FedRAMP Prepare

Plan

Buyer Requirements

  • Seeking a FedRAMP advisory with proven effectiveness in achieving P-ATO, Agency ATO, and FedRAMP Tailored authorizations
  • Generally familiar with FedRAMP and are committed to achieving FedRAMP authorization
  • Will be ready within 3-4 weeks to begin addressing gaps (either through internal teams or with an advisor)
  • Uncertain if FedRAMP is even appropriate and need a cost estimate? Buy our Quick-Assess service.

Objective

  • Assess the current status of the FedRAMP program and control capabilities, identify all material gaps in the system boundary and provide a roadmap for moving forward

Deliverables

  • Issues with the proposed system boundary and out-of-boundary services
  • Rating of alignment with respect to FedRAMP CSFs
  • Rating of achievement of key security capabilities
  • Listing of control gaps related to key security capabilities
  • Rating of overall “readiness” status
  • High-level roadmap for moving forward
  • Slides for management briefing
  • Boundary gaps (including use of non-FedRAMPed external and corporate services)
  • Control gaps for all in-scope controls with suggested remediation actions
  • Control implementation descriptions (for SSP) for controls that are currently implemented

Details

  • Perform interviews of system SMEs, review system documentation, and (as needed for clarity) inspect other system information
  • Review the current state of the FedRAMP program and target dates
  • Assess the make-up and knowledge of the FedRAMP project team (e.g., NIST controls)
  • Assess the proposed system boundary and use of out-of-boundary services
  • Understand government clients and the potential authorization path
  • Explore leveraging of FedRAMP PaaS/IaaS
  • Assess against FedRAMP critical success factors (CSFs)
  • Assess the system’s capabilities against critical key and showstopper security controls (per the RAR template)
  • Spot-check current system/process documentation against FedRAMP required templates
  • Validate the system boundary for completeness/accuracy
  • Inspect configs and artifacts
  • Review every control requirement with technical teams
  • Assess all technical controls at all layers of the stack and all control processes (e.g., awareness and training, etc.)
  • Document control implementation statements that describe how controls are implemented
  • Refine, revise, or re-design controls and processes to meet requirements
  • Identify gaps in the design and implementation of controls
  • Discuss alternative solutions for gaps and collaborate to determine “best” fit recommendations
  • Recommend solutions for missing capabilities
  • Option: Perform pen testing of web app
  • Option: Quick Assessment for companies that want more background before committing to FedRAMP

Remediate & Document

Buyer Requirements

  • Already know their gaps (e.g., “what” is missing) but need help figuring out the best solutions (e.g., “how” to address the requirements)
  • Need a SME resource available for “as needed” consultation
  • Need help implementing controls or preparing required documentation
  • Seeking an advisor who is experienced in leveraging the advantages of using pre-authorized platforms and services

Objective

  • Guide and support IT engineering efforts to remediate FedRAMP gaps and prepare a complete FedRAMP documentation package that meets all PMO, Agency and 3PAO requirements

Deliverables

  • Detailed control implementation descriptions (for SSP) for controls that are newly implemented
  • Complete FedRAMP package ready for review by AO and 3PAO assessor
  • System Security Plan (system components and boundaries, data flow, system interconnections, and control implementations)
  • Configuration Management Plan, Incident Response Plan, Contingency Plan, and other required attachments
  • Initial POA&M
  • Policies and Procedures
  • Continuous Monitoring Plan

Details

  • Provide real-time direction and guidance during the remediation engineering phase as new controls and toolsets are implemented
  • Provide input and direction as questions arise while new tools and processes are deployed
  • Collaborate with the engineering team as needed to ensure that FedRAMP control requirements are addressed
  • Validate adequacy of technical implementations of new/fixed controls
  • Leverage existing documentation and interview personnel for required information, and create a complete CSP documentation package for FedRAMP
  • Evaluate all available documentation to determine what can be leveraged for FedRAMP
  • Review existing “plans” (contingency, incident response, config mgmt., etc.) to determine what can be leveraged
  • Document or revise SSP and required attachments (including “plans”)
  • Collaborate with client personnel to ensure system diagrams and data flows for the SSP are correct
  • Modify control implementation statements as needed to correctly describe controls and reflect all remediation activities
  • Document initial POA&M for control gaps and vulnerabilities
  • Create continuous monitoring plan
  • Optional: Provide hands-on implementation of tools and security engineering