Cloud 101CircleEventsBlog
Register for CSA’s free Virtual Cloud Trust Summit to tackle enterprise challenges in cloud assurance.

3 Aspects of the FedRAMP Assessment Process: What Do You Need to Provide?

3 Aspects of the FedRAMP Assessment Process: What Do You Need to Provide?

Blog Article Published: 01/12/2023

Originally published by Schellman.

Written by Andy Rogers, Schellman.

Ever watched a personal trainer conduct a workout on social media? Throwing up weights like they’re nothing or repping for what seems like hours before a water break—they make it look so easy. So much so that many people watching leap up to join them, only to realize that, no it’s not that easy, and these trainers operate at the level they do thanks to their dedication and massive, invested effort.

Cloud Service Providers similarly jump up to join the FedRAMP bandwagon—Authority to Operate (ATO) means getting to do business with the United States federal government. But as providers of a wide array of cybersecurity assessment services—including FedRAMP—we can attest to the fact that FedRAMP assessments are one of the most difficult “workouts” in the current compliance “gym.”

It may “look” easy but it’s really not. And we don’t want you to get started on this journey and exhaust yourself too early, so in this article, we’ll delve into the effort involved in getting through a FedRAMP assessment.

With this insight and depth of understanding, you’ll be able to better prepare your internal team and ensure things go as smoothly as possible with minimal hang-ups along the way.

How to Prepare for the FedRAMP Process

So, if you’ve never taken on FedRAMP before, you’re looking at a significant investment between:

  • Your (Third-Party Assessment Organization) 3PAO assessment;
  • Building, maintaining, and securing your environment; and
  • Annually completing continuous monitoring assessments.

That’s why the best advice we can give is to engage a FedRAMP advisor early on. Even if your environment has already been built, having an advisor will make your journey to FedRAMP authorization an easier one, as they’ll use their expertise to guide you forward more precisely.

No matter what you do, the FedRAMP journey is resource-intensive and not an easy lift internally. FedRAMP assessments will require the effort of individuals at all levels of your organization in 3 different ways.

As we get into the weeds of the assessment journey, we should disclose that the information below makes a few presumptions—we’re assuming that you already have a sponsoring agency and have picked out a 3PAO or at least know where to find one in the case that you embark on your FedRAMP journey.

1. FedRAMP Interviews: Who’s Involved

Having said that, we’re now going to get into a big part of every FedRAMP assessment—the interview phase, which touches on the 20 different control families and their own unique requirements. Below is a breakdown of these families that are covered in the manual testing process, as well as who among your personnel will be needed to answer to the controls during the process:

NOTE: NIST 800-53 Rev 5 changes are referenced in the notes of each family with a **

Control Family

Control Family Description & Personnel Involved


Security Assessment

  • Deals with the sponsoring Authorizing Official (AO), the independence of your assessor, and whether you have conducted a penetration test.
  • Also covers the continuous monitoring of the environment’s security posture, Plan of Actions and Milestones (POA&M), and overall program monitoring.
Personnel generally involved: Information System Security Managers (ISSM), Information System Security Officer (ISSO)


Access Control

  • Covers administrative and technical controls, e.g., bringing personnel on and going through the administrative process of assigning their corresponding privileges.
  • Also deals with ensuring internal hosts have the appropriate limited access to other hosts.

Personnel generally involved: ISSM, ISSO, Security Engineers (SE), Security Administrator (SA), and IT/Systems Admins (ITA)


Security Awareness Training

  • Covers security awareness program content, tracking, and retention.

Personnel generally involved: ISSO, ISSM


Audit and Accountability

  • Analyzes the Security Information and Event Manager (SIEM), log content, log management, alerting, and monitoring.

Personnel generally involved: ISSM, ISSO, SA


Configuration Management

  • Reviews baseline management, change management control process, inventory, baseline scanning, and Configuration Management Plan (CMP)

Personnel generally involved: Members of the Change Advisory Board (CAB)


Contingency Planning

  • Addresses data and environment backup, recovery, availability, and your Contingency Plan

Personnel generally involved: ISSM, ISSO, Contingency Planning (CP) Team


Identification and Authorization

  • Evaluates means of identifying and verifying personnel through usernames, passwords, Common Access Card (CAC), Multi-Factor Authentication (MFA) tokens, MFA mobile apps, etc.

Personnel generally involved: ISSM, ISSO, Physical Security, Administrative Management


Incident Response

  • Examines how incidents are found, investigated, reported, and tracked.

Personnel generally involved: ISSM, ISSO, IR Team



  • Deals with how maintenance is managed, tracked, and logged, as well as how systems are maintained. (Generally inherited unless you are managing equipment for your boundary in a data center.)

Personnel generally involved: ISSM, ISSO, Data Center Management


Media Protection

  • Addresses how media is managed, stored, tracked, and protected. (Also generally inherited.)

Personnel generally involved: ISSM, ISSO, Data Center Management


Physical and Environmental Security

  • Reviews how the data center is protected, how those personnel are managed, tracked, and monitored, and what access controls into the datacenter are in place. (Also generally inherited.)

Personnel generally involved: ISSM, ISSO, Data Center Management


Security Planning

  • Focuses on how well you have documented your environment and the design diagrams. (Leverages the System Security Plan (SSP) heavily.)

Personnel generally involved: ISSM, ISSO


Personnel Security

  • Evaluates the hiring, firing, sanctioning, and background checking of personnel.

Personnel generally involved: Administrative management and legal team


Risk Assessments

  • Examines OS and Infrastructure scans—A.K.A. vulnerability scans—database scans, web application scans, and container scans.

** NOTE: Revision 5 Includes threat hunting capabilities including monitoring, detection, tracking, and threat disruption.

Personnel generally involved: ISSM, ISSO, vulnerability management team, ** Threat Hunting Team


System and Services Acquisition

  • Addresses vendor management, external system interconnections, third-party risk, and supply chain management.

Personnel generally involved: ISSM, ISSO


System and Communications Protection

  • Covers security of external/internal data-in-transit, data-at-rest, internal/external encryption, Public Key Infrastructure (PKI), bastion hosts, Virtual Private Networks (VPNs), firewalls, and other boundary protection.

** NOTE: Rev 5 will introduce new privacy requirements SC-7(24)

Personnel generally involved: ISSM, ISSO, SE, SA, ITA, ** Privacy Team


Systems and Information Integrity

  • Deals primarily with the verification of the functionality and security of the system, including bug or flaw remediation, file integrity monitoring, antivirus, spam protection, system/security functionality verification, error handling, and software whitelisting.

** NOTE: Rev 5 will introduce new privacy requirements SI-18 and SI-19

Personnel generally involved: ISSM, ISSO, SE, SA, ITA, **Privacy Team


Supply Chain Risk Management

  • New with Rev 5
  • Focused on the third-party supply chain procurement of purchased services, contractors, and equipment—supply chain control process, verification, monitoring, and decommissioning.
  • You must now have a supply chain risk management plan that will document all the planned execution of these requirements.

** NOTE: These controls are not currently being assessed by 3PAOs so the below is hypothetically who would be involved.

Personnel possibly involved: ISSM, ISSO, CAB


Personally Identifiable Information Processing and Transparency

  • New with Rev 5
  • Covers privacy when collecting, storing, handling, processing, notifying of use of, and destroying (when no longer needed) personnel’s Personally Identifiable Information (PII).

** NOTE: These controls are not currently being assessed by 3PAOs so the below is hypothetically who would be involved.

Personnel possibly involved: ISSM, ISSO, SE, SA, ITA, **Privacy Team


Program Management

  • New with Rev 5
  • Examines the overall security program and how it works together overall to create metrics.
  • Much of this will be covered by your SSP, but there’s an additional requirement in the Critical Infrastructure Plan.

** NOTE: These controls are not currently being assessed by 3PAOs so the below is hypothetically who would be involved.

Personnel possibly involved: ISSM, ISSO

As you now understand, the interview process of a FedRAMP assessment is no small task to complete—usually, it takes about four 8-to-10 hour days to complete this phase and often includes the real-time collection of audit evidence by your 3PAO.

2. FedRAMP Evidence: What Scans to Provide

Even with all that said, the greatest effort in the entire FedRAMP manual controls process is usually made when creating an accurate inventory of your environment and authenticated scans for each of the applicable scan categories:

Avoid a pitfall here by providing copies of the authenticated (credentialed) and accurate (100% of the environment) initial scans (scan of record) and remediation scans for each type of scan listed above as soon as possible. (The exception is compliance scans—you only need scans of record for those.)

3. FedRAMP Penetration Test

In addition to interviews and evidence collection, there’s an additional aspect to your FedRAMP assessment—the required independent penetration test, which usually occurs in tandem with the aforementioned manual controls testing.

You and your team will need to engage and work with your 3PAO penetration testers who will perform the FedRAMP-required penetration test that includes up to six pre-defined attack vectors. For more details on the penetration test, check our breakdown of FedRAMP’s new pen test guidance.

Moving Forward with Your FedRAMP Assessment

Organizations are all built differently, but on a general level, you can expect your FedRAMP assessment to involve a combination of the following personnel:

  • Security team;
  • IT staff;
  • Legal team;
  • Administrative staff;
  • IR team;
  • CP team; and
  • **Privacy Team

Along with these interviews, you’ll need to do extensive vulnerability management with different types of scans and penetration testing. Bottom line, there’s significant time, effort, cost, and energy that you’ll need to invest if you want to get FedRAMP ATO.

To further support your preparation for this intense “workout,” read our other content that can provide more insight and make your experience that much easier:

Share this content on your favorite social network today!