The Schellman Blog

Schellman is the industry’s #1 FedRAMP Third Party Assessment Organization (3PAO) and has become the first to assess over 200 cloud service offerings on the FedRAMP Marketplace. From over a decade of experience, we’ve accumulated a significant amount of firsthand experience and hard-earned insights into what it actually takes to achieve and maintain federal authorization.

The most experienced Third Party Assessment Organization in the federal cloud security market reaches a program milestone more than a decade in the making

As federal agencies increasingly rely on cloud technologies to support mission-critical operations, ensuring those systems meet consistent security standards is essential. The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach for assessing, authorizing, and continuously monitoring cloud services used by the U.S. government.

As the Department of Defense (DoD) continues to accelerate its Zero Trust strategy, organizations supporting national security missions face increasing expectations for how they secure, monitor, and manage sensitive information.

If you've received a report labeled "Red Team Assessment" and can’t help but notice it reads more like a penetration test report, you're not alone. We've seen this pattern repeatedly. Organizations invest in what they believe is a Red Team engagement, only to receive a penetration test with a different label. This deception can be more damaging than helpful as it is fundamental to your security posture that you understand the depth of assessment your organization actually received.

FedRAMP 20x is progressing quickly, with phase 2 just around the corner. Designed to modernize and streamline the authorization process, FedRAMP 20x is reshaping how cloud service providers (CSPs) achieve and maintain authorization to operate (ATO) in the federal marketplace.

Since the beginning of 2024, FedRAMP Revision 5 has mandated that organizations not only perform traditional penetration tests, but also undergo comprehensive red team engagements. This new requirement reflects a broader emphasis on assessing not just technical vulnerabilities, but also the effectiveness of an organization’s overall security posture, including it’s response to sophisticated and realistic threats. Over the past year, we’ve conducted many red team exercises, each tailored to different organizational environments and threat landscapes. These engagements have varied significantly in scope and complexity, offering us a wealth of insights into both our successes and the challenges we’ve faced.

If you develop or sell commercial-off-the-shelf (COTS) technology that ends up in Department of Defense (DoD) environments, there’s a new bar you have to clear. Katie Arrington, the acting DoD CIO has issued a new memo that directly impacts how you manage your software supply chain, and it’s going to change how COTS vendors prepare for procurement.