This document outlines the maintenance and Flaw Remediation Plan for the Science Cloud environment, including all Tenant accounts.
This plan applies to all Science Cloud and Tenant accounts in AWS Commercial and Azure Commercial.
Maintenance is limited to patching, upgrades, and configuration changes that affect or change the security posture of instances and/or applications in Science Cloud and Tenant accounts (for example, monthly OS patching and application upgrades).
Flaw Remediation is limited to software updates and patches that address vulnerabilities.
Vulnerability*: A flaw in a software, firmware, hardware, or service component resulting from a weakness that can be exploited, causing a negative impact to the confidentiality, integrity, or availability of an impacted component or components.
*https://cve.mitre.org/about/terminology.html
Only the Science Cloud and Tenant Administrator and Developer roles are allowed to perform maintenance and flaw remediation tasks.
Science Cloud assigns tasks to administrators with the appropriate skill-set to complete the work; Tenants must do the same.
Science Cloud and Tenant Administrators perform OS-level tasks.
Tenant administrators, developers, application administrators, and/or database administrators perform application and/or database tasks.
All maintenance and flaw remediation activities are performed with approval from the Science Cloud or Tenant Information System Owners (ISO).
Science Cloud system administrators coordinate with all Tenants and external NASA entities to accomplish tasks in a timely fashion.
Following NASA and NIST guidance, Science Cloud and Tenants remediate flaws within the following timelines (Flaw Remediation Categorization):
Known Exploited Vulnerabilities (KEVs) [by the due date listed in the catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)]
Critical (15 calendar days)
High (30 calendar days)
Medium (30 calendar days)
Low (60 calendar days)
All timelines for remediation are listed in SI-02 of the Science Cloud System Security Plan (SSP).
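The timelines above are the kind of rule a tracker or scan-triage script needs to apply consistently. The following is an added example, not code from the Science Cloud project: it takes a set of findings, computes each one's remediation due date from its severity window or its KEV catalog date, and reports what is overdue as of a given day. The finding identifiers, hostnames and dates are constructed sample values, and the rule that a KEV catalog due date governs whenever the CVE is listed is an assumption made here; the plan itself does not say how a finding that is both a KEV and severity-rated should be treated.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Calendar-day remediation windows by severity, as stated in the plan.
SEVERITY_WINDOW_DAYS = {
    "critical": 15,
    "high": 30,
    "medium": 30,
    "low": 60,
}


@dataclass
class Finding:
    finding_id: str                  # scanner or tracker id (constructed sample values below)
    host: str
    severity: str                    # critical / high / medium / low
    discovered: date                 # date the flaw was identified
    kev_due: Optional[date] = None   # CISA KEV catalog due date, if the CVE is listed


def remediation_due(finding: Finding) -> date:
    """Return the date by which the finding must be remediated.

    Assumption (not stated in the plan): when the CVE is in the KEV catalog,
    the catalog due date governs; otherwise the severity window applies,
    counted in calendar days from the discovery date.
    """
    if finding.kev_due is not None:
        return finding.kev_due
    try:
        window = SEVERITY_WINDOW_DAYS[finding.severity.lower()]
    except KeyError:
        raise ValueError(
            f"unknown severity {finding.severity!r} for {finding.finding_id}"
        )
    return finding.discovered + timedelta(days=window)


def days_overdue(finding: Finding, today: date) -> int:
    """Positive: days past due. Zero or negative: days remaining."""
    return (today - remediation_due(finding)).days


def overdue_report(findings: List[Finding], today: date) -> List[Tuple[str, str, str, int]]:
    """Return (finding_id, host, due_date_iso, days_overdue) for every finding
    past due, most overdue first, so ISO approval and Jira tracking can be
    prioritised."""
    rows = []
    for f in findings:
        late = days_overdue(f, today)
        if late > 0:
            rows.append((f.finding_id, f.host, remediation_due(f).isoformat(), late))
    rows.sort(key=lambda r: r[3], reverse=True)
    return rows


# Constructed sample findings (hypothetical identifiers and hosts, not from the plan).
SAMPLE_FINDINGS = [
    Finding("F-1001", "tenant-a-web01", "critical", date(2024, 3, 1)),
    Finding("F-1002", "tenant-a-db01", "medium", date(2024, 3, 1)),
    Finding("F-1003", "sc-bastion01", "low", date(2024, 3, 1)),
    # Listed in KEV: the catalog date (constructed) is earlier than the 30-day high window.
    Finding("F-1004", "tenant-b-app02", "high", date(2024, 3, 10), kev_due=date(2024, 3, 20)),
]

# Constructed reporting date used by the demonstration run.
AS_OF = date(2024, 4, 1)

if __name__ == "__main__":
    for finding_id, host, due, late in overdue_report(SAMPLE_FINDINGS, AS_OF):
        print(f"OVERDUE {finding_id} on {host}: due {due}, {late} day(s) late")
```

Running it as of 2024-04-01 lists F-1001 (16 days late), F-1004 (12 days late, driven by the KEV date rather than the 30-day window) and F-1002 (1 day late); the low finding is still within its 60-day window. The same output can be pasted into the tracking ticket as the "Affected Server(s)" and due-date evidence the logging section calls for.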
Science Cloud utilizes AWS Systems Manager (SSM) to perform maintenance and flaw remediation tasks.
Science Cloud tracks maintenance and flaw remediation tasks in Jira and Confluence.
Tenants are encouraged to utilize SSM to perform tasks.
Both Science Cloud and Tenants will document maintenance and flaw remediation activities with the following information at a minimum:
Date(s) of Task
Type: Patch, Upgrade, Configuration Change
Activity Description
Affected Server(s), System(s), Application(s) and/or Database(s)
Task Performed By
Was Task Successful?
Failure notes, if any, and the rollback procedures that were followed
Both Science Cloud and Tenants will retain maintenance logs in accordance with the records retention requirements defined by NASA, which require a minimum retention period of 1 year.