To achieve a FedRAMP Ready designation, a CSO’s MFA solution must comply with NIST Special Publication (SP) 800-63B, which requires the use of FIPS 140 validated encryption for MFA tools. While agencies may accept risk by allowing a CSP to work through POA&M actions to achieve compliance with NIST SP 800-63B requirements, a Readiness Assessment Report (RAR) has no authorizing official to accept and approve risk for open POA&Ms. A FedRAMP Ready designation indicates to agencies that a cloud service can be authorized without significant risk or delay due to noncompliance. The use of FIPS 140 validated cryptographic modules, where encryption is required, is a federal mandate, as indicated in the RAR template. This applies to MFA tools as well.
The FedRAMP PMO has provided additional resources below that apply to all MFA tools, where required (authenticators and verifiers).
MFA resources:
- There are two notable exceptions to the FIPS 140 requirement for authenticators in SP 800-63. These are:
  - On Low baseline systems, FIPS 140 validated crypto modules are only required for MFA verifiers, not authenticators.
  - On Moderate baseline systems, user-provided (“bring-your-own”) authenticators are exempt from having to meet FIPS 140 requirements, particularly in the government-to-public use case. Note: This exemption does not apply to CSP personnel. The FIPS 140 requirement still applies to CSP employee and contractor authenticators.
- NIST SP 800-63 is a complex set of documents that should be reviewed by any organization implementing MFA for a government system. In addition to the base standards document, NIST provides additional resources that may be helpful.