By Connor Payne Inherited controls from a cloud service provider such as Amazon Web Services (AWS) or Microsoft Azure include physical and environmental controls that a customer fully inherits from the provider. In general terms, shared responsibility means that the cloud service provider is responsible for the security of the cloud while the customer is [...]
By Greg Kent, Senior Vice President, CTO FedRAMP has control baselines for low, moderate, and high impact systems. The appropriate baseline, and therefore the particular control requirements that apply, depend on the system impact level or categorization. The FedRAMP impact level or categorization of a system is determined by formal process defined by FIPS Publication [...]
By Greg Kent Fall will be here before you know it, so now is a good time for DoD contractors to review their business development and contract strategy for the coming year. With CMMC being required for bidding on new contracts towards the end of 2020, there are big changes on the horizon. Once the [...]
Compliance with the Cybersecurity Maturity Model Certification (CMMC) program requires DoD contractors to undergo cybersecurity audit and certification, beginning in 2020/2021. Based on NIST 800-171 controls, the CMMC will be a single standard for all DoD contracts. Previous regulations for DoD contractors handling controlled unclassified information (CUI) allowed for self-certification of compliance with appropriate NIST 800-171 [...]
By Jamie Graf CSPs providing Low-Impact Software-as-a-Service (LI-SaaS) products can take advantage of a FedRAMP Tailored authorization for a streamlined approach to compliance. The FedRAMP Tailored authorization is for low-risk applications such as collaboration tools, project management applications, and tools that help develop open-source code. FedRAMP Tailored was designed to make low-risk applications available to [...]
By David Trout In a recent report published by the GAO, it was found that “from June 2017 to July 2019, the number of authorizations granted through FedRAMP by the 24 agencies increased from 390 to 926, a 137 percent increase.” Although it was found that some agencies did not consistently use FedRAMP-authorized cloud services, the data [...]
Compliance with the Cybersecurity Maturity Model Certification (CMMC) program requires DoD contractors to undergo cybersecurity audit and certification, beginning mid 2020. CMMC will be a single standard for all DoD contracts that considers the security control and the institutionalization of cyber processes across a contractor's enterprise assets including development environments for mission systems. Previous regulations [...]
By Corey Clements “The Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.” FedRAMP could be described as an assessment. Therefore, a pre-assessment before the assessment might be considered redundant and unnecessary. But the reality [...]
By Corey Clements In my recent post, “Look before You Leap: The Value of FedRAMP Pre-Assessment,” I compared earning FedRAMP authorization to climbing Mt. Everest. Both require the assistance of an experienced guide, in addition to independent preparation. While I enjoy hiking, I’ve never attempted to summit Mt. Everest. (The 2015 film by Icelandic director [...]
By Jamie Graf What is a RAR? A FedRAMP Readiness Assessment Report (RAR) demonstrates a cloud service provider’s (CSP) capability to meet FedRAMP security requirements, and that they are ready to begin the FedRAMP authorization process. The RAR describes the CSP’s security and organizational processes, focusing on key capabilities rather than documentation. It is designed [...]
