FAS Cloud Services IT Security Metrics
Learn about the different types of Core FCS security metrics that are collected, reported and monitored. FCS Tenants may find it useful to become familiar with these metrics in order to meet FCS reporting requirements.
CORE FCS Security Metrics
FCS security Tenants are to observe the following key metrics and report them to their respective FCS security representatives. All metrics listed here are required for the applicable FCS service areas; any deviation must be reported to FCS for resolution.
Applicable service areas for all sections below: EBTA, CaaS, MCaaS, Common Components, Data, VPCaaS
1. FCS Asset Metrics
To be monitored and reported to FCS security personnel on a weekly basis:
- FCS Core running assets
- Number of running hosts
- FCS Scan coverage
- FCS Core SSM Association Status
- FCS All SSM Association Status
2. FCS Security Risk Metrics (from Scans)
Observes risks reported from FCS operational scans by Severity, Compliance status and impacted AWS accounts:
Critical vulnerabilities must be remediated within 15 calendar days of initial detection
High vulnerabilities must be remediated within 30 calendar days of initial detection
- Risk by Severity: Tracking Low, Medium, High, Critical and Zero Days
- Risk by Compliance status: This metric tracks configuration settings based on CIS Level 3 Benchmarks and Security Technical Implementation Guidelines (STIG)
- Risk by AWS Account: Via PRISMA cloud compliance report
3. FCS Remediation Metrics
Observes the extent to which vulnerabilities are being remediated in a timely manner, based on the following timelines:
- Time (Days) to remediate Critical vulnerabilities: 15 Calendar Days
- Time (Days) to remediate BOD 22-01 vulnerabilities: 15 Calendar Days
- Total Known Exploitable Vulnerability (KEV) vulnerabilities: 15 Calendar Days
- Time (Days) to remediate High vulnerabilities: 30 Calendar Days
- Time (Days) to remediate Medium vulnerabilities: 90 Calendar Days
- Time (Days) to remediate Low vulnerabilities: 120 Calendar Days
4. FCS Vulnerability Instance Decrease Metrics
Observes the reduction of vulnerabilities by instance and FCS timelines.
- Total Critical vulnerabilities decrease (by instance): Must achieve zero (0) outstanding Critical vulnerabilities over 15 Days
- Total BOD 22-01 vulnerabilities decrease (by instance): Must achieve zero (0) outstanding Critical vulnerabilities over 15 Days
- Total Known Exploitable Vulnerability (KEV) vulnerabilities decrease (by instance): Must achieve zero (0) outstanding Critical vulnerabilities over 15 Days
- Total High vulnerabilities decreased (by instance): Must achieve zero (0) outstanding Critical vulnerabilities over 30 Days
- Total Medium vulnerabilities decreased (by instance): Must achieve zero (0) outstanding Critical vulnerabilities over 90 Days
- Total Low vulnerabilities decreased (by instance): Must achieve zero (0) outstanding Critical vulnerabilities over 120 Days
5. System Security Testing and Evaluation (SST&E) Metrics
Gathers insight from the output/results of the following Tenant self-assessments:
- Clean host infrastructure and web scan (no Critical, High, or Medium vulnerabilities)
- CIS Level 3 STIG Security configuration assessment report with an overall score of 80% or better
- Clean PRISMA cloud compliance report (0 Resource Failures)
6. System Test and Evaluation (ST&E) Metrics
Gathers insight from the output/results of the following Tenant self-assessments:
- Conduct formal automated regression testing on AMI to verify sustainability of operations and functionality of changes
- Achieve passing AMI report prior to deployment