3 Aspects of the FedRAMP Assessment Process: What Do You Need to Provide?
Published 01/12/2023
Originally published by Schellman.
Written by Andy Rogers, Schellman.
Ever watched a personal trainer conduct a workout on social media? Throwing up weights like they’re nothing or repping for what seems like hours before a water break—they make it look so easy. So much so that many people watching leap up to join them, only to realize that, no it’s not that easy, and these trainers operate at the level they do thanks to their dedication and massive, invested effort.
Cloud Service Providers similarly jump up to join the FedRAMP bandwagon—Authority to Operate (ATO) means getting to do business with the United States federal government. But as providers of a wide array of cybersecurity assessment services—including FedRAMP—we can attest to the fact that FedRAMP assessments are one of the most difficult “workouts” in the current compliance “gym.”
It may “look” easy but it’s really not. And we don’t want you to get started on this journey and exhaust yourself too early, so in this article, we’ll delve into the effort involved in getting through a FedRAMP assessment.
With this insight and depth of understanding, you’ll be able to better prepare your internal team and ensure things go as smoothly as possible with minimal hang-ups along the way.
How to Prepare for the FedRAMP Process
So, if you’ve never taken on FedRAMP before, you’re looking at a significant investment between:
- Your (Third-Party Assessment Organization) 3PAO assessment;
- Building, maintaining, and securing your environment; and
- Annually completing continuous monitoring assessments.
That’s why the best advice we can give is to engage a FedRAMP advisor early on. Even if your environment has already been built, having an advisor will make your journey to FedRAMP authorization an easier one, as they’ll use their expertise to guide you forward more precisely.
No matter what you do, the FedRAMP journey is resource-intensive and not an easy lift internally. FedRAMP assessments will require the effort of individuals at all levels of your organization in 3 different ways.
As we get into the weeds of the assessment journey, we should disclose that the information below makes a few presumptions—we’re assuming that you already have a sponsoring agency and have picked out a 3PAO or at least know where to find one in the case that you embark on your FedRAMP journey.
1. FedRAMP Interviews: Who’s Involved
Having said that, we’re now going to get into a big part of every FedRAMP assessment—the interview phase, which touches on the 20 different control families and their own unique requirements. Below is a breakdown of these families that are covered in the manual testing process, as well as who among your personnel will be needed to answer to the controls during the process:
NOTE: NIST 800-53 Rev 5 changes are referenced in the notes of each family with a **
Control Family Description & Personnel Involved | |
CA Security Assessment |
|
AC Access Control
|
Personnel generally involved: ISSM, ISSO, Security Engineers (SE), Security Administrator (SA), and IT/Systems Admins (ITA) |
AT Security Awareness Training |
Personnel generally involved: ISSO, ISSM |
AU Audit and Accountability |
Personnel generally involved: ISSM, ISSO, SA |
CM Configuration Management |
Personnel generally involved: Members of the Change Advisory Board (CAB) |
CP Contingency Planning |
Personnel generally involved: ISSM, ISSO, Contingency Planning (CP) Team |
IA Identification and Authorization |
Personnel generally involved: ISSM, ISSO, Physical Security, Administrative Management |
IR Incident Response |
Personnel generally involved: ISSM, ISSO, IR Team |
MA Maintenance |
Personnel generally involved: ISSM, ISSO, Data Center Management |
MP Media Protection |
Personnel generally involved: ISSM, ISSO, Data Center Management |
PE Physical and Environmental Security |
Personnel generally involved: ISSM, ISSO, Data Center Management |
PL Security Planning |
Personnel generally involved: ISSM, ISSO |
PS Personnel Security |
Personnel generally involved: Administrative management and legal team |
RA Risk Assessments |
** NOTE: Revision 5 Includes threat hunting capabilities including monitoring, detection, tracking, and threat disruption. Personnel generally involved: ISSM, ISSO, vulnerability management team, ** Threat Hunting Team |
SA System and Services Acquisition |
Personnel generally involved: ISSM, ISSO |
SC System and Communications Protection |
** NOTE: Rev 5 will introduce new privacy requirements SC-7(24) Personnel generally involved: ISSM, ISSO, SE, SA, ITA, ** Privacy Team |
SI Systems and Information Integrity |
** NOTE: Rev 5 will introduce new privacy requirements SI-18 and SI-19 Personnel generally involved: ISSM, ISSO, SE, SA, ITA, **Privacy Team |
SR Supply Chain Risk Management |
** NOTE: These controls are not currently being assessed by 3PAOs so the below is hypothetically who would be involved. Personnel possibly involved: ISSM, ISSO, CAB |
PT Personally Identifiable Information Processing and Transparency |
** NOTE: These controls are not currently being assessed by 3PAOs so the below is hypothetically who would be involved. Personnel possibly involved: ISSM, ISSO, SE, SA, ITA, **Privacy Team |
PM Program Management |
** NOTE: These controls are not currently being assessed by 3PAOs so the below is hypothetically who would be involved. Personnel possibly involved: ISSM, ISSO |
As you now understand, the interview process of a FedRAMP assessment is no small task to complete—usually, it takes about four 8-to-10 hour days to complete this phase and often includes the real-time collection of audit evidence by your 3PAO.
2. FedRAMP Evidence: What Scans to Provide
Even with all that said, the greatest effort in the entire FedRAMP manual controls process is usually made when creating an accurate inventory of your environment and authenticated scans for each of the applicable scan categories:
- Infrastructure scans
- Web application scans
- Database scans
- Container scans
- Compliance scans
Avoid a pitfall here by providing copies of the authenticated (credentialed) and accurate (100% of the environment) initial scans (scan of record) and remediation scans for each type of scan listed above as soon as possible. (The exception is compliance scans—you only need scans of record for those.)
3. FedRAMP Penetration Test
In addition to interviews and evidence collection, there’s an additional aspect to your FedRAMP assessment—the required independent penetration test, which usually occurs in tandem with the aforementioned manual controls testing.
You and your team will need to engage and work with your 3PAO penetration testers who will perform the FedRAMP-required penetration test that includes up to six pre-defined attack vectors. For more details on the penetration test, check our breakdown of FedRAMP’s new pen test guidance.
Moving Forward with Your FedRAMP Assessment
Organizations are all built differently, but on a general level, you can expect your FedRAMP assessment to involve a combination of the following personnel:
- Security team;
- IT staff;
- Legal team;
- Administrative staff;
- IR team;
- CP team; and
- **Privacy Team
Along with these interviews, you’ll need to do extensive vulnerability management with different types of scans and penetration testing. Bottom line, there’s significant time, effort, cost, and energy that you’ll need to invest if you want to get FedRAMP ATO.
To further support your preparation for this intense “workout,” read our other content that can provide more insight and make your experience that much easier:
Related Articles:
How Cloud-Native Architectures Reshape Security: SOC2 and Secrets Management
Published: 11/22/2024
It’s Time to Split the CISO Role if We Are to Save It
Published: 11/22/2024
Establishing an Always-Ready State with Continuous Controls Monitoring
Published: 11/21/2024
5 Big Cybersecurity Laws You Need to Know About Ahead of 2025
Published: 11/20/2024