...
This document outlines the Science Cloud Maintenance and Flaw Remediation Plan for the Science Cloud environment, including all Tenant accounts.
Scope
This plan applies to all Science Cloud and Tenant accounts in AWS Commercial and Azure Commercial.
Maintenance is limited to patching, upgrades, and configuration changes that affect or change the security posture of instances and/or applications in Science Cloud and Tenant accounts (i.e., monthly OS patching and application upgrades).
Flaw Remediation is limited to software updates and patches that address vulnerabilities.
Vulnerability*: A flaw in a software, firmware, hardware, or service component resulting from a weakness that can be exploited, causing a negative impact to the confidentiality, integrity, or availability of an impacted component or components.
*https://cve.mitre.org/about/terminology.html
Roles
Science Cloud and Tenant Administrator and Developer roles are the only ones allowed to perform maintenance and flaw remediation tasks.
Responsibilities
Science Cloud assigns tasks to administrators with the appropriate skill set to complete the work; Tenants must do the same.
Science Cloud and Tenant Administrators perform OS-level tasks.
Tenant administrators, developers, application administrators, and/or database administrators perform application and/or database tasks.
Management Commitment
All maintenance and flaw remediation activities are performed with approval from the Science Cloud or Tenant Information System Owner (ISO).
Coordination Among Organizational Entities
Science Cloud system administrators coordinate with all Tenants and external NASA entities to accomplish tasks in a timely fashion.
Compliance
Following NASA and NIST guidance, Science Cloud / Tenant:
- performs controlled non-local maintenance;
- utilizes AWS services to perform maintenance;
- secures patches/updates from vendor sites and reputable patch sources;
- performs OS-level maintenance every 30 days;
- performs applications and/or database maintenance as patches are made available from vendors;
- performs out-of-cycle maintenance and flaw remediation* as severe vulnerabilities are identified and patches are made available;
- performs out-of-cycle maintenance and flaw remediation* as directed by NASA Security Operations Center (SOC) Mitigation Action Requirement (MAR) notices;
- checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or flaw remediation actions.
*Note: Flaw Remediation Categorization
- Known Exploited Vulnerabilities (KEVs): by the due date listed in the CISA catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
...
All timelines for remediation are listed in SI-02 of the Science Cloud System Security Plan (SSP).
Procedures
Science Cloud utilizes AWS Systems Manager (SSM) to perform maintenance and flaw remediation tasks.
Science Cloud tracks maintenance and flaw remediation tasks in Jira and Confluence.
Tenants are encouraged to utilize SSM to perform tasks.
Both Science Cloud and Tenants will document maintenance and flaw remediation activities with the following information at a minimum:
- Date(s) of task
- Type: patch, upgrade, or configuration change
- Activity description
- Affected server(s), system(s), application(s), and/or database(s)
- Task performed by
- Was the task successful?
- Failure notes, if any, and what rollback procedures were followed
Both Science Cloud and Tenants will retain maintenance logs in accordance with the records retention requirements defined by NASA, which require a minimum retention period of 1 year.