Complete FedRAMP Advisory
Objective: Assess the current status of the FedRAMP program and control capabilities, identify all material gaps in the system boundary and provide a roadmap for moving forward
Buyer Requirements
- Seeking a FedRAMP advisory with proven effectiveness in achieving P-ATO, Agency ATO, and FedRAMP Tailored authorizations
- Generally familiar with FedRAMP and committed to achieving FedRAMP authorization
Deliverables
- Issues with the proposed system boundary and out-of-boundary services
- Rating of alignment with respect to FedRAMP CSFs
Objective: Guide and support IT engineering efforts to remediate FedRAMP gaps and prepare a complete FedRAMP documentation package that meets all PMO, Agency and 3PAO requirements
Buyer Requirements
- Already know their gaps (e.g., “what” is missing) but need help figuring out the best solutions (e.g., “how” to address the requirements)
- Need a SME resource available for “as needed” consultation
Deliverables
- Detailed control implementation descriptions (for SSP) for controls that are newly implemented
- Complete FedRAMP package ready for review by AO and 3PAO assessor
Objective: Perform a final validation of FedRAMP documentation and controls to identify and fix problems before the official 3PAO assessment begins
Buyer Requirements
- Have implemented all controls and processes, especially the critical controls
- Have prepared a complete set of all required documentation
- Would like external validation before starting a 3PAO assessment
Deliverables
- List of documentation gaps, control gaps and recommendations for priority remediations prior to assessment
Objective: Support CSPs and serve as a liaison between the CSP and 3PAO, managing all interactions and follow-up communications between the two parties to achieve a positive assessment outcome. Communicate compensating controls and residual risks and advise on effective resolution strategies for identified gaps to expedite completion.
Buyer Requirements
- “Ready to go” for a formal 3PAO assessment but seeking an experienced advisory to facilitate smooth interactions throughout the assessment and a more successful assessment outcome
Deliverables
- Team roles, responsibilities and readiness checklist for 3PAO interaction
Objective: Coordinate periodic activities, including spot checks, to ensure controls operate as required for FedRAMP continuous monitoring
Buyer Requirements
- Seeking guidance and support for establishing schedules, processes and procedures that protect and maintain FedRAMP authorization status
- Values having an external expert perform spot checks of controls that address FedRAMP continuous monitoring requirements
Deliverables
- Schedule of activities to be performed weekly, monthly, quarterly, etc.
- Periodic continuous monitoring procedures
Objective: Manage resolution of new vulnerabilities and weaknesses, and compile the reports that must be submitted monthly for review by authorizing officials
Buyer Requirements
- Seeking an expert to establish schedules, processes and procedures that protect and maintain FedRAMP authorization status
- Need an external expert to perform spot checks of controls that address FedRAMP continuous monitoring requirements
Deliverables
- Monthly submissions to Authorizing Official
- Updated POA&M, SSP, Plans, and other documents
Complete FedRAMP Advisory - Prepare - Plan
Objective and Buyer Requirements
- Seeks a FedRAMP advisory with proven effectiveness in achieving P-ATO, Agency ATO, and FedRAMP Tailored authorizations
- Familiar with FedRAMP and committed to achieving FedRAMP authorization but need answers to detailed questions
- Will be ready within 3-4 weeks to begin addressing gaps (either through internal teams or with an advisor)
- Uncertain if FedRAMP is even appropriate and need a cost estimate. Would like a rapid fit/feasibility assessment.
- Seeks an assessment of the current FedRAMP effort and control capabilities that identifies all material gaps in the system boundary and provides a roadmap for moving forward
Deliverables
- Issues with the proposed system boundary and out-of-boundary services
- Rating of alignment with respect to FedRAMP CSFs
- Rating of achievement of key security capabilities
- Listing of control gaps related to key security capabilities
- Rating of overall “readiness” status
- High-level roadmap for moving forward
- Slides for management briefing
- Boundary gaps (including use of non-FedRAMPed external and corporate services)
- Control gaps for all in-scope controls with suggested remediation actions
- Control implementation descriptions (for SSP) for controls that are currently implemented
Complete FedRAMP Advisory - Prepare - Remediate & Document
Objective and Buyer Requirements
- Has already identified gaps (e.g., “what” is missing) but needs help figuring out the best solutions (e.g., “how” to address the requirements)
- Requires an expert resource available for “as needed” consultation
- Needs help implementing controls or preparing required documentation
- Seeking an advisor who is experienced in leveraging the advantages of using pre-authorized platforms and services
- Requires guidance for internal IT engineering efforts to remediate FedRAMP gaps and prepare a complete FedRAMP documentation package that meets all PMO, Agency and 3PAO requirements
Deliverables
- Detailed control implementation descriptions (for SSP) for controls that are newly implemented
- Complete FedRAMP package ready for review by AO and 3PAO assessor
- System Security Plan (system components and boundaries, data flow, system interconnections, and control implementations)
- Configuration Management Plan, Incident Response Plan, Contingency Plan, and other required attachments
- Initial POA&M
- Policies and Procedures
- Continuous Monitoring Plan
Complete FedRAMP Advisory - Assess - Validate
Objective and Buyer Requirements
- Have implemented all controls and processes, especially the critical controls
- Have prepared a complete set of all required documentation
- Would like external validation before starting a 3PAO assessment
- Perform a final validation of FedRAMP documentation and controls to identify and fix problems before the official 3PAO assessment begins
Deliverables
- List of documentation gaps, control gaps and recommendations for priority remediations prior to assessment
Complete FedRAMP Advisory - Assess - Facilitate
Objective and Buyer Requirements
- “Ready to go” for a formal 3PAO assessment but seeking an experienced advisory to facilitate smooth interactions throughout the assessment and a more successful assessment outcome
- Values an expert who is well versed in pre-authorized platforms with inherited controls
- Values having an experienced expert to quarterback meetings and advise on follow-up
- Serve as a liaison between the CSP and 3PAO, managing all interactions and follow-up communications between the two parties to achieve a positive assessment outcome
Deliverables
- Team roles, responsibilities and readiness checklist for 3PAO interaction
- Request list mapping of 3PAO requests to actual artifacts provided
- Minutes of meetings and discussions with 3PAO
Complete FedRAMP Advisory - Pass - Respond And Resolve
Objective and Buyer Requirements
- Values an experienced advisory who can effectively communicate and respond to risks and issues that arise during the 3PAO assessment
- Seeking an expert partner who can detect concerns earlier and point to compensating policies, controls or procedures to successfully resolve issues and keep the assessment moving forward
- Support CSP in effectively communicating compensating controls and residual risks and advise on effective resolution strategies for identified gaps to expedite completion
Deliverables
- Email responses to 3PAO questions
- Documented closure for questions and issues raised by 3PAO
- Updated POA&M to account for any newly identified issues
Complete FedRAMP Advisory - Maintain - Monitor
Objective and Buyer Requirements
- Seeking guidance and support for establishing schedules, processes and procedures that protect and maintain FedRAMP authorization status
- Values having an external expert perform spot checks of controls that address FedRAMP continuous monitoring requirements
- Coordinate periodic activities, including spot checks, to ensure controls operate as required for FedRAMP continuous monitoring
Deliverables
- Schedule of activities to be performed weekly, monthly, quarterly, etc.
- Periodic continuous monitoring procedures
- Control selection worksheets for annual testing
Complete FedRAMP Advisory - Maintain - Report
Objective and Buyer Requirements
- Seeking an expert to establish schedules, processes and procedures that protect and maintain FedRAMP authorization status
- Need an external expert to perform spot checks of controls that address FedRAMP continuous monitoring requirements
- Needs assistance in compiling required reports and change forms
- Manage resolution of new vulnerabilities and weaknesses, and compile the reports that must be submitted monthly for review by authorizing officials
Deliverables
- Monthly submissions to Authorizing Official
- Updated POA&M, SSP, Plans, and other documents
- Significant change forms
Complete FedRAMP Advisory - Manage - Management
Objective and Buyer Requirements
- Needs an effective expert who can quarterback the FedRAMP initiative from start to finish
- Seeking an advisor who can work with existing resources or bring together proven external resources and technologies to drive a FedRAMP outcome with certainty
- Wants a FedRAMP project leader that translates the use of FedRAMP authorized platforms into faster results
- End-to-End project management for FedRAMP readiness activities including the implementation of an effective system of controls to quickly and effectively attain FedRAMP ATO or P-ATO
Deliverables
- Current project plan
- Periodic status reports with project obstacles
- Leadership briefing slides
- Daily/weekly project calls
- Daily/weekly action item and blocker emails