
A FedRAMP Security Controls Checklist: Where to Focus

09/16/2015  |  By: Sese Bennett, CISSP, CISM, QSA, ITIL, HITRUST CSF, Senior Manager, Information Security



Not every company has invested the time to adequately document their security controls — which is why it’s an area that can require additional work.

The security controls that are part of FedRAMP requirements are based on the National Institute of Standards and Technology (NIST) SP 800-53 Revision 4 catalog of controls.

Overall, the most common requirement that companies falter on is documentation. Quite often, documentation is incomplete or missing altogether, particularly if a company has moved through the process too hastily.

Below we’ll review what security controls you’ll need to adequately prepare for certification — as well as which security control families present the greatest challenges for most organizations.

We recommend that you pay particular attention to the following:

Strong Security Access Controls

Strong access controls are used for authenticating and authorizing user access (including employee, second-party and third-party vendor access) to the cloud service offering and the federal data it holds. Make sure your organization can identify the security controls that should be in place to ensure that access levels are appropriate for each individual, and that privileged access is granted on a least-privilege basis. Define and document all identification and authentication processes.

Pay special attention to multifactor authentication, since it is a FedRAMP requirement (NIST SP 800-53 IA-2) for both privileged and non-privileged accounts, not just for administrators. This control requires technical know-how as well as implementation support.

Planning and Governance Models

An area that commonly requires additional work is the development of your company’s formal governance models. Verify that a solid governance model is present for the environment and your security controls. Craft a security policy plan that addresses all these areas.

Ideally, upper management should take a lead role in documenting and enforcing all controls within an environment. Management is ultimately responsible for documenting, measuring, improving and following security planning best practices.

Clarity and Definition of Cloud Models

Outline a clear and concise model for your organization’s cloud procedures and policies, in accordance with your federal government work. Is your offering Software as a Service (SaaS), Platform as a Service (PaaS) or Infrastructure as a Service (IaaS)? Document all data flows, the direction of each flow and the protocols used, in order to satisfy the initial documentation requirements.

Management and Stakeholder Buy-In

It’s important to secure buy-in from all colleagues within your organization who will be responsible for providing the evidence and documentation needed to meet FedRAMP requirements. Take it a step further and enlist management buy-in to expedite the necessary internal support. Securing some dedicated resources is worth the investment to move the process along more quickly.

Security Awareness and Training Programs

A security policy will only be as effective as the training that supports it. To that end, be sure to establish and document your information security awareness and training program thoroughly. The level of training documentation is also important, so be sure to include the training methods, frequency and types of training provided.

Configuration Management

The configuration of information systems and their components has a direct impact on the security posture of your system as a whole. How those configurations are established, patched and maintained requires a disciplined, consistent approach in order to provide adequate security.

Your organization’s configuration management should support your continuous monitoring program. Make sure you have a documented process about how all FedRAMP systems are configured and that they are configured consistently.
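The consistency check described above can be automated against the documented baseline. The following is an added example, not code from the original post: it assumes a hypothetical hardening baseline for `sshd_config` expressed as key/value settings, parses constructed sample configurations for three hypothetical hosts, and reports every setting that is missing or differs from the baseline. A setting that is absent is reported as `<unset>` rather than ignored, because a host silently relying on a compiled-in default is exactly the drift a continuous monitoring program needs to surface.

```python
"""Configuration baseline drift check (added example, not the original page's code).

Assumes a documented baseline of sshd_config settings (hypothetical) and
compares each in-scope host's live configuration against it. The sample
configurations below are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Hypothetical documented baseline: the settings every in-scope host must carry.
BASELINE: Dict[str, str] = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
    "LogLevel": "VERBOSE",
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Parse sshd_config-style text into a {keyword: value} dict.

    Blank lines and comments are ignored. Both 'Key value' and 'Key=value'
    forms are accepted. Keywords are case-insensitive in sshd, so they are
    lower-cased here, and only the first occurrence of a keyword is kept
    because sshd honours the first value it reads.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def find_drift(baseline: Dict[str, str], live: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (setting, expected, actual) for each baseline setting that deviates.

    A setting missing from the live configuration is reported with
    actual='<unset>' so reliance on a compiled-in default is visible.
    """
    drift: List[Tuple[str, str, str]] = []
    for key, expected in baseline.items():
        actual = live.get(key.lower(), "<unset>")
        if actual != expected:
            drift.append((key, expected, actual))
    return drift


def check_fleet(baseline: Dict[str, str], configs: Dict[str, str]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Run the drift check over every host; an empty list means compliant."""
    return {host: find_drift(baseline, parse_sshd_config(text)) for host, text in configs.items()}


# Constructed sample configurations for three hypothetical hosts.
SAMPLE_CONFIGS: Dict[str, str] = {
    "web-01": """
# hardened per the documented baseline
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
LogLevel VERBOSE
""",
    "web-02": """
# drifted: password auth left on, root login never set, default log level
PasswordAuthentication yes
PermitEmptyPasswords no
X11Forwarding no
LogLevel INFO
""",
    "db-01": """
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding yes
LogLevel VERBOSE
""",
}

if __name__ == "__main__":
    for host, findings in check_fleet(BASELINE, SAMPLE_CONFIGS).items():
        status = "OK" if not findings else "DRIFT"
        print(f"{host}: {status}")
        for setting, expected, actual in findings:
            print(f"  {setting}: expected {expected!r}, found {actual!r}")
```

In practice the live configurations would be collected by your configuration management tooling on the schedule your continuous monitoring plan defines, and the drift report retained as evidence that the documented baseline is actually enforced.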


Patch Management

Patch management is held to the same standards as configuration management. Your assessor will want to know how long your patch program has been in place, how often patches are applied, and whether the process is well documented. This area is subject to its own challenges, including finding maintenance windows for all the necessary patching, testing and deployment steps, all within the FedRAMP-defined windows for remediating findings (30 days for high-risk vulnerabilities and 90 days for moderate-risk ones, measured from the date of discovery).

Business Continuity and Contingency Planning

Business continuity and contingency plans need to be implemented, documented and tested. Ensuring that policies and procedures are well documented and consistently followed is the goal organizations should aim for.

Deliberate planning and foresight into potential problems will inform strong contingency process development. Your plan should preserve an acceptable level of security not only under normal operations but also during a disruption, and it should cover recovery and reconstitution of the system after a major disaster, including how you return to a known-good, fully monitored state.

Incident Response

FedRAMP assessors will pay close attention to this particular area. Coordination of your incident response program with your federal agency client is imperative. You will also need to incorporate the incident reporting procedures, reporting timelines and escalation contacts mandated by the FedRAMP guidelines into your own response procedures, so that an incident affecting federal data reaches the agency and US-CERT within the required time.

Vulnerability Assessment Program

Your risk assessment plan should include vulnerability scans of operating systems and infrastructure, web application scans, database scans, and penetration testing. FedRAMP expects the scans to run at least monthly and the penetration test to be repeated at least annually, with every finding tracked to closure within its remediation window. An external or internal vulnerability management team can help conduct risk assessments, detect weaknesses, and prioritize the ones most likely to be exploited.
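Both the patch management section above and the vulnerability assessment section come down to the same question: is each open finding still inside its FedRAMP remediation window? The following is an added example, not code from the original post. It assumes the window lengths FedRAMP's continuous monitoring guidance sets (30 days high, 90 days moderate, 180 days low, counted from discovery), takes a constructed list of scan findings in a hypothetical POA&M-style record format, and buckets the open ones into overdue, due soon and on track. A severity it does not recognize is treated as high so that a mislabelled finding fails closed rather than dropping out of the report.

```python
"""Remediation-window aging check for scan findings (added example, not the page's code).

Window lengths follow FedRAMP continuous monitoring guidance: high 30 days,
moderate 90 days, low 180 days, measured from the discovery date. The finding
records and the as-of date below are constructed for illustration.
"""
from datetime import date, timedelta
from typing import Dict, List, Optional

REMEDIATION_WINDOW_DAYS: Dict[str, int] = {"high": 30, "moderate": 90, "low": 180}
DUE_SOON_DAYS = 7  # hypothetical threshold for the "due soon" bucket


def days_remaining(severity: str, discovered: date, as_of: date,
                   closed: Optional[date] = None) -> Optional[int]:
    """Days left before a finding breaches its window; negative means overdue.

    Returns None for closed findings. An unknown severity is treated as
    'high' (the shortest window) so that a mislabelled finding fails closed.
    """
    if closed is not None:
        return None
    window = REMEDIATION_WINDOW_DAYS.get(severity.lower(), REMEDIATION_WINDOW_DAYS["high"])
    deadline = discovered + timedelta(days=window)
    return (deadline - as_of).days


def triage(findings: List[dict], as_of: date) -> Dict[str, List[str]]:
    """Bucket open findings by urgency, preserving input order within each bucket."""
    buckets: Dict[str, List[str]] = {"overdue": [], "due_soon": [], "on_track": []}
    for f in findings:
        left = days_remaining(f["severity"], f["discovered"], as_of, f.get("closed"))
        if left is None:
            continue  # closed: nothing to track
        if left < 0:
            buckets["overdue"].append(f["id"])
        elif left <= DUE_SOON_DAYS:
            buckets["due_soon"].append(f["id"])
        else:
            buckets["on_track"].append(f["id"])
    return buckets


# Constructed sample findings; the as-of date is the post's publication date.
AS_OF = date(2015, 9, 16)
SAMPLE_FINDINGS: List[dict] = [
    {"id": "F-001", "severity": "high", "discovered": date(2015, 8, 1)},       # 30-day window ended 8/31
    {"id": "F-002", "severity": "moderate", "discovered": date(2015, 6, 25)},  # 90-day window ends 9/23
    {"id": "F-003", "severity": "low", "discovered": date(2015, 9, 1)},        # 180-day window ends 2/28/2016
    {"id": "F-004", "severity": "high", "discovered": date(2015, 8, 20),
     "closed": date(2015, 9, 10)},                                             # remediated, excluded
    {"id": "F-005", "severity": "critical", "discovered": date(2015, 8, 10)},  # unknown label -> high
]

if __name__ == "__main__":
    for bucket, ids in triage(SAMPLE_FINDINGS, AS_OF).items():
        print(f"{bucket}: {', '.join(ids) if ids else '-'}")
    for f in SAMPLE_FINDINGS:
        left = days_remaining(f["severity"], f["discovered"], AS_OF, f.get("closed"))
        print(f"  {f['id']} ({f['severity']}): {'closed' if left is None else f'{left} days remaining'}")
```

Run against a real export, the "overdue" bucket is the list you will have to explain to your 3PAO; anything that cannot be fixed inside its window needs a documented deviation request or risk acceptance rather than silence.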

Continuous Monitoring

Organizations are now required to monitor their systems on an ongoing basis, at the frequencies defined in their continuous monitoring plan, shortening the time it takes to detect and respond to attacks and to unauthorized change. Continuous monitoring helps to identify changes in your security posture as quickly as possible, fostering a more informed, risk-based decision-making process and enabling earlier threat detection.

Many of the control areas discussed above have components that require continuous monitoring. Your 3PAO can provide additional assistance on setting up your continuous monitoring program and associated schedules. 

Audit and Accountability

Proper audit mechanisms should be in place, including centralized logging. FedRAMP requires specific logging of system components. Audit records must be kept available online for at least 90 days and retained offline for at least a year. Additionally, there are explicit guidelines as to the events that need to be logged, including administrator actions and privileged access, network and firewall activity, authentication events and more, and each record must carry enough detail (what happened, when, where, by whom and with what outcome) to support an investigation.

We’ve now covered the most common control problem areas. Invest effort in addressing them and you will save your organization time during the certification process and avoid delays. 

To learn more about FedRAMP Certification, download a free copy of our upcoming guide below, Grow Your Business With FedRAMP Certification. On LinkedIn or Twitter? Follow us on LinkedIn and on Twitter at @lbmcsecurity.

Posted in: FedRAMP