FedRAMP Prepare
Plan
Buyer Requirements
- Seeking a FedRAMP advisor with a proven track record of helping clients achieve P-ATO, Agency ATO, and FedRAMP Tailored authorizations
- Are generally familiar with FedRAMP and committed to achieving FedRAMP authorization
- Will be ready within 3-4 weeks to begin addressing gaps (either through internal teams or with an advisor)
- Uncertain if FedRAMP is even appropriate and need a cost estimate? Buy our Quick-Assess service.
Objective
- Assess the current status of the FedRAMP program and control capabilities, identify all material gaps within the system boundary, and provide a roadmap for moving forward
Deliverables
- Issues with the proposed system boundary and out-of-boundary services
- Rating of alignment with respect to FedRAMP CSFs
- Rating of achievement of key security capabilities
- Listing of control gaps related to key security capabilities
- Rating of overall “readiness” status
- High-level roadmap for moving forward
- Slides for management briefing
- Boundary gaps (including use of non-FedRAMPed external and corporate services)
- Control gaps for all in-scope controls with suggested remediation actions
- Control implementation descriptions (for SSP) for controls that are currently implemented
Details
- Interview system SMEs, review system documentation, and, as needed for clarity, inspect other system information
- Review the current state of the FedRAMP program and its target dates
- Assess the make-up and knowledge of the FedRAMP project team (e.g., familiarity with the NIST SP 800-53 controls)
- Assess the proposed system boundary and use of out-of-boundary services
- Understand government clients and the potential authorization path
- Explore leveraging of FedRAMP PaaS/IaaS
- Assess against FedRAMP critical success factors (CSFs)
- Assess the system’s capabilities against the key and showstopper security controls called out in the FedRAMP Readiness Assessment Report (RAR) template
- Spot-check current system/process documentation against the FedRAMP-required templates
- Validate the system boundary for completeness/accuracy
- Inspect configs and artifacts
- Review every control requirement with technical teams
- Assess all technical controls at all layers of the stack and all control processes (e.g., awareness and training)
- Document control implementation statements that describe how controls are implemented
- Refine, revise, or re-design controls and processes to meet requirements
- Identify gaps in the design and implementation of controls
- Discuss alternative solutions for gaps and collaborate to determine best-fit recommendations
- Recommend solutions for missing capabilities
- Option: Perform penetration testing of the web application
- Option: Quick-Assess service for companies that want more background before committing to FedRAMP
Remediate & Document
Buyer Requirements
- Already know their gaps (the “what” that is missing) but need help choosing the best solutions (the “how” of addressing the requirements)
- Need an SME resource available for “as needed” consultation
- Need help implementing controls or preparing required documentation
- Seeking an advisor who is experienced in leveraging the advantages of using pre-authorized platforms and services
Objective
- Guide and support IT engineering efforts to remediate FedRAMP gaps and prepare a complete FedRAMP documentation package that meets all PMO, Agency, and 3PAO requirements
Deliverables
- Detailed control implementation descriptions (for SSP) for controls that are newly implemented
- Complete FedRAMP package ready for review by the AO and the 3PAO assessor
- System Security Plan (system components and boundaries, data flow, system interconnections, and control implementations)
- Configuration Management Plan, Incident Response Plan, Contingency Plan, and other required attachments
- Initial POA&M
- Policies and Procedures
- Continuous Monitoring Plan
Details
- Provide real-time direction and guidance during the remediation engineering phase as new controls and toolsets are implemented
- Provide input and direction as questions arise while new tools and processes are deployed
- Collaborate with the engineering team as needed to ensure that FedRAMP control requirements are addressed
- Validate adequacy of technical implementations of new/fixed controls
- Leverage existing documentation and interview personnel for required information, and create a complete CSP documentation package for FedRAMP
- Evaluate all available documentation to determine what can be leveraged for FedRAMP
- Review existing “plans” (contingency, incident response, configuration management, etc.) to determine what can be leveraged
- Document or revise SSP and required attachments (including “plans”)
- Collaborate with client personnel to ensure system diagrams and data flows for the SSP are correct
- Modify control implementation statements as needed to correctly describe controls and reflect all remediation activities
- Document initial POA&M for control gaps and vulnerabilities
- Create continuous monitoring plan
- Optional: Provide hands-on implementation of tools and security engineering