What are Schellman's FedRAMP Capabilities?
Published: Aug 24, 2022
Last Updated: Dec 11, 2025
If you’re a cloud service provider (CSP) seeking FedRAMP Authority to Operate (ATO), you may be wondering if Schellman is the right compliance firm to partner with.
In this article, we'll cover what sets Schellman apart from your other Third Party Assessment Organization (3PAO) options and what we can offer you within the FedRAMP Program. After reading this, you’ll know three key things you can expect of Schellman on your road to ATO.
What is FedRAMP?
For the sake of thoroughness, let’s establish what you need first. FedRAMP was created by the federal government to give CSPs a standardized way to offer cloud services to federal agencies while reducing the risk the government takes on in using them.
A CSP earns that authorization by having its security controls, data handling, and data residency assessed by an accredited 3PAO, like Schellman.
What Will You Get with Schellman’s Team?
Schellman was founded in 2002 as a provider of SAS 70 audits—the predecessor to SOC—and has since grown dramatically, adding complementary services over the years. We currently offer clients more than 30 different assessment services, including other federal compliance offerings such as CMMC 2.0, NIST 800-171, NIST 800-53, RMF, FISMA, ITAR, and CJIS assessments.
As the #1 provider of FedRAMP assessment services per the FedRAMP Marketplace, Schellman offers organizations something few firms can: multiple compliance assessment services from a single provider. If you need several compliance assessments or cybersecurity services, we provide an integrated project team and methodology so that evidence gathered once can serve each objective and the work is not duplicated.
But if it’s just FedRAMP you’re after, that’s okay too—we have a team of highly specialized assessors that regularly engages with the FedRAMP Program Management Office (PMO), the Defense Information Systems Agency (DISA), and the Cyber AB (the CMMC accreditation body), both as part of our assessment activities and at their request to provide ideas for methodology and program refinement.
You’re also likely wondering about our penetration test team. Penetration tests have been a required part of the FedRAMP assessment for some time, and with FedRAMP’s adoption of the NIST SP 800-53 Rev 5 baselines, red team exercises are now required as well. Our team performs both. You can read more about their qualifications in our article here, but at the very least know that every member holds the Offensive Security Certified Professional (OSCP) certification and has several years of penetration testing and technical experience.
Schellman’s FedRAMP Capabilities
1. We Perform Assessments Only, Not Advisory Services (Type A 3PAO).
One of the most important things to understand going into your search for the right 3PAO is that many firms offer both assessment and advisory services. Because the process to achieve a FedRAMP ATO is very high stakes, organizations are often advised to engage a consultant to help them prepare—just know that if you do, the same firm cannot independently perform your FedRAMP assessment, since it would be assessing its own advice.
Unlike firms that do both, Schellman performs assessments exclusively, so that independence is never in question—though we are glad to help you find the right advisory partner.
From a technical compliance perspective, FedRAMP is one of the higher bars to meet. As such, you’re going to need experienced IT and security engineers that are familiar with technical compliance—preferably ones that have actual experience with FedRAMP—to either:
- Help ensure that your existing environment can meet FedRAMP requirements; or
- Help you build a new environment that meets FedRAMP requirements.
You might already have this experience internally, but if not, an advisory firm that is accustomed to building infrastructure with a defense-in-depth approach could help you immensely.
But your build-out isn’t the only critical step in your pursuit of FedRAMP—you also need to get through an assessment that is thorough enough to avoid any hiccups with the FedRAMP PMO and/or DISA during their review. In working with Schellman for this phase, you can be sure of two things:
- Our team of qualified assessors will be the best team we have to offer; and
- They will be completely focused on ensuring your FedRAMP assessment more than satisfies the PMO and/or DISA.
2. We Can Handle Any FedRAMP Assessment You Need.
Depending on where you are in your FedRAMP journey and what you need—as well as what approach you’re taking to authorization—you may need different types of assessment, and Schellman can help you with each of these:
| Assessment Type | Details |
|---|---|
| Readiness Assessment Report (RAR) | A 3PAO attestation that your service meets FedRAMP’s readiness requirements and is a candidate for the FedRAMP Ready designation before the full assessment begins. |
| Security Assessments | Full testing of your implementation of the FedRAMP baseline controls, documented in a Security Assessment Report (SAR), for initial authorization and for the annual assessments required afterward. |
Schellman can handle any assessment, no matter the impact level (the FIPS 199 categorization of Low, Moderate, or High that determines which control baseline applies), but what can you expect from each?
| Impact Level | Details |
|---|---|
| Low | For systems where a loss of confidentiality, integrity, or availability would have a limited adverse effect; the smallest control baseline. |
| Moderate | For systems where such a loss would have a serious adverse effect; the baseline most CSPs pursue. |
| High | For systems where such a loss would have a severe or catastrophic adverse effect; the largest control baseline and the most rigorous assessment. |
3. We’re Nimble with the Ability to Adapt.
If you’re looking for that extra layer of comfort in your 3PAO’s capabilities—or your agency asks you to take the controls being assessed a step further—you might need your 3PAO to be able to pivot to accommodate control overlays. You and your agency may have specific additional requirements that include privacy, ITAR, or FISMA controls, and that’s no problem for our team given the depth of our experience and resources.
In other cases, you may also need to have DoD impact level (IL) 4, IL5, or even IL6 controls assessed, which we are now authorized to do. Even though these are DoD controls prescribed by DISA, you can have them assessed in tandem with your FedRAMP Moderate or High environment rather than as a separate engagement.
Our FedRAMP team is practiced in reviewing the documentation for the legal and privacy ramifications and the relevant controls that come into play here, and—as we mentioned before—we work with DISA regularly. We are confident that we can handle any unique assessment details you may need.
Next Steps for Finding Your FedRAMP 3PAO
Schellman’s established footprint within the FedRAMP Marketplace does indicate some of our capabilities, but to learn more details about our offerings and how we can help you, please reach out to us so that we can schedule a conversation to discuss a possible partnership.
In the meantime, our other content regarding FedRAMP can help you further prepare for this process.
About Andy Rogers
Andy Rogers is a Lead Senior Associate with Schellman based in Indianapolis, IN. Prior to joining Schellman in 2021, Andy worked as a cybersecurity consultant for a government aeronautics company specializing in UAVs, satellites, and FedRAMP audits. He has over 20 years of experience serving clients in various industries, including health insurance, nuclear energy production, government contracting, IT services, and tactical aircraft manufacturing. Andy is now focused primarily on FedRAMP, assessing organizations across various industries.