What are Schellman’s FedRAMP Capabilities?
Do you enjoy pizza? Maybe you prefer it plain with cheese, or maybe you need that pepperoni spike of flavor. Perhaps you’re more adventurous and order ham and pineapple—some folks even like it with SPAM.
Schellman’s suite of services is a bit like pizza toppings—you can choose from SOC, ISO, PCI, HITRUST, NIST, CMMC, and various privacy initiatives among our other services. If you’re a cloud service provider (CSP) seeking FedRAMP Authority to Operate (ATO), you’ve already decided on your “topping” of choice. Now you’re wondering if Schellman is the right compliance firm to make“the pizza” for you.
That’s what we’re going to address in this article—what sets Schellman apart from your other Third Party Assessment Organization (3PAO) options? What can we offer you within the FedRAMP Program? After reading this, you’ll know 3 things you can expect of Schellman on your road to ATO.
What is FedRAMP?
For the sake of thoroughness, let’s establish what you need first. FedRAMP was created by the federal government to provide CSPs with a means to provide services to the federal government while reducing the risk taken on by the government.
CSPs can achieve these means by having their security posture, data processing, and data residence assessed by an approved 3PAO.
What Will You Get with Schellman’s Team?
Schellman is one such accredited 3PAO. We were founded back in 2002 as providers of SAS 70 audits—the predecessor to SOC—and have since grown dramatically, adding complementary services over the years. We currently offer clients over 30+ different assessment services, including other federal offerings such as CMMC 2.0, NIST 800-171, NIST 800-53, RMF, FISMA, ITAR, and CJIS assessments.
As the #2 provider of FedRAMP assessment services per the FedRAMP Marketplace, partnering with Schellman presents organizations with a unique opportunity given our ability to deliver multiple compliance assessment services as a single provider. If you were to need multiple compliance assessments or cybersecurity services, we would provide an integrated project team and methodology to streamline achieving the various objectives.
But if it’s just FedRAMP you’re after, that’s okay too—we have a team of highly specialized assessors that actively engages with the FedRAMP Program Management Office (PMO), Defense Information System Agency (DISA), and the CMMC Cyber Accreditation Body (The Cyber AB) regularly as part of our assessment activities and at their request to provide ideas for methodology and program refinement.
You’re also likely wondering about our penetration test team, as that is a required part of the FedRAMP assessment—you can read more about their qualifications here, but at the very least know that they all have their Offensive Security Certified Professional certification and several years of penetration testing and technical experience.
Schellman’s FedRAMP Capabilities
1. We Are Solely Focused on FedRAMP Assessment Services (Type A 3PAO).
One of the most important things to understand going into your search for the right 3PAO is that many firms do offer both assessment and advisory services. Because the process to achieve a FedRAMP ATO is very high stakes, it’s often recommended that organizations engage a consultant to advise them—just know that if you do, you cannot use that same firm to perform your FedRAMP assessment.
Unlike firms that do provide both, Schellman performs assessments exclusively (though we do want to help you to find the right advisory partner). Why is the right partner important?
Because from a technical compliance perspective, FedRAMP is one of the higher bars to meet. As such, you’re going to need experienced IT and security engineers that are familiar with technical compliance—preferably ones that have actual experience with FedRAMP—to either:
- Help ensure that your existing environment can meet FedRAMP requirements; or
- Help you build a new environment that meets FedRAMP requirements.
You might already have this experience internally, but if not, an advisory firm that is accustomed to building infrastructure with a defense-in-depth approach could help you immensely.
But your build-out isn’t the only critical thing in your pursuit of FedRAMP—you do, of course, need to get through an assessment and ensure it’s as thorough as possible to avoid any hiccups with the FedRAMP PMO and/or DISA. In working with Schellman for this phase, you can be sure of two things:
- That our team of qualified assessors will be the absolute best team we have to offer; and
- They will be completely focused on ensuring your FedRAMP assessment more than satisfies the PMO and/or DISA.
2. We Can Handle Any FedRAMP Assessment You Need.
Depending on where you are in your FedRAMP journey and what you need—as well as what approach you’re taking to authorization—you may need different types of assessment(s), and Schellman can help you with a number of those:
Schellman can handle any assessment, no matter the risk category, but what can you expect from each?
3. We’re Nimble with the Ability to Adapt.
If you’re looking for that extra layer of comfort in your 3PAO’s capabilities—or your agency asks you to take the controls being assessed a step further—you might need your 3PAO to be able to pivot to accommodate control overlays. You and your agency may require specific additional requirements that can include privacy, ITAR, or FISMA controls, and that’d be no problem for our team given the depth of our experience and resources.
In other cases, you may also need to have impact level (IL)4 or IL5 controls assessed. Even though these are DoD controls prescribed by DISA, you can have them assessed in tandem with your FedRAMP High or Moderate environment.
Our FedRAMP team is practiced in reviewing the documentation for the legal and privacy ramifications and the relevant controls that come into play here, and—as we mentioned before—we’re very familiar with DISA as well. We feel confident that we can handle any unique assessment details that you may need.
Next Steps for Finding Your 3PAO
Nobody wants to eat a subpar pizza, but it helps when the one you order suits your tastes—or in the case of your FedRAMP 3PAO, your needs. Schellman’s established footprint within the FedRAMP Marketplace does indicate some of our capabilities, but to learn more details about our offerings and how we can help you, please reach out to us so that we can schedule a conversation to discuss a possible partnership.
In the meantime, check out our other content regarding FedRAMP that can help you further prepare for this process:
About Andy Rogers
Andy Rogers is a Senior Associate with Schellman & Company, LLC based in Indianapolis, IN. Prior to joining Schellman & Company, LLC in 2021, Andy Rogers worked as a Cyber Security Consultant, for a Government Aeronautics company specializing in UAVs, Satellites, and FedRAMP audits. Andy Rogers has over 17 years of experience comprised of serving clients in various industries, including health insurance, nuclear energy production, government contracting, IT services, and tactical aircraft manufacturing. Andy Rogers is now focused primarily on FedRAMP, assessing for organizations across various industries.