Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Register for CSA’s free Virtual Cloud Trust Summit to tackle enterprise challenges in cloud assurance.

3 Aspects of the FedRAMP Assessment Process: What Do You Need to Provide?

Home
Industry Insights
3 Aspects of the FedRAMP Assessment Process: What Do You Need to Provide?

Blog Article Published: 01/12/2023

Originally published by Schellman.

Written by Andy Rogers, Schellman.

Ever watched a personal trainer conduct a workout on social media? Throwing up weights like they’re nothing or repping for what seems like hours before a water break—they make it look so easy. So much so that many people watching leap up to join them, only to realize that, no it’s not that easy, and these trainers operate at the level they do thanks to their dedication and massive, invested effort.

Cloud Service Providers similarly jump up to join the FedRAMP bandwagon—Authority to Operate (ATO) means getting to do business with the United States federal government. But as providers of a wide array of cybersecurity assessment services—including FedRAMP—we can attest to the fact that FedRAMP assessments are one of the most difficult “workouts” in the current compliance “gym.”

It may “look” easy but it’s really not. And we don’t want you to get started on this journey and exhaust yourself too early, so in this article, we’ll delve into the effort involved in getting through a FedRAMP assessment.

With this insight and depth of understanding, you’ll be able to better prepare your internal team and ensure things go as smoothly as possible with minimal hang-ups along the way.

How to Prepare for the FedRAMP Process

So, if you’ve never taken on FedRAMP before, you’re looking at a significant investment between:

  • Your (Third-Party Assessment Organization) 3PAO assessment;
  • Building, maintaining, and securing your environment; and
  • Annually completing continuous monitoring assessments.

That’s why the best advice we can give is to engage a FedRAMP advisor early on. Even if your environment has already been built, having an advisor will make your journey to FedRAMP authorization an easier one, as they’ll use their expertise to guide you forward more precisely.

No matter what you do, the FedRAMP journey is resource-intensive and not an easy lift internally. FedRAMP assessments will require the effort of individuals at all levels of your organization in 3 different ways.

As we get into the weeds of the assessment journey, we should disclose that the information below makes a few presumptions—we’re assuming that you already have a sponsoring agency and have picked out a 3PAO or at least know where to find one in the case that you embark on your FedRAMP journey.

1. FedRAMP Interviews: Who’s Involved

Having said that, we’re now going to get into a big part of every FedRAMP assessment—the interview phase, which touches on the 20 different control families and their own unique requirements. Below is a breakdown of these families that are covered in the manual testing process, as well as who among your personnel will be needed to answer to the controls during the process:

NOTE: NIST 800-53 Rev 5 changes are referenced in the notes of each family with a **

Control Family

Control Family Description & Personnel Involved

CA

Security Assessment
  • Deals with the sponsoring Authorizing Official (AO), the independence of your assessor, and whether you have conducted a penetration test.
  • Also covers the continuous monitoring of the environment’s security posture, Plan of Actions and Milestones (POA&M), and overall program monitoring.
Personnel generally involved: Information System Security Managers (ISSM), Information System Security Officer (ISSO)

AC

Access Control

  • Covers administrative and technical controls, e.g., bringing personnel on and going through the administrative process of assigning their corresponding privileges.
  • Also deals with ensuring internal hosts have the appropriate limited access to other hosts.

Personnel generally involved: ISSM, ISSO, Security Engineers (SE), Security Administrator (SA), and IT/Systems Admins (ITA)

AT

Security Awareness Training
  • Covers security awareness program content, tracking, and retention.

Personnel generally involved: ISSO, ISSM

AU

Audit and Accountability
  • Analyzes the Security Information and Event Manager (SIEM), log content, log management, alerting, and monitoring.

Personnel generally involved: ISSM, ISSO, SA

CM

Configuration Management
  • Reviews baseline management, change management control process, inventory, baseline scanning, and Configuration Management Plan (CMP)

Personnel generally involved: Members of the Change Advisory Board (CAB)

CP

Contingency Planning
  • Addresses data and environment backup, recovery, availability, and your Contingency Plan

Personnel generally involved: ISSM, ISSO, Contingency Planning (CP) Team

IA

Identification and Authorization
  • Evaluates means of identifying and verifying personnel through usernames, passwords, Common Access Card (CAC), Multi-Factor Authentication (MFA) tokens, MFA mobile apps, etc.

Personnel generally involved: ISSM, ISSO, Physical Security, Administrative Management

IR

Incident Response
  • Examines how incidents are found, investigated, reported, and tracked.

Personnel generally involved: ISSM, ISSO, IR Team

MA

Maintenance
  • Deals with how maintenance is managed, tracked, and logged, as well as how systems are maintained. (Generally inherited unless you are managing equipment for your boundary in a data center.)

Personnel generally involved: ISSM, ISSO, Data Center Management

MP

Media Protection
  • Addresses how media is managed, stored, tracked, and protected. (Also generally inherited.)

Personnel generally involved: ISSM, ISSO, Data Center Management

PE

Physical and Environmental Security
  • Reviews how the data center is protected, how those personnel are managed, tracked, and monitored, and what access controls into the datacenter are in place. (Also generally inherited.)

Personnel generally involved: ISSM, ISSO, Data Center Management

PL

Security Planning
  • Focuses on how well you have documented your environment and the design diagrams. (Leverages the System Security Plan (SSP) heavily.)

Personnel generally involved: ISSM, ISSO

PS

Personnel Security
  • Evaluates the hiring, firing, sanctioning, and background checking of personnel.

Personnel generally involved: Administrative management and legal team

RA

Risk Assessments
  • Examines OS and Infrastructure scans—A.K.A. vulnerability scans—database scans, web application scans, and container scans.

** NOTE: Revision 5 Includes threat hunting capabilities including monitoring, detection, tracking, and threat disruption.

Personnel generally involved: ISSM, ISSO, vulnerability management team, ** Threat Hunting Team

SA

System and Services Acquisition
  • Addresses vendor management, external system interconnections, third-party risk, and supply chain management.

Personnel generally involved: ISSM, ISSO

SC

System and Communications Protection
  • Covers security of external/internal data-in-transit, data-at-rest, internal/external encryption, Public Key Infrastructure (PKI), bastion hosts, Virtual Private Networks (VPNs), firewalls, and other boundary protection.

** NOTE: Rev 5 will introduce new privacy requirements SC-7(24)

Personnel generally involved: ISSM, ISSO, SE, SA, ITA, ** Privacy Team

SI

Systems and Information Integrity
  • Deals primarily with the verification of the functionality and security of the system, including bug or flaw remediation, file integrity monitoring, antivirus, spam protection, system/security functionality verification, error handling, and software whitelisting.

** NOTE: Rev 5 will introduce new privacy requirements SI-18 and SI-19

Personnel generally involved: ISSM, ISSO, SE, SA, ITA, **Privacy Team

SR

Supply Chain Risk Management

  • New with Rev 5
  • Focused on the third-party supply chain procurement of purchased services, contractors, and equipment—supply chain control process, verification, monitoring, and decommissioning.
  • You must now have a supply chain risk management plan that will document all the planned execution of these requirements.

** NOTE: These controls are not currently being assessed by 3PAOs so the below is hypothetically who would be involved.

Personnel possibly involved: ISSM, ISSO, CAB

PT

Personally Identifiable Information Processing and Transparency

  • New with Rev 5
  • Covers privacy when collecting, storing, handling, processing, notifying of use of, and destroying (when no longer needed) personnel’s Personally Identifiable Information (PII).

** NOTE: These controls are not currently being assessed by 3PAOs so the below is hypothetically who would be involved.

Personnel possibly involved: ISSM, ISSO, SE, SA, ITA, **Privacy Team

PM

Program Management

  • New with Rev 5
  • Examines the overall security program and how it works together overall to create metrics.
  • Much of this will be covered by your SSP, but there’s an additional requirement in the Critical Infrastructure Plan.

** NOTE: These controls are not currently being assessed by 3PAOs so the below is hypothetically who would be involved.

Personnel possibly involved: ISSM, ISSO

As you now understand, the interview process of a FedRAMP assessment is no small task to complete—usually, it takes about four 8-to-10 hour days to complete this phase and often includes the real-time collection of audit evidence by your 3PAO.

2. FedRAMP Evidence: What Scans to Provide

Even with all that said, the greatest effort in the entire FedRAMP manual controls process is usually made when creating an accurate inventory of your environment and authenticated scans for each of the applicable scan categories:

Avoid a pitfall here by providing copies of the authenticated (credentialed) and accurate (100% of the environment) initial scans (scan of record) and remediation scans for each type of scan listed above as soon as possible. (The exception is compliance scans—you only need scans of record for those.)

3. FedRAMP Penetration Test

In addition to interviews and evidence collection, there’s an additional aspect to your FedRAMP assessment—the required independent penetration test, which usually occurs in tandem with the aforementioned manual controls testing.

You and your team will need to engage and work with your 3PAO penetration testers who will perform the FedRAMP-required penetration test that includes up to six pre-defined attack vectors. For more details on the penetration test, check our breakdown of FedRAMP’s new pen test guidance.

Moving Forward with Your FedRAMP Assessment

Organizations are all built differently, but on a general level, you can expect your FedRAMP assessment to involve a combination of the following personnel:

  • Security team;
  • IT staff;
  • Legal team;
  • Administrative staff;
  • IR team;
  • CP team; and
  • **Privacy Team

Along with these interviews, you’ll need to do extensive vulnerability management with different types of scans and penetration testing. Bottom line, there’s significant time, effort, cost, and energy that you’ll need to invest if you want to get FedRAMP ATO.

To further support your preparation for this intense “workout,” read our other content that can provide more insight and make your experience that much easier:

ComplianceFedRAMP

Share this content on your favorite social network today!

Latest from CSA
AI Summit at RSAC 2024
The State of AI and Security Survey Report
Data Resiliency Survey 2024
Trending This Week
#1 What is the Cloud Controls Matrix (CCM)?
#2 Zero Trust and AI: Better Together
#3 Test Accounts: Another Compliance Risk
#4 AI Safety vs. AI Security: Navigating the Commonality and Differences
#5 Is PQC Broken Already? Implications of the Successful Break of a NIST Finalist
Audit Cloud Providers with Confidence & Enroll in STAR Lead Auditor Training
Related Articles:
How to Set Your Small Privacy Team Up for Success

Published: 04/17/2024

How to Audit Your Outdated Security Processes

Published: 04/16/2024

Cloud Relationships: Getting to Grips With the ‘Vendor of My Vendor’

Published: 04/15/2024

Evaluate the Security of Your Cloud Service Provider with the CSA STAR Registry

Published: 04/13/2024