StateRAMP Requirements for Vulnerability Scanning

vulnerability scanning featured

Ongoing maintenance and upkeep are a cornerstone of all cybersecurity regulations and frameworks. And for a good reason. The rapidly changing threat landscape that businesses and government agencies face daily necessitates an ever-vigilant approach to cybersecurity. Vulnerability scanning is an important part of compliance and security across almost every data-driven industry. Here, we’re discussing what StateRAMP has to say about vulnerability scanning, including frequency, reporting, and remediation requirements.


What Is Vulnerability Scanning?

Vulnerability scanning proactively searches for and identifies vulnerabilities in systems handling sensitive information. This practice helps organizations better understand the state of security within their systems and, when necessary, identify immediate issues that need addressing. 

Some of the defining aspects of vulnerability scanning include:

  • Automation: Vulnerability scans, while sometimes run manually, are more often than not automated to run at regular intervals, with the intent of maintaining accurate and up-to-date security information and system inventories. 
  • High-Level Examination: Unlike more hands-on penetration testing, vulnerability scans are generally “high level,” meaning they will find the most apparent and surface-level issues that can cause major issues down the road. 
  • System Specificity: Not all systems are created equal, and as such, there are unique scanning solutions that address these systems. That means scanning for networks, applications, databases, wireless networks, and edge-computing devices (to name a few).

Since a vulnerability scan will address several different systems and potential attack surfaces, these scans have to consider the potential context of an attack. 

The primary forms of vulnerability scans include:

  • External: These scans focus on components and systems that face end users or the Internet, including applications, websites, and services offered through APIs.
  • Internal: These scans focus on internal systems only accessible by organization personnel. These can also include applications, but will also include scans of internal networking devices and the interactions between systems and how data moves through the organization. 
  • Environmental: Environmental scans focus on computing environments and typically apply to large cloud deployments, mobile devices, and IoT devices.

The sheer variety of attack surfaces and potential vulnerabilities are legion. Every vulnerability leads to a greater understanding of these scans’ common families of issues.

Some common vulnerabilities caught in scans include:

  • Outdated Technology: Software and hardware that isn’t adequately retired and replaced can provide attacks with major security holes to exploit. These can include old operating systems, insecure storage devices, and outdated networking technologies.
  • Missing Security Patches: Outside of old or defunct systems, even properly-working software and hardware can become vulnerable if they aren’t appropriately patched. Vulnerability scans can assess a system’s health based on whether or not all components are patched against the latest vulnerabilities.
  • Vulnerable Encryption Modules: Older encryption methods can become outmoded as new hacking techniques emerge. Vulnerability scans can support module inventories such that when new standards or vulnerabilities appear, you can replace outmoded security and maintain compliance. 
  • Improper Web Input Handling: Common hacks come from user input into web applications and websites. Vulnerability scans will often check for common vulnerabilities that lead to SQL injection attacks and cross-site scripting.

These scans won’t catch more complex vulnerabilities, especially those resulting from complex issues like social engineering or complicated, interacting systems. However, with regular diligence, they can prevent threats that should remain easily preventable. 


What Are the StateRAMP Requirements for Vulnerability Scanning?

vulnerability scanning

Like its federal counterpart, StateRAMP includes requirements for vulnerability scanning. These requirements promote solid cyber hygiene while mitigating the smaller or more surface-level issues that can lead to significant breaches if left unattended. 

In terms of StateRAMP guidelines, there are some fundamental requirements:

  • Frequency: Compliant service providers must conduct vulnerability scans at least once per month. 
  • Vulnerability Scan Solutions: Service providers must use tools within their security implementation, which must operate within specific components of their IT infrastructure). These tools include operating system and network scanners, database vulnerability scanners, and web application scanners.
  • Conducting Scans: Initial vulnerability scans must be conducted by the service provider’s Third-Party Assessment Organization. 


Vulnerability Scan Documentation

The StateRAMP Project Management Office (PMO) must have all appropriate documentation to render decisions about continued authorization. This documentation should include:

  • Scanning Data: The service provider must provide the raw scan file data (in CSV or Excel) and exported summary documents (in PDF or Word). The summary report should include an executive summary, a detailed summary, and inventory reports. 
  • System Inventory: The service provider must also include a complete inventory of all system components within the authorization boundary, completed using the StateRAMP template.
  • Machine Readability: Vulnerabilities scans and inventory reports must be machine readable using unique identifiers like IP addresses, system names, etc.


Scanning Quality and Validation

Alongside the reports provided by the provider, there must be an established process to ensure the quality of the reports and results. These QA processes must include:

  • Authentication: Scans must be conducted using authentication credentials that allow full navigation of the scanned system to gain complete and accurate results. Unauthenticated scans will be rejected out of hand outside of select exemptions.
  • Plug-In Components: Any plug-ins or other components that may be optionally turned on must be activated during the scan to ensure they are scanned. Furthermore, if specific plug-ins are offered for the scanning solution, they must be configured to address all aspects of the scanned system.
  • Boundary Scanning: Scans cover all inventoried components within the system boundary.
  • Scanner Signatures: Service providers maintain up-to-date scanning solutions using the latest vulnerability signatures. The service provider must conduct an update before any scan to ensure that scanning engines and signature files are the latest versions.
  • Monthly POA&Ms: Any discovery of vulnerabilities or other potential risks must be included in a monthly Plan of Action and Milestones for formal recognition.


Vulnerability Remediation

Authorization must be remediated if vulnerabilities place a service provider out of StateRAMP Ready authorization. The PMO has a few options at this stage, each requiring action from the service provider. 

The StateRAMP PMO may:

  • Require that the service provider immediately rescan systems to confirm vulnerabilities, and these rescans may include configuration changes dictated by the PMO.
  • Require the 3PAO to perform additional future scans if the service provider doesn’t meet StateRAMP requirements to ensure objective testing results.
  • Call for a Corrective Action Plan if there are continuing issues found during scans that the service provider cannot, or will not, address in a timely manner. 
  • Revoke Ready status for failure to meet requirements. The StateRAMP PMO, the Approvals Committee, or the Authorizing Official can revoke authorization for failure to meet requirements under a vulnerability scan. 


Streamline StateRAMP Scanning with Continuum GRC

Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under StateRAMP and make it an easy and timely part of business in the public sector. It is always available and plugged into our team of experts. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

  • FedRAMP
  • StateRAMP
  • NIST 800-53
  • DFARS NIST 800-171
  • CMMC
  • SOC 1, SOC 2, SOC 3
  • PCI DSS 4.0
  • IRS 1075
  • ISO 27000 Series
  • ISO 9000 Series

And more. We are the only FedRAMP and StateRAMP Authorized compliance and risk management solution worldwide.

Continuum GRC is a proactive cyber security®, and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.

Continuum GRC