FedRAMP has 17 controls (i.e., the -1 control for each of the 17 control families) addressing policies and procedures. The policies and procedures have to be developed, documented, disseminated to the appropriate organizational personnel or roles, and periodically reviewed and updated. Specifically, policies and procedures need to meet the following criteria:
- Policies and procedures must be documented. Informal, verbal “procedures” are not acceptable for FedRAMP.
- Policies must provide broad level directives, rules, and practices that prescribe how the organization manages and protects information.
- The content of policies must contain at least the following sections: purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance (e.g., specifying an entity to oversee and monitor compliance as well as penalties for non-compliance).
- Procedures must facilitate the implementation of the policies by providing more detailed direction about the steps that personnel must follow to accomplish security-related tasks.
- The content of procedures must also facilitate implementation of the controls that are required per the relevant FedRAMP baseline. That means procedures must define step-by-step guidance for all the tasks required by the FedRAMP controls.
- Together, the policies and procedures must clearly indicate how the CSP has defined each of the organization-defined security control parameters.
- Both policies and procedures must be disseminated to particular personnel or roles, as determined by the organization (and documented in the SSP).
- Policies must be reviewed and updated at least every three years.
- Procedures must be reviewed and updated at least annually.
Usually, policies and procedures that were developed for other compliance frameworks like SOC 2 or ISO 27001 don’t provide sufficient coverage of the FedRAMP requirements. In other words, the existing policies and procedures generally don’t address all of the FedRAMP controls as required. To be acceptable for FedRAMP, the policies and (in particular) procedures from SOC or ISO typically need to be enhanced to address control requirements that are unique to FedRAMP. Enhancing these documents to address all of the security controls for all families in the FedRAMP baseline often entails a significant level of effort.
Fortunately, FedRAMP does not have specific requirements about the format or organizational structure of the policies and procedures. CSPs can aggregate all of the required content into a single document or maintain a series of individual documents. For ease of use, CSPs often organize their policies and procedures according to the families and control references of FedRAMP, but that is not required. Organizations can adopt any organizational scheme that makes sense to them. CSPs that use alternate organization schemes may find it useful to develop a crosswalk or mapping between their policies and procedures and the FedRAMP families and controls. Such mappings can be extremely helpful in ensuring that all aspects of FedRAMP are sufficiently addressed by the policies and procedures, and in providing a useful tool for the 3PAO to use when testing the CSP’s compliance with the -1 controls during a FedRAMP assessment.