
Understanding the Role of FedRAMP Readiness Assessment

08/12/2015  |  By: Sese Bennett, CISSP, CISM, QSA, ITIL, HITRUST CSF, Senior Manager, Information Security



A car must be serviced and maintained regularly if it is to operate efficiently and pass required inspections. The Federal Risk and Authorization Management Program (FedRAMP) accreditation process is no different.

The purpose of the FedRAMP readiness assessment is to determine a Cloud Service Provider’s (CSP’s) likelihood of successfully completing the FedRAMP certification process and receiving its Authorization to Operate (ATO) in a timely manner. The work done in this phase determines how smoothly and expeditiously your FedRAMP certification application gets approved.

CSPs hoping to provide services to federal agencies will need to use the baseline controls listed within the FedRAMP requirements. A CSP must use an accredited Third Party Assessment Organization, or 3PAO, to certify that they meet the minimum FedRAMP requirements.

Overview of The Readiness Assessment, Testing, and Reporting Phases:

Phase 1: Prerequisites and the Security Assessment Plan (SAP) Development

Companies that choose to have a 3PAO help them through assessment will be given a list of required documents that need to be available before the assessment process can begin.

Ideally, all system security, configuration management, incident response, and contingency plans should already be in place and consistently reviewed and enforced. Ongoing training in controls and policies should be present and proven. These benchmarks should be implemented long before the readiness assessment begins.

The overall process is not difficult if you’re working with a FedRAMP 3PAO well versed in FISMA and NIST controls — and one who is familiar with the language and context behind the requirements. It’s true, the requirements can be confusing. However, a good 3PAO will decipher what the requirements mean for you, anticipate any glitches, and provide guidance for what the FedRAMP PMO expects.

The 3PAO you choose will also direct what documentation is needed, where procedures can be tightened, and the best method and order to do so. They’ll help you avoid oversights, incomplete documentation, and flag misuses of resources.

It’s a good idea to review your security policies and processes holistically within the context of the assessment. Organizations first need to understand what their risks are and then rank them by probability of occurrence.

The next step is identifying where the gaps are and how they can be filled — including risk rating, cost, and time to complete. Once you’ve properly addressed the gaps, you’ll be better prepared for the real assessment.

Phase 2: Execute CSP Testing Procedures

Prior to arriving on site, the 3PAO will review your documentation. The 3PAO will then work with your company to develop the Security Assessment Plan, or SAP. Then, your 3PAO will conduct comprehensive interviews with the relevant personnel specified for each area of the testing procedure. During the interviews, the 3PAO will record your methods and processes as well as how you have implemented each control in a comprehensive report that is provided to the FedRAMP PMO.

The next step in this phase is on-site and off-site testing for each section of the test cases outlined in the draft SAP. Vulnerability scanning and penetration testing are part of the test cycle and are integrated into this phase of the assessment.

Phase 3: Risk Analysis and Security Assessment Report (SAR) Development

The 3PAO will complete an overall SAR risk exposure table. From there, they will update the SAR, adding in the test results and the risk exposure data. They will then review the final draft of the SAR with your company to ensure accuracy.  

The 3PAO assessment team will package up all of the documentation created as part of the assessment and, if all information is complete, the assessor will make arrangements to submit the SAR and all other required documentation to the FedRAMP Authorizing Official (AO) for approval.

The SAR will be a detailed report, outlining applicable and compliant security controls as well as those that are either irrelevant or non-compliant. This report is a very important deliverable since federal agencies use this document to quickly assess whether your organization is compliant with the required controls that are unique to their individual agency. If your company is not compliant with those specific controls, then your organization will be eliminated as a potential government CSP partner for that agency.

The assessment process can seem intimidating. At LBMC, our approach is to ensure your organization understands the compliance requirements, the process, the required artifacts, assessment preparation, and continuous monitoring requirements. We identify potential deficiencies or missing controls that could result in a failure to comply with FedRAMP and National Institute of Standards and Technology (NIST) requirements. Next, we provide a readiness gap analysis that identifies potential areas of non-compliance, and finally we recommend solutions and processes to meet the FedRAMP requirements prior to completing a security assessment. We think you’ll find that partnering with the right 3PAO can make all the difference and ensure a smoother path to FedRAMP accreditation.

To learn more about FedRAMP Certification, download a free copy of our upcoming guide below, Grow Your Business With FedRAMP Certification. On LinkedIn or Twitter? Follow us on LinkedIn and on Twitter at @lbmcsecurity.
