Effective November 2019, the Postal Service™ revised Handbook AS-805-H, Cloud Security, to update policy and procedure with regard to cloud providers.
Handbook AS-805-H, Cloud Security
* * * * *
6 Cloud Technology Security Requirements
* * * * *
6-1 Cloud Providers and Security
[Revise the text of 6-1 to read as follows:]
The following must apply to cloud providers:
a. A FedRAMP Authorization to Operate (ATO) is mandatory for Postal Service Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) cloud deployments and service models at the low-, moderate-, and high-impact levels, as determined by the CISO.
The Postal Service does not participate in the FedRAMP Initial (Sponsored) Authority to Operate process and does not offer sponsorship.
While the Postal Service does not require a FedRAMP Authorization for Software as a Service (SaaS) environments, FedRAMP Authorization is required on the foundational layer/hosting environment, also referred to as the Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). Notwithstanding an entity’s FedRAMP Authorization status, the Postal Service has its own internal Certification and Accreditation (C&A) processes and policies for all systems, which are in accordance with Handbook AS-805, Information Security and Handbook AS-805-H, Cloud Security. Accordingly, the Postal Service must certify and accredit all cloud solutions for use by the Postal Service regardless of FedRAMP Authorization status. The Postal Service may consider potential suppliers’ FedRAMP Packages in its certification and accreditation process.
All cloud solutions must demonstrate the ability to meet USPS security requirements.
b. Cloud providers must comply with FISMA Moderate and/or High Authorization and Accreditation security controls and processes.
c. Cloud providers must comply with the current version of the Payment Card Industry (PCI) Data Security Standard (DSS) and the Information Supplement: PCI DSS Cloud Computing Guidelines if that functionality is provided within a Private Cloud.
* * * * *
8 Legal, Privacy, and Information Security Contract Requirements
* * * * *
8-2 Legal Requirements
[Delete item a. and renumber current items b. through r. as items a. through q.]
* * * * *
8-4 Information Security Contract Requirements
[Revise the introduction and first two sets of bullets of 8-4 to read as follows:]
The contract must address the Assessment and Authorization (A&A) Package requirements for a SaaS Non-FedRAMP Authorized Cloud. Note that this requirement applies specifically to a SaaS environment that is not FedRAMP Authorized. If the SaaS is FedRAMP Authorized, the Postal Service collects the documents listed below from the Max.gov website instead.
The Cloud Service Provider (CSP) must provide at a minimum the following A&A documents:
a. FedRAMP ID of the IaaS hosting environment.
b. System Security Plan (SSP).
c. Control Implementation Summary (CIS).
d. Plan of Action and Milestone (POA&M).
e. Incident Response Plan (IRP).
(1) The SaaS CSP will inherit this from the IaaS hosting environment but should also have its own IRP to cover the investigation of the SaaS.
f. Configuration Management Plan (CMP).
g. Contingency Plan (CP).
(1) The SaaS CSP will inherit this from the IaaS hosting environment but should also have its own CP to cover the recovery of the SaaS.
h. Inventory.
i. Software list.
j. Penetration Testing Report for web-facing applications.
k. Vulnerability Scan Report.
l. Privacy Impact Analysis (PIA)/Privacy Threshold Assessment (PTA).
For references to FedRAMP and related security controls, visit the following sites:
a. FedRAMP Resources: fedramp.gov/.
b. Documents: fedramp.gov/documents/.
c. Templates: fedramp.gov/templates/.
d. NIST Publications: fedramp.gov/nist-publications/.
* * * * *
Revised Handbook AS-805-H is available on the Postal Service PolicyNet website:
• Go to blue.usps.gov.
• In the left-hand column, click Essential Links, and then click PolicyNet.
• Go to the right-hand side under “Published Forms and Directives.”
• Click Handbooks.
The direct URL for the Postal Service PolicyNet website is blue.usps.gov/cpim.
— Policy, Quality, and Compliance,
Chief Information Security Officer
and Digital Solutions, 11-21-19