Tenant Responsibilities

Even though the MCaaS platform offers many security tools and features that a tenant application can inherit, some essential tasks remain with the tenant/application team. The formal set of tenant security responsibilities is defined by the MCaaS Customer Responsibility (CRM) statements.

Please work with your ISSO/ISSM to ensure you have the latest copy of the MCaaS CRM statement. MCaaS tenants are responsible for writing the SSP and for addressing the CRM controls inherited from MCaaS and from any other shared services, SaaS tools, etc. consumed by the application.

Below is a list of key tenant responsibilities:

  • Vulnerability Management in application container images

  • Vulnerability Management in dependencies, libraries and open source code/components

  • Vulnerability Management of any COTS and open source tools running in containers

  • Selection of well-maintained and supported code, components and libraries

  • Data Encryption at Rest

    • All data must be encrypted at rest. If your application handles PCI or PII data, it must be encrypted at the field/column level using application-layer encryption, so that the database, its backups and anyone with read access to the storage see only ciphertext; the keys must be managed outside the data store. Flat files such as PDFs or JPEGs containing PCI or PII must be encrypted before they are stored in S3 or EFS.
    • This is a show-stopper control and generally requires substantial rework of application code. If you need any clarification, please reach out to the OCISO DevSecOps team.
  • Data Encryption in transit

    • Every connection, integration or API call must use an encrypted channel, including internal service-to-service calls, not only the public endpoint. Encrypt everything, everywhere.
  • Multi-Factor Authentication

    • Application-level authentication is the application team's responsibility. Ensure your application enforces MFA. GSA SecureAuth, OKTA, login.gov and Max.gov are some commonly used solutions.
  • Static Code Analysis (Application Code)

    • Perform static code analysis (SAST) of the application source code and remediate the findings.
  • Public URL Scanning

    • You are required to have your public URL scanned with SecOps Netsparker as soon as the URL becomes available.
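
The field/column-level encryption required under Data Encryption at Rest above, worked through as an added example (illustrative code written for this page, not part of the MCaaS platform or any GSA tool): envelope encryption in Go with AES-256-GCM, where each value gets its own data encryption key (DEK) that is in turn wrapped under a key encryption key (KEK). The KEK here is a constructed in-memory key; the assumption for a real tenant is that the KEK is generated in and fetched from a key management service at runtime. The context strings (users/42/ssn and the S3 object key) are made-up names. The same Encrypt call covers a PDF or JPEG body before it is written to S3 or EFS, with the object key as context.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is what gets stored in place of the sensitive value (a BYTEA column,
// or the S3 object body): the value encrypted under a per-value data encryption
// key (DEK), plus that DEK wrapped under the long-lived key encryption key (KEK).
type Envelope struct {
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK, aad=context)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, plaintext, aad=context)
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext || tag under a fresh random 96-bit nonce; aad is authenticated only.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, plaintext, aad)...), nil
}

// open reverses seal and fails on any change to nonce, ciphertext, tag or aad.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed value too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Encrypt envelope-encrypts plaintext. context names where the value lives
// ("users/42/ssn" for a column, or the object key of a PDF bound for S3) and is
// bound into both layers as AAD, so a ciphertext copied elsewhere fails to decrypt.
func Encrypt(kek []byte, context string, plaintext []byte) (Envelope, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return Envelope{}, err
	}
	ct, err := seal(dek, plaintext, []byte(context))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(kek, dek, []byte(context))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK, then opens the value with the DEK.
func Decrypt(kek []byte, context string, env Envelope) ([]byte, error) {
	dek, err := open(kek, env.WrappedDEK, []byte(context))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, env.Ciphertext, []byte(context))
}

func main() {
	// Constructed demo KEK. Assumption for a real tenant: the KEK is generated in
	// and fetched from a key management service at runtime, never kept with the data.
	kek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	// Column level: only the SSN column of user 42 is encrypted; the row's other
	// columns stay queryable in clear.
	env, err := Encrypt(kek, "users/42/ssn", []byte("123-45-6789"))
	if err != nil {
		panic(err)
	}
	ssn, err := Decrypt(kek, "users/42/ssn", env)
	fmt.Println("users/42/ssn:", string(ssn), err)
	_, err = Decrypt(kek, "users/43/ssn", env) // same ciphertext moved to another row
	fmt.Println("moved value decrypts:", err == nil)
}
```

Binding the storage location into the AAD is what makes "encrypted in the column" a real control: someone with write access to the database cannot copy a ciphertext from one row or column to another and have the application decrypt it for them. Random 96-bit GCM nonces are fine for the per-value DEKs, which are used once each; the KEK wraps many DEKs, so rotate it well before 2^32 wrap operations or, better, let the key management service perform the wrapping.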