Form Version 1.0 – January 31, 2018
Deviation Request Form Page 3 of 6
FedRAMP Deviation Request Form
Additional Information: Risk Reduction
(Complete this section if you are submitting a risk reduction or a risk reduced operational requirement DR.)
Complete all fields below. Include references to the System Security Plan as applicable.
To complete the fields in this section, use the CVSS Environmental Score Metrics definitions found here: https://nvd.nist.gov/vuln-metrics
Attack Vector
Choose an item.
Describe whether local access, physical access, or network access is required for vulnerability exploitation. Describe how, based on the CSP’s implemented security model, the necessary access is reduced or not available.
Attack Complexity
Choose an item.
Low attack complexity means that an attacker can exploit the vulnerability at any time, without depending on special conditions. High attack complexity means that a successful attack depends on conditions outside of the attacker’s control.
Privileges Required
Choose an item.
No privileges required means the vulnerability can be exploited by an unauthorized user. Low privileges require a normal authenticated user to exploit the vulnerability. High privileges require an Administrator or System level authenticated user to exploit the vulnerability.
Describe any security controls that prevent or reduce the likelihood of a vulnerability exploitation attempt having the required privileges on the system.
Delete prior to submission: For example, a vulnerability may require adjacent network access (as determined by following the decision tree above) for exploitation, and the vulnerability was discovered on a management network. The management network may be restricted to three administrators only, who connect only through a jumphost from specific dedicated workstations. The management network is only accessible via the jumphost and has no other connectivity to or from networks that are not managed directly. The previous example explains why the level of network access necessary for vulnerability exploitation is reduced or not available based on the CSP’s implemented design, since the vulnerable machines cannot be accessed via the network directly.
Delete prior to submission: For example, normally a vulnerability may be exploitable 100% of the time, which would be Low attack complexity. However, in the CSP’s environment, you have implemented security controls which add conditions outside of the attacker’s control, such as containerized or sandboxed applications or mandatory access controls.
Delete prior to submission: For example, if the vulnerability requires Low privileges but only Administrators can access the vulnerable systems, then the likelihood of exploitation is reduced, since there are no non-trusted users on the system(s). Likewise, if the vulnerability does not require privileges but the CSP has limited access to the system to only specific hosts, this reduces the likelihood of exploitation.