Complete FedRAMP Advisory – Plan

  • Seeking a FedRAMP advisor with a proven track record of achieving P-ATO, Agency ATO, and FedRAMP Tailored authorizations
  • Generally familiar with FedRAMP and committed to achieving FedRAMP authorization
  • Will be ready within 3-4 weeks to begin addressing gaps (either through internal teams or with an advisor)
  • Uncertain whether FedRAMP is even appropriate and need a cost estimate? Buy our Quick-Assess service instead.
  • Assess the current status of the FedRAMP program and control capabilities, identify all material gaps within the system boundary, and provide a roadmap for moving forward
  • Issues with the proposed system boundary and out-of-boundary services
  • Rating of alignment with respect to FedRAMP CSFs
  • Rating of achievement of key security capabilities
  • Listing of control gaps related to key security capabilities
  • Rating of overall “readiness” status
  • High-level roadmap for moving forward
  • Slides for management briefing
  • Boundary gaps (including use of external and corporate services that are not FedRAMP authorized)
  • Control gaps for all in-scope controls, with suggested remediation actions
  • Control implementation descriptions (for the System Security Plan, SSP) for controls that are currently implemented
  • Perform interviews of system SMEs, review system documentation, and (as needed for clarity) inspect other system information
  • Review the current state of the FedRAMP program and target dates
  • Assess the make-up and knowledge of the FedRAMP project team (e.g., familiarity with the NIST SP 800-53 controls)
  • Assess the proposed system boundary and use of out-of-boundary services
  • Understand government clients and the potential authorization path
  • Explore leveraging a FedRAMP-authorized PaaS/IaaS
  • Assess against the FedRAMP critical success factors (CSFs)
  • Assess the system’s capabilities against the critical ("showstopper") and key security controls called out in the FedRAMP Readiness Assessment Report (RAR) template
  • Spot-check current system/process documentation against the FedRAMP-required templates
  • Validate the system boundary for completeness/accuracy
  • Inspect configs and artifacts
  • Review every in-scope control requirement with the technical teams
  • Assess all technical controls at all layers of the stack and all control processes (e.g., awareness and training, etc.)
  • Document control implementation statements that describe how controls are implemented
  • Refine, revise, or re-design controls and processes to meet requirements
  • Identify gaps in the design and implementation of controls
  • Discuss alternative solutions for gaps and collaborate to determine the best-fit recommendation
  • Recommend solutions for missing capabilities
  • Option: Perform penetration testing of the web application
  • Option: Quick Assessment for companies that want more background before committing to FedRAMP