
The FedRAMP Assessment Process: What Do You Need to Provide?

FedRAMP

Ever watched a personal trainer conduct a workout on social media? Throwing up weights like they’re nothing or repping for what seems like hours before a water break—they make it look so easy. So much so that many people watching leap up to join them, only to realize that, no, it’s not that easy, and these trainers operate at the level they do thanks to their dedication and massive, invested effort.

Cloud Service Providers similarly jump up to join the FedRAMP bandwagon—Authority to Operate (ATO) means getting to do business with the United States federal government. But as providers of a wide array of cybersecurity assessment services—including FedRAMP—we can attest to the fact that FedRAMP assessments are one of the most difficult “workouts” in the current compliance “gym.”

It may “look” easy but it’s really not. And we don’t want you to get started on this journey and exhaust yourself too early, so in this article, we’ll delve into the effort involved in getting through a FedRAMP assessment.

With this insight and depth of understanding, you’ll be able to better prepare your internal team and ensure things go as smoothly as possible with minimal hang-ups along the way.

How to Prepare for the FedRAMP Process

So, if you’ve never taken on FedRAMP before, you’re looking at a significant investment between:

  • Your Third-Party Assessment Organization (3PAO) assessment;
  • Building, maintaining, and securing your environment; and
  • Annually completing continuous monitoring assessments.

That’s why the best advice we can give is to engage a FedRAMP advisor early on. Even if your environment has already been built, having an advisor will make your journey to FedRAMP authorization an easier one, as they’ll use their expertise to guide you forward more precisely.

No matter what you do, the FedRAMP journey is resource-intensive and not an easy lift internally. FedRAMP assessments will require the effort of individuals at all levels of your organization in 3 different ways.

As we get into the weeds of the assessment journey, we should disclose that the information below makes a few presumptions—we’re assuming that you already have a sponsoring agency and have picked out a 3PAO or at least know where to find one in the case that you embark on your FedRAMP journey.

1. FedRAMP Interviews: Who’s Involved

Having said that, we’re now going to get into a big part of every FedRAMP assessment—the interview phase, which touches on the 20 different control families and their own unique requirements. Below is a breakdown of these families that are covered in the manual testing process, as well as who among your personnel will be needed to answer to the controls during the process:

NOTE: NIST 800-53 Rev 5 changes are referenced in the notes of each family with a **

Control Family / Description & Personnel Involved

CA

Security Assessment

  • Deals with the sponsoring Authorizing Official (AO), the independence of your assessor, and whether you have conducted a penetration test.
  • Also covers the continuous monitoring of the environment’s security posture, Plan of Actions and Milestones (POA&M), and overall program monitoring.

Personnel generally involved: Information System Security Managers (ISSM), Information System Security Officer (ISSO)

AC

Access Control

  • Covers administrative and technical controls, e.g., bringing personnel on and going through the administrative process of assigning their corresponding privileges.
  • Also deals with ensuring internal hosts have the appropriate limited access to other hosts.

Personnel generally involved: ISSM, ISSO, Security Engineers (SE), Security Administrator (SA), and IT/Systems Admins (ITA)

AT

Security Awareness Training

  • Covers security awareness program content, tracking, and retention.

Personnel generally involved: ISSO, ISSM

AU

Audit and Accountability

  • Analyzes the Security Information and Event Manager (SIEM), log content, log management, alerting, and monitoring.

Personnel generally involved: ISSM, ISSO, SA

CM

Configuration Management

  • Reviews baseline management, change management control process, inventory, baseline scanning, and Configuration Management Plan (CMP).

Personnel generally involved: Members of the Change Advisory Board (CAB)

CP

Contingency Planning

  • Addresses data and environment backup, recovery, availability, and your Contingency Plan.

Personnel generally involved: ISSM, ISSO, Contingency Planning (CP) Team

IA

Identification and Authentication

  • Evaluates means of identifying and verifying personnel through usernames, passwords, Common Access Card (CAC), Multi-Factor Authentication (MFA) tokens, MFA mobile apps, etc.

Personnel generally involved: ISSM, ISSO, Physical Security, Administrative Management

IR

Incident Response

  • Examines how incidents are found, investigated, reported, and tracked.

Personnel generally involved: ISSM, ISSO, IR Team

MA

Maintenance

  • Deals with how maintenance is managed, tracked, and logged, as well as how systems are maintained. (Generally inherited unless you are managing equipment for your boundary in a data center.)

Personnel generally involved: ISSM, ISSO, Data Center Management

MP

Media Protection

  • Addresses how media is managed, stored, tracked, and protected. (Also generally inherited.)

Personnel generally involved: ISSM, ISSO, Data Center Management

PE

Physical and Environmental Security

  • Reviews how the data center is protected, how those personnel are managed, tracked, and monitored, and what access controls into the data center are in place. (Also generally inherited.)

Personnel generally involved: ISSM, ISSO, Data Center Management

PL

Security Planning

  • Focuses on how well you have documented your environment and the design diagrams. (Leverages the System Security Plan (SSP) heavily.)

Personnel generally involved: ISSM, ISSO

PS

Personnel Security

  • Evaluates the hiring, firing, sanctioning, and background checking of personnel.

Personnel generally involved: Administrative management and legal team

RA

Risk Assessments

  • Examines OS and Infrastructure scans—A.K.A. vulnerability scans—database scans, web application scans, and container scans.

** NOTE: Rev 5 includes threat hunting capabilities: monitoring, detection, tracking, and threat disruption.

Personnel generally involved: ISSM, ISSO, vulnerability management team, ** Threat Hunting Team

SA

System and Services Acquisition

  • Addresses vendor management, external system interconnections, third-party risk, and supply chain management.

Personnel generally involved: ISSM, ISSO

SC

System and Communications Protection

  • Covers security of external/internal data-in-transit, data-at-rest, internal/external encryption, Public Key Infrastructure (PKI), bastion hosts, Virtual Private Networks (VPNs), firewalls, and other boundary protection.

** NOTE: Rev 5 will introduce a new privacy requirement, SC-7(24).

Personnel generally involved: ISSM, ISSO, SE, SA, ITA, ** Privacy Team

SI

Systems and Information Integrity

  • Deals primarily with the verification of the functionality and security of the system, including bug or flaw remediation, file integrity monitoring, antivirus, spam protection, system/security functionality verification, error handling, and software whitelisting.

** NOTE: Rev 5 will introduce new privacy requirements, SI-18 and SI-19.

Personnel generally involved: ISSM, ISSO, SE, SA, ITA, ** Privacy Team

SR

Supply Chain Risk Management

  • New with Rev 5
  • Focused on the third-party supply chain procurement of purchased services, contractors, and equipment—supply chain control process, verification, monitoring, and decommissioning.
  • You must now have a supply chain risk management plan that documents how each of these requirements will be carried out.

Personnel possibly involved: ISSM, ISSO, CAB

** NOTE: These controls are not currently being assessed by 3PAOs so this is hypothetically who would be involved.

PT

Personally Identifiable Information Processing and Transparency

  • New with Rev 5
  • Covers privacy when collecting, storing, handling, processing, notifying of use of, and destroying (when no longer needed) personnel’s Personally Identifiable Information (PII).

Personnel possibly involved: ISSM, ISSO, SE, SA, ITA, ** Privacy Team

** NOTE: These controls are not currently being assessed by 3PAOs so this is hypothetically who would be involved.

PM

Program Management

  • New with Rev 5
  • Examines the overall security program and how its parts work together to produce metrics.
  • Much of this will be covered by your SSP, but there’s an additional requirement in the Critical Infrastructure Plan.

Personnel possibly involved: ISSM, ISSO

** NOTE: These controls are not currently being assessed by 3PAOs so this is hypothetically who would be involved.

As you now understand, the interview process of a FedRAMP assessment is no small task to complete—usually, it takes about four 8-to-10 hour days to complete this phase and often includes the real-time collection of audit evidence by your 3PAO.

2. FedRAMP Evidence: What Scans to Provide


Even with all that said, the greatest effort in the entire FedRAMP manual controls process is usually made when creating an accurate inventory of your environment and authenticated scans for each of the applicable scan categories:

  • Infrastructure scans
  • Web application scans
  • Database scans
  • Container scans
  • Compliance scans

Avoid a pitfall here by providing, as soon as possible, copies of both the initial scans (the scan of record) and the remediation scans for each type of scan listed above; the scans must be authenticated (credentialed) and accurate, covering 100% of the environment. (The exception is compliance scans—you only need scans of record for those.)
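To catch this pitfall before your 3PAO does, the following added example (not from the article or Schellman) cross-checks a constructed asset inventory against a constructed scan export: every in-scope asset needs a credentialed scan of record in each applicable category, a remediation scan in all categories except compliance, and no scanned host may be missing from the inventory. Asset names, categories and the row format are assumptions for illustration.

```python
# Added example, not from the article: check that the scan evidence you are about to
# hand to the 3PAO is complete. Inventory and scan rows below are constructed sample data.
from collections import defaultdict

# Constructed inventory: asset -> scan categories that apply to it.
INVENTORY = {
    "web-01": {"infrastructure", "web application", "compliance"},
    "db-01": {"infrastructure", "database", "compliance"},
    "k8s-node-01": {"infrastructure", "container", "compliance"},
}
# Constructed scan export rows: (asset, category, phase, authenticated).
SCANS = [
    ("web-01", "infrastructure", "record", True),
    ("web-01", "infrastructure", "remediation", True),
    ("web-01", "web application", "record", False),  # credentials failed on this run
    ("web-01", "web application", "remediation", True),
    ("web-01", "compliance", "record", True),
    ("db-01", "infrastructure", "record", True),
    ("db-01", "infrastructure", "remediation", True),
    ("db-01", "database", "record", True),  # remediation scan not yet run
    ("db-01", "compliance", "record", True),
    ("k8s-node-01", "infrastructure", "record", True),
    ("k8s-node-01", "infrastructure", "remediation", True),
    ("k8s-node-01", "container", "record", True),
    ("k8s-node-01", "container", "remediation", True),
    ("bastion-01", "infrastructure", "record", True),  # host missing from inventory
]
RECORD_ONLY = {"compliance"}  # compliance scans need only a scan of record

def evidence_gaps(inventory, scans):
    """Return sorted (asset, category, problem) tuples a 3PAO would flag."""
    seen = defaultdict(set)  # (asset, category) -> phases that have a scan
    gaps = []
    for asset, category, phase, authenticated in scans:
        if asset not in inventory:  # a scanned unknown host means the inventory is wrong
            gaps.append((asset, category, "scanned asset not in inventory"))
            continue
        seen[(asset, category)].add(phase)
        if not authenticated:  # unauthenticated scans are not accepted as evidence
            gaps.append((asset, category, f"{phase} scan not authenticated"))
    for asset, categories in inventory.items():
        for category in categories:
            required = {"record"} if category in RECORD_ONLY else {"record", "remediation"}
            for phase in sorted(required - seen[(asset, category)]):
                gaps.append((asset, category, f"missing {phase} scan"))
    return sorted(gaps)

def record_coverage(inventory, scans, category):
    in_scope = {a for a, cats in inventory.items() if category in cats}
    covered = {a for a, c, p, _ in scans if c == category and p == "record" and a in in_scope}
    return len(covered) / len(in_scope) if in_scope else 1.0  # FedRAMP expects 1.0
```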

3. FedRAMP Penetration Test


In addition to interviews and evidence collection, there’s an additional aspect to your FedRAMP assessment—the required independent penetration test, which usually occurs in tandem with the aforementioned manual controls testing.

You and your team will need to engage and work with your 3PAO penetration testers who will perform the FedRAMP-required penetration test that includes up to six pre-defined attack vectors. For more details on the penetration test, check our breakdown of FedRAMP’s new pen test guidance.

Moving Forward with Your FedRAMP Assessment

Organizations are all built differently, but on a general level, you can expect your FedRAMP assessment to involve a combination of the following personnel:

  • Security team;
  • IT staff;
  • Legal team;
  • Administrative staff;
  • IR team;
  • CP team; and
  • ** Privacy Team

Along with these interviews, you’ll need to do extensive vulnerability management with different types of scans and penetration testing. Bottom line, there’s significant time, effort, cost, and energy that you’ll need to invest if you want to get FedRAMP ATO.

To further support your preparation for this intense “workout,” read our other content that can provide more insight and make your experience that much easier:

About Andy Rogers

Andy Rogers is a Senior Associate with Schellman based in Indianapolis, IN. Prior to joining Schellman in 2021, Andy Rogers worked as a Cyber Security Consultant for a government aeronautics company specializing in UAVs, satellites, and FedRAMP audits. Andy Rogers has over 17 years of experience comprised of serving clients in various industries, including health insurance, nuclear energy production, government contracting, IT services, and tactical aircraft manufacturing. Andy Rogers is now focused primarily on FedRAMP, assessing for organizations across various industries.