What to Expect from a FedRAMP Moderate Assessment
If you’ve ever signed up for a race, you may have had a few options to choose from. Sometimes, there’s a 15k, a 10k, an 8k, and, of course, a 5k, which is generally the starting standard for amateur runners and/or walkers. Each option has a certain degree of difficulty, and all of them require intentional steps for completing the race successfully.
Like these races, FedRAMP also features different risk levels that require a different level of investment. And regardless of which distance (or risk level) you opt for, it would help to have a roadmap of expectations so that you can better allocate your resources.
If you’re considering or even have already settled on pursuing a FedRAMP Moderate Assessment, that’s exactly what we plan to present here.
As one of the most experienced Third-Party Assessment Organizations (3PAOs) in the Marketplace, we’ll explain what this baseline is, what goes into the specific process—including relevant important changes in NIST SP 800-53 Rev5 —and how to set your organization up for success.
This article will help you drill down beyond a basic understanding of the FedRAMP process to more of what you’re specifically getting into, thereby making this “race” at least a little bit easier for your organization.
What is the FedRAMP Moderate Baseline?
Let’s start with the basics. In total, FedRAMP has three* security baselines that cloud service providers (CSPs) can choose to pursue and be assessed against—these are based on the Federal Information Processing Standard (FIPS) 199 guidelines for categorizing information and information systems.
For those interested in pursuing FedRAMP, you’ll categorize your Cloud Service Offering (CSO) to determine your impact level and use the established standards to evaluate your system to ensure it meets the minimum security requirements. FedRAMP is primarily concerned that federal vendors achieve three security objectives, abbreviated often as CIA:
- Confidentiality, or the restriction of information access and disclosure, including protection measures for personal privacy and proprietary information
- Integrity, or the protection of data against destruction or modification
- Availability, or the timely and reliable access to stored information
These objectives and the FIPS 199 impact categorizations for CIA all lead to a determination that corresponds to the aforementioned baselines. You’ll note that the number of controls required for each baseline increases with the greater impact on security:
|
Baseline |
Base Controls |
|---|---|
|
Low *Tailored / Low Impact SaaS (LI-SaaS) |
156 |
|
Moderate |
323 |
|
High |
410 |
*The FedRAMP Control Baselines for Rev 5 are still in review for publication – final numbers may change.
Of the three listed here, the most popular authorization option to date has proven to be at the Moderate Baseline, as the requirements align with many of the common security requirements needed by federal agencies.
When you select this baseline, what you’re basically saying is that the loss of CIA within your CSO would create a serious adverse effect on your organization and related parties. So, not a limited (low risk) nor a catastrophic effect (high risk), but still a major disruption to federal agencies and other users.
The Moderate Baseline already represents a big jump up from the requirements in the Low Category, and the new Revision 5 to NIST SP 800-53 has provided even more hurdles to leap, including the addition of a new control family and baseline controls as well as updates to requirements for many existing controls.
To be more specific, Revision 5 will likely expand the Moderate control catalog from 17 to 18 control families to go with the brand-new addition of Supply Chain Risk Management (SR) controls. There are also approximately 40 new controls and control enhancements, as well as updates to nearly 100 existing controls.
More than that though, the new revision also shifted the focus of many of the baseline control descriptions to be outcome-based. Instead of assigning responsibility for a control (e.g., information system, organization), the new control descriptions capture the desired results of the control. (For more information from Schellman on the FedRAMP Revision 5 changes, click here.)
Below is a breakdown of the NIST 800-53 Control Families as well as what to expect for your CSO’s System Security Plan (SSP) and control implementations at the Moderate Impact Level:
|
Control Family |
Overview of What Will Be Tested |
|---|---|
|
AC Access Control |
Administrative and technical controls regarding the onboarding of personnel and assigning corresponding privileges |
|
AT Security Awareness Training |
Security awareness program content, tracking, and retention |
|
AU Audit and Accountability |
Security Information and Event Manager (SIEM), log content, log management, alerting, and monitoring |
|
CA Security Assessment |
Penetration testing, continuous monitoring of the environment’s security posture, system interconnections, Plan of Actions and Milestones (POA&M), and overall program monitoring NOTE: Revision 5 Moderate Baseline includes a requirement for organization-defined Red Team Exercises in CA-8(2). |
|
CM Configuration Management |
Baseline management, change management control process, inventory, baseline and configuration scanning, system hardening, and Configuration Management Plan (CMP) NOTE: Revision 5 Moderate Baseline includes a requirement for CSPs to leverage DoD STIGs for their baseline configuration settings. |
|
CP Contingency Planning |
Data and environment backup, recovery, availability, and contingency plans |
|
IA Identification and Authorization |
Identification and verification of personnel, password and authenticator management, Common Access Card (CAC) / Personal Identity Verification (PIV) multi-factor authentication (MFA) processes and mechanisms, etc. |
|
IR Incident Response |
Discovery, investigation, reporting, and tracking of incidents NOTE: Revision 5 Moderate Baseline includes a requirement for functional IR testing to be completed at least annually (noted in IR-3). |
|
MA Maintenance |
Tracking and logging of maintenance |
|
MP Media Protection |
Management, storage, protection, and tracking of media |
|
PE Physical and Environmental Security |
Physical and environmental controls, access control and management of data centers, secure areas, server rooms, etc., as well as management and tracking of related personnel |
|
PL Security Planning |
System Security Plan (SSP), documentation of the system boundary and environment, architecture, network, and data flow diagrams |
|
PS Personnel Security |
Personnel management, including onboarding, termination, transfers |
|
RA Risk Assessments |
Risk assessment and designations, vulnerability scanning (and remediation) mechanisms and processes—infrastructure/OS scans, database scans, web application scans, and container scans. NOTE: Revision 5 Moderate Baseline includes a new focus on Supply Chain Risk Assessments in RA-3(1). |
|
SA System and Services Acquisition |
SDLC processes and management, including static and dynamic code analysis, vendor management, external system interconnections, third-party risk, and supply chain management. |
|
SC System and Communications Protection |
Protection of external/internal data-in-transit, data-at-rest, internal/external encryption (FIPS 140-2 cryptography), Public Key Infrastructure (PKI), implementing subnets, and boundary protection mechanisms. NOTE: Rev 5 introduced SC-45 and SC-45(1) System Time synchronization testing which pulled control implementations from AU-8 and AU-8(1). |
|
SI Systems and Information Integrity |
Information system monitoring, verification of the functionality and security of the system, including flaw remediation, file integrity monitoring, antivirus, spam protection, etc. |
|
New Control Family Defined in NIST 800-53 Rev 5 FedRAMP Moderate Baseline |
|
|
SR Supply Chain Risk Management |
Supply chain risk management plan documenting all the planned execution of these security requirements. |
What is the FedRAMP Moderate Assessment Process?
When you opt for an assessment at the Moderate Baseline, the assessment is typically broken out into two stages.
Stage 1
First, you’ll conduct planning and preparation activities, working alongside your 3PAO to complete the Security Assessment Plan (SAP) that will:
- Document the scope of manual controls testing and penetration testing (including a review of the );
- Identify the controls to be assessed; and
- Detail the sampling methodology to be used by the 3PAO during the assessment.
Stage 2
After that, the bulk of testing activities will begin, and the results of this testing will ultimately result in the Security Assessment Report (SAR). At a minimum, Stage 2 assessment activities include:
- Execution of the penetration test
- Interviews of CSO control implementation and system owners
- Inspection of evidence provided and observations of controls in place
- Analysis and vulnerability scans and related reporting
How to Prepare for a FedRAMP Moderate Assessment
So how to get through this? One primary key to success will be your preparation and planning, especially now, given the entirely new control family and other added requirements—the additions will mean more resources and effort need to be directed towards developing a detailed SSP and ensuring new controls are accurately implemented throughout your system environment.
Some big hurdles to pay particular attention to during this initial preparation include:
- Cryptography
- Focus especially on the implementation of FIPS 140-2 validated cryptographic modules throughout your system environment for protection of all data-at-rest and data-in-transit, as well as in multi-factor authenticators.
- During your assessment, your 3PAO will need to verify the active status and FIPS enabled mode of operation for each of the offering’s cryptographic modules—if there are any issues identified during this process, it could be a showstopper for your assessment.
- System Scanning
- Keep in mind that, for the Moderate Assessment, your requisite monthly scans must be performed in an authenticated manner for all components within the CSO’s Authorization Boundary to include infrastructure/OS, database, web application, and container vulnerability and compliance baseline scans.
- Any open vulnerabilities identified that remain open at the end of the assessment period must be reported within the SAR.
- CM-6 Configuration Settings
- Revision 5 also adds the new FedRAMP requirement for CSPs to use DoD Security Technical Implementation Guides (STIGs) to establish baseline configuration settings for systems classified at the Moderate Impact Level (previously this was only a requirement for the FedRAMP High baseline).
(For more information on some other common pitfalls to avoid during your assessment, click here.)
To minimize these potential gaps in your security plan and address any other issues early, ensure everyone’s on the same page from the beginning as you develop your relevant systems to satisfy the requirements of the FedRAMP Moderate Assessment.
The sooner you can begin bringing your CSO up to standard, together with the supporting documentation, the better, but you may find you need some outside help in this—if so, check out our article on FedRAMP consultants here.
Setting Clear Expectations for Your FedRAMP Process
You can expect the FedRAMP Moderate Assessment to be an extensive process, and you should prepare your personnel for their participation. Should your 3PAO discover any discrepancies or missed implementation during their examination of the above, they’ll both report them to you and develop a Risk Exposure Table that will ultimately support the SAR that will also detail your 3PAO’s findings and their recommendation for your CSO’s FedRAMP Authorization.
You’ll use all this information to create a Plan of Action and Milestones (POA&M) outlining your strategy for addressing said findings, and once that’s complete, the SAR and supporting documents will be submitted via the two authorization options you will have already determined:
- You have already secured agency sponsorship ahead of your assessment to support the process of seeking Authority to Operate (ATO).
- You may pursue a Provisional Authority to Operate (P-ATO) through the FedRAMP Joint Authorization Board (JAB) once you’ve been selected via the FedRAMP Connect process.
Now that you understand more about what to expect from a FedRAMP Moderate Assessment, you can move forward knowing more about what you need to address within your environment. And, should you have any further questions about the complexities of this federal compliance program or our role as a 3PAO, please feel free to contact us.
About Charles Turnbow
Charles Turnbow is a Senior Associate at Schellman. He previously served in the military as an intelligence officer before entering the civilian workforce as a strategic aerospace, intelligence, and security consultant supporting global operations within the Intelligence Community. Now at Schellman, Charles is focused on providing federal assessments.