What to Expect from a FedRAMP Moderate Assessment
If you’ve ever signed up for a race, you may have had a few options to choose from. Sometimes, there’s a 15k, a 10k, an 8k, and, of course, a 5k, which is generally the starting standard for amateur runners and/or walkers. Each option has a certain degree of difficulty, and all of them require intentional steps for completing the race successfully.
Like these races, FedRAMP also features different risk levels that require a different level of investment. And regardless of which distance (or risk level) you opt for, it would help to have a roadmap of expectations so that you can better allocate your resources.
If you’re considering or even have already settled on pursuing a FedRAMP Moderate Assessment, that’s exactly what we plan to present here.
As one of the most experienced Third-Party Assessment Organizations (3PAOs) in the FedRAMP Marketplace, we’ll explain what this baseline is, what goes into the specific process—including the relevant changes in NIST SP 800-53 Rev 5—and how to set your organization up for success.
This article will help you drill down beyond a basic understanding of the FedRAMP process to more of what you’re specifically getting into, thereby making this “race” at least a little bit easier for your organization.
What is the FedRAMP Moderate Baseline?
Let’s start with the basics. In total, FedRAMP has three security baselines that cloud service providers (CSPs) can choose to pursue and be assessed against—these are based on the Federal Information Processing Standard (FIPS) 199 guidelines for categorizing information and information systems.
For those interested in pursuing FedRAMP, you’ll categorize your Cloud Service Offering (CSO) to determine its impact level and then use the corresponding baseline to evaluate your system against the minimum security requirements. FedRAMP is primarily concerned that federal vendors achieve three security objectives, often abbreviated as CIA:
- Confidentiality, or the restriction of information access and disclosure, including protection measures for personal privacy and proprietary information
- Integrity, or the protection of data against destruction or modification
- Availability, or the timely and reliable access to stored information
These objectives and the FIPS 199 impact categorizations for CIA all lead to a determination that corresponds to the aforementioned baselines. You’ll note that the number of controls required for each baseline increases with the greater impact to security:
| Baseline | Base Controls |
|---|---|
| Low | 125* (may be lower for Li-SaaS assessments) |
| Moderate | 325* |
| High | 421* |

*The FedRAMP Control Baselines for Rev 5 are still in review for publication; final numbers may change.
Of the three listed here, the most popular authorization option to date has proven to be at the Moderate Baseline, as the requirements align with many of the common security requirements needed by federal agencies.
When you select this baseline, what you’re essentially asserting is that a loss of confidentiality, integrity, or availability within your CSO would have a serious adverse effect on your organization and related parties. So, neither a limited effect (Low) nor a catastrophic one (High), but still a major disruption to federal agencies and other users.
The Moderate Baseline already represents a big jump up from the requirements in the Low Category, but the new Revision 5 to NIST SP 800-53 will likely result in even more hurdles to leap, including the addition of a new control family and baseline controls as well as updates to requirements for many existing controls. (Note that FedRAMP currently still operates on NIST 800-53 R4.)
To be more specific, Revision 5 will likely expand the Moderate control catalog from 17 to 18 control families to go with the brand-new addition of Supply Chain Risk Management (SR) controls. There are also approximately 40 new controls and control enhancements, as well as updates to nearly 100 existing controls.
More than that though, the new revision also shifted the focus of many of the baseline control descriptions from assigning responsibility for a control—e.g., information system, organization—to a description that captures the desired results of the control.
Below is a breakdown of the NIST 800-53 Control Families as well as what to expect for your CSO’s System Security Plan (SSP) and control implementations at the Moderate Impact Level:
| Control Family | Overview of What Will Be Tested |
|---|---|
| AC Access Control | Administrative and technical controls regarding the onboarding of personnel and assigning corresponding privileges |
| AT Security Awareness Training | Security awareness program content, tracking, and retention |
| AU Audit and Accountability | Security Information and Event Manager (SIEM), log content, log management, alerting, and monitoring |
| CA Security Assessment | Penetration testing, continuous monitoring of the environment’s security posture, system interconnections, Plan of Actions and Milestones (POA&M), and overall program monitoring |
| CM Configuration Management | Baseline management, change management control process, inventory, baseline and configuration scanning, system hardening, and Configuration Management Plan (CMP) |
| CP Contingency Planning | Data and environment backup, recovery, availability, and contingency plans |
| IA Identification and Authorization | Identification and verification of personnel, password and authenticator management, Common Access Card (CAC) / Personal Identity Verification (PIV) multi-factor authentication (MFA) processes and mechanisms, etc. |
| IR Incident Response | Discovery, investigation, reporting, and tracking of incidents |
| MA Maintenance | Tracking and logging of maintenance |
| MP Media Protection | Management, storage, protection, and tracking of media |
| PE Physical and Environmental Security | Physical and environmental controls, access control and management of data centers, secure areas, server rooms, etc., as well as management and tracking of related personnel |
| PL Security Planning | System Security Plan (SSP), documentation of the system boundary and environment, architecture, network, and data flow diagrams |
| PS Personnel Security | Personnel management, including onboarding, termination, transfers |
| RA Risk Assessments | Risk assessment and designations, vulnerability scanning (and remediation) mechanisms and processes—infrastructure/OS scans, database scans, web application scans, and container scans. *NOTE: The Revision 5 Moderate Baseline may include a new focus on Supply Chain Risk Assessments and threat hunting capabilities, including monitoring, detection, tracking, and threat disruption. |
| SA System and Services Acquisition | SDLC processes and management, including static and dynamic code analysis, vendor management, external system interconnections, third-party risk, and supply chain management. |
| SC System and Communications Protection | Protection of external/internal data-in-transit and data-at-rest, internal/external encryption (FIPS 140-2 cryptography), Public Key Infrastructure (PKI), implementing subnets, and boundary protection mechanisms. *NOTE: Rev 5 may introduce new privacy requirements in SC-7(24). |
| SI Systems and Information Integrity | Information system monitoring, verification of the functionality and security of the system, including flaw remediation, file integrity monitoring, antivirus, spam protection, etc. *NOTE: Rev 5 may introduce new privacy requirements in SI-18 and SI-19. |
| New Control Families Defined in NIST 800-53 Rev 5 | |
| PM Program Management | Overall security program activities and metrics. *NOTE: These controls are not currently being assessed by 3PAOs under the Rev 4 Moderate Baseline. They are addressed separately and may not be represented in the updated Rev 5 Moderate Baseline. |
| PT Personally Identifiable Information Processing and Transparency | Addresses privacy when collecting, storing, handling, processing, notifying of use of, and destroying (when no longer needed) personnel’s Personally Identifiable Information (PII). *NOTE: These controls are not currently being assessed by 3PAOs under the Rev 4 Moderate Baseline. This is a new Control Family and may not be represented in the Rev 5 Moderate Baseline. |
| SR Supply Chain Risk Management | Supply chain risk management plan documenting the planned execution of these security requirements. *NOTE: These controls are not currently being assessed by 3PAOs under the Rev 4 Moderate Baseline. This new Control Family will likely be represented in the updated Rev 5 Moderate Baseline. |
What is the FedRAMP Moderate Assessment Process?
When you opt for an assessment at the Moderate Baseline, the assessment is typically broken out into two stages.
Stage 1
First, you’ll conduct planning and preparation activities, working alongside your 3PAO to complete the Security Assessment Plan (SAP) that will:
- Document the scope of manual controls testing and penetration testing (including a review of the );
- Identify the controls to be assessed; and
- Detail the sampling methodology to be used by the 3PAO during the assessment.
Stage 2
After that, the bulk of testing activities that ultimately result in the Security Assessment Report (SAR) will begin. At a minimum, Stage 2 assessment activities include:
- Execution of the penetration test
- Interviews of CSO control owners
- Inspection of evidence provided and observations of controls in place
- Analysis and vulnerability scans and related reporting
How to Prepare for a FedRAMP Moderate Assessment
So how do you get through this? One primary key to success will be your preparation and planning, especially now, given the entirely new control family and other added requirements—the additions will mean more resources and effort need to be directed towards developing a detailed SSP and ensuring the new controls are accurately implemented throughout your system environment.
Some big hurdles to pay particular attention to during this initial preparation include:
- Cryptography
- Focus especially on the implementation of FIPS 140-2 validated cryptographic modules throughout your system environment for protection of all data-at-rest and data-in-transit, as well as in multi-factor authenticators.
- During your assessment, your 3PAO will need to verify the active status and FIPS enabled mode of operation for each of the offering’s cryptographic modules—if there are any issues identified during this process, it could be a showstopper for your assessment.
- System Scanning
- Keep in mind that, for the Moderate Assessment, your requisite monthly scans must be performed in an authenticated manner for all components within the CSO’s Authorization Boundary to include infrastructure/OS, database, web application, and container vulnerability and compliance baseline scans.
- Any open vulnerabilities identified that remain open at the end of the assessment period must be reported within the SAR.
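Because the FIPS-mode check above can stop an assessment outright, it is worth verifying it yourself before the 3PAO does. The following shell script is an added example, not code from this article or from Schellman: it gathers the two pieces of FIPS-mode evidence a Linux host can supply, the kernel flag in /proc/sys/crypto/fips_enabled and the provider list printed by the OpenSSL 3.x CLI (`openssl list -providers`). Both checks accept their input as a parameter or on stdin, so the same functions can be run live on a host or against captured evidence files; the provider listing shown in the comments is a constructed sample, and the output format it assumes is that of OpenSSL 3.x.

```shell
#!/bin/sh
# Added example (not from the article or from Schellman): a pre-assessment
# self-check for FIPS-mode evidence on a Linux host. Assumptions: the kernel
# exposes /proc/sys/crypto/fips_enabled, and the OpenSSL 3.x CLI is installed.

# Interpret the kernel FIPS flag. Prints enabled/disabled/unknown and returns
# 0/1/2 respectively. Takes a file path so captured evidence can be checked;
# defaults to the live sysctl file.
kernel_fips_status() {
    file="${1:-/proc/sys/crypto/fips_enabled}"
    if [ ! -r "$file" ]; then
        echo "unknown"          # no flag at all: FIPS mode cannot be claimed
        return 2
    fi
    flag=$(tr -d '[:space:]' < "$file")
    case "$flag" in
        1) echo "enabled";  return 0 ;;
        0) echo "disabled"; return 1 ;;
        *) echo "unknown";  return 2 ;;
    esac
}

# Parse "openssl list -providers" output from stdin. Returns 0 only if a
# provider named "fips" is loaded and reports "status: active"; a loaded
# default provider alone does not put OpenSSL into FIPS mode.
# Constructed sample of the expected input format:
#   Providers:
#     default
#       name: OpenSSL Default Provider
#       version: 3.0.8
#       status: active
#     fips
#       name: OpenSSL FIPS Provider
#       version: 3.0.8
#       status: active
openssl_fips_provider_active() {
    awk '
        /^  [A-Za-z]/                          { current = $1 }   # two-space indent: provider name
        /status: active/ && current == "fips"  { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Both pieces of evidence must be positive for the host to pass.
fips_verdict() {
    [ "$1" = "enabled" ] && [ "$2" = "active" ]
}

# Live run: collect the evidence for this host and print one summary line
# suitable for an evidence log. Always exits 0; read the verdict in the output.
main() {
    host=$(hostname 2>/dev/null || echo "unknown-host")
    kernel=$(kernel_fips_status || true)
    if command -v openssl >/dev/null 2>&1 &&
       openssl list -providers 2>/dev/null | openssl_fips_provider_active; then
        provider="active"
    else
        provider="inactive-or-unknown"
    fi
    if fips_verdict "$kernel" "$provider"; then verdict="PASS"; else verdict="FAIL"; fi
    echo "$host kernel_fips=$kernel openssl_fips_provider=$provider verdict=$verdict"
    return 0
}

main "$@"
```

Two caveats when using this as evidence: a kernel flag of 1 and an active provider show that the host is operating in FIPS mode, but they do not establish that the module in use is a validated one, so each module's certificate still has to be matched against the NIST CMVP validation list; and application-level crypto (language runtimes, bundled libraries, MFA authenticators) needs its own check, because it may bypass the system OpenSSL entirely.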
(For more information on some other common pitfalls to avoid during your assessment, click here.)
To minimize these potential gaps in your security plan and address any other issues early, ensure everyone’s on the same page from the beginning as you develop your relevant systems to satisfy the requirements of the FedRAMP Moderate Assessment.
The sooner you can begin bringing your CSO up to standard, together with the supporting documentation, the better, but you may find you need some outside help in this—if so, check out our article on FedRAMP consultants here.
Setting Clear Expectations for Your FedRAMP Process
You can expect the FedRAMP Moderate Assessment to be an extensive process, and you should prepare your personnel for their participation. Should your 3PAO discover any discrepancies or missed implementations during their examination of the above, they’ll report them to you and develop a Risk Exposure Table. That table supports the SAR, which will also detail your 3PAO’s findings and their recommendation regarding your CSO’s FedRAMP Authorization.
You’ll use all this information to create a Plan of Action and Milestones (POA&M) outlining your strategy for addressing those findings. Once that’s complete, the SAR and supporting documents will be submitted through whichever of the two authorization paths you will have already chosen:
- You have already secured agency sponsorship ahead of your assessment to support the process of seeking Authority to Operate (ATO).
- You may pursue a Provisional Authority to Operate (P-ATO) through the FedRAMP Joint Authorization Board (JAB) once you’ve been selected via the FedRAMP Connect process.
Now that you understand more about what to expect from a FedRAMP Moderate Assessment, you can move forward knowing more about what you need to address within your environment. And, should you have any further questions about the complexities of this federal compliance program or our role as a 3PAO, please feel free to contact us.
About Charles Turnbow
Charles Turnbow is a Senior Associate at Schellman. He previously served in the military as an intelligence officer before entering the civilian workforce as a strategic aerospace, intelligence, and security consultant supporting global operations within the Intelligence Community. Now at Schellman, Charles is focused on providing federal assessments.