The FedRAMP Readiness Assessment Report (RAR) Requirements for CSPs

FedRAMP | Federal Assessments

Published: Mar 3, 2022

Last Updated: Jun 3, 2025

The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. government initiative that standardizes the security assessment and authorization process for cloud products and services used by federal agencies. Part of this process requires cloud service providers (CSPs) to complete a FedRAMP Readiness Assessment Report (RAR), which is used to determine whether they are prepared to undergo full FedRAMP authorization.  

As a Third-Party Assessment Organization (3PAO) that regularly helps organizations gain FedRAMP authorization, we previously wrote about FedRAMP Ready, covering what it is, who should get a RAR, and how it can help you. Now, we want to answer what you're required to do to actually become FedRAMP Ready.

In this article, we will break down some of the requirements you must satisfy during your Ready Assessment—something you must do to receive the formal designation of Ready status on the FedRAMP Marketplace. While the FedRAMP Program Management Office (PMO) has high expectations for a RAR, reading this article will help simplify the preparation for your cloud service offering (CSO) ahead of your assessment. 

What are the FedRAMP Readiness Assessment Report Requirements? 

Let's establish this first: the Ready Assessment is not intended to cover the entire FedRAMP control baseline. That said, it’s still going to require considerable preparation to meet the many control requirements. Even at this early stage, your 3PAO will be thoroughly documenting your CSO’s capabilities. 

So that you don’t go into your assessment underestimating what you need to prepare, ensure your CSO meets the following requirements, at a minimum: 

  • Your CSO must be fully operational before the start of the assessment. While you are not required to have active customers within your environment, the PMO defines fully operational as “the architectural components of the system are all in place and operating as required, and the technical controls are implemented.” 

  • Your CSO must have a comprehensive authorization boundary diagram and supporting data flow diagrams. Accurate and detailed diagrams are a critical component to the PMO’s review of a RAR, so ensure your diagrams are up to their standards. 

  • Your CSO must be compliant with the six federal mandates outlined within the FedRAMP RAR templates. That means your CSO must feature the following:
    • Implementation of FIPS 140-2 validated cryptographic modules for all data-at-rest and data-in-transit, covering all external and internal data flows.
    • Compliance with Digital Identity Level 2 or 3, depending on your intended FedRAMP impact level (i.e., Moderate or High). These requirements are too dense to distill fully here, but in summary, your 3PAO will evaluate the following against the specific requirements outlined within the corresponding Level:
      • Your identity proofing process
      • Your authentication methods
      • Any federation implementations
    For more details, you can review NIST Special Publication 800-63A.
    • Compliance with the SC-20, SC-21, and SC-22 NIST security controls and FedRAMP parameters. That includes the implementation of DNS Security (DNSSEC) on your external/authoritative DNS servers as well as on the internal recursive/caching resolvers. You also need to ensure fault tolerance and role separation are in place for those external/authoritative DNS servers.

To note, this federal mandate tends to present challenges for many CSPs as there are some additional nuances expected to be in place beyond the summary provided above. Discussions about DNSSEC with your 3PAO early in the assessment process will be critical. 

  • The ability to consistently remediate High vulnerabilities within 30 days, Moderate vulnerabilities within 90 days, and Low vulnerabilities within 180 days. To demonstrate this during the Ready Assessment, you will provide multiple months of vulnerability scans for your CSO’s operating systems, containers, databases, and web applications where applicable. 

  • The capability to support user authentication via Agency Common Access Card (CAC) or Personal Identity Verification (PIV) credentials. To meet this, you may have your CSO support SAML 2.0 and require agency customers to integrate access with an identity provider of their choice. 

  • An adherence to the Federal Records Management Requirements, including the ability to support record holds, National Archives and Records Administration (NARA) requirements, and Freedom of Information Act (FOIA) requirements. 

  • Your CSO must disclose all system interconnections as well as external and corporate systems used to support the CSO. This includes: 
    • All third-party cloud-based systems
    • Corporate systems owned/managed by the CSP
    • Any public or custom API sets that allow data to flow to/from the system

At a minimum, the PMO will want to understand the interconnection details, data types, and, most importantly, whether the system or service possesses an existing FedRAMP Authorization. 

*Historically, the FedRAMP PMO will not consider a CSP for a FedRAMP Ready designation under most circumstances if the CSO leverages external systems or services that are not FedRAMP Authorized at the same impact level.   

  • Your CSO must not have any major technical gaps between your CSP’s implemented technical controls and FedRAMP requirements. In other words, your CSO should meet the majority of the capabilities outlined within Section 4 of the RAR. Your 3PAO will evaluate how your CSO meets these capabilities as well as the Federal Mandates mentioned above, and they include the following: 
    • Identification, Authentication, and Access Control 
    • Audit, Alerting, Malware, and Incident Response 
    • Contingency Planning and Disaster Recovery 
    • Configuration and Risk Management 
    • Data Center Security 
    • Change Management 
    • Continuous Monitoring  
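The remediation timelines listed above (High within 30 days, Moderate within 90, Low within 180) are evidenced with months of scan history, so a simple way to check your own evidence before the 3PAO does is to compute how long each finding stayed open and flag anything past its window. The following is an added example, not code from the article or from Schellman; the finding identifiers, asset names and dates are constructed, and a finding that was closed late is still counted as a missed timeline.

```python
"""Flag vulnerability findings that exceeded the FedRAMP remediation timelines."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Maximum number of days a finding may remain open, per severity.
SLA_DAYS = {"high": 30, "moderate": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    finding_id: str        # scanner's finding identifier (constructed values below)
    asset: str             # host, container image, database or web application
    severity: str          # "high", "moderate" or "low"
    first_seen: date       # first scan date on which the finding appeared
    closed: Optional[date] # date the finding stopped appearing, or None if still open


def days_open(f: Finding, as_of: date) -> int:
    """Days from first detection to closure, or to the report date if still open."""
    end = f.closed if f.closed is not None else as_of
    return (end - f.first_seen).days


def overdue(findings: List[Finding], as_of: date) -> List[Tuple[Finding, int, int]]:
    """Return (finding, days_open, sla_days) for every finding past its window."""
    result = []
    for f in findings:
        sla = SLA_DAYS[f.severity.lower()]
        opened = days_open(f, as_of)
        if opened > sla:
            result.append((f, opened, sla))
    return result


# Constructed sample history resembling a few months of scan results.
SAMPLE = [
    Finding("F-1", "web-01", "high", date(2025, 1, 10), date(2025, 2, 5)),   # closed in 26 days
    Finding("F-2", "db-01", "high", date(2025, 1, 10), date(2025, 3, 1)),    # closed in 50 days
    Finding("F-3", "app-image", "moderate", date(2025, 2, 1), None),         # still open
    Finding("F-4", "bastion", "low", date(2024, 9, 1), None),                # still open
]


def report(findings: List[Finding] = SAMPLE, as_of: date = date(2025, 6, 1)) -> List[Tuple[str, int, int]]:
    """Compact list of (finding_id, days_open, sla_days) for overdue findings."""
    return [(f.finding_id, opened, sla) for f, opened, sla in overdue(findings, as_of)]


if __name__ == "__main__":
    for finding_id, opened, sla in report():
        print(f"{finding_id}: open {opened} days, limit {sla}")
```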

Key Considerations to Get FedRAMP Ready 

Though what we’ve listed may appear extensive, the requirements we mention here are not meant to be all-inclusive—in fact, your Ready Assessment will absolutely consist of more. 

However, the above is meant to provide you with a critical priority list as you prepare for your Ready Assessment. You now have a summary of the items that, if not met as part of your Ready Assessment, would be considered a derailment by the PMO. By this, we mean that your Ready process would be paused, because the PMO has instructed us 3PAOs not to submit any RARs for PMO review unless these very items are met by the CSO.

As you continue to prepare to become FedRAMP Ready, make sure to read our article on the phases to a FedRAMP Ready Assessment. There, you’ll find insight into how the actual process works, which will help you set more specific conditions for your experience. 

While FedRAMP Ready provides no guarantee of Authorization down the line, it can help your organization enter the lucrative FedRAMP marketplace. If you find you have further questions regarding the specifics, please contact us. We’d be happy to have a conversation that lends the 3PAO perspective to answering any concerns you may have. 

About Matt Hungate

Matt Hungate is a Principal with Schellman based in Richmond, VA. Matt specializes in Federal Assessments at Schellman, including compliance with standards such as FedRAMP, NIST, ITAR, and CJIS. Prior to joining Schellman in 2019, Matt worked as a Cybersecurity Consultant for a large advisory firm where he specialized in strategy and assessment services for NIST 800-53 and FedRAMP. Matt also led and supported various other projects, including the development of an enterprise-wide cybersecurity strategy and cloud transition plan for a large federal agency. Matt's experience includes serving clients in both the private and public sectors, and his credentials include the CISSP, CISA, and CPA.