Complete FedRAMP Advisory – Remediate & Document

  • Already know their gaps (e.g., “what” is missing) but need help figuring out the best solutions (e.g., “how” to address the requirements)
  • Need a SME resource available for “as needed” consultation
  • Need help implementing controls or preparing required documentation
  • Seeking an advisor who is experienced in leveraging the advantages of using pre-authorized platforms and services
  • Guide and support IT engineering efforts to remediate FedRAMP gaps and prepare a complete FedRAMP documentation package that meets all PMO, Agency and 3PAO requirements
  • Detailed control implementation descriptions (for SSP) for controls that are newly implemented
  • Complete FedRAMP package ready for review by AO and 3PAO assessor
  • System Security Plan (system components and boundaries, data flow, system interconnections, and control implementations)
  • Configuration Management Plan, Incident Response Plan, Contingency Plan, and other required attachments
  • Initial POA&M
  • Policies and Procedures
  • Continuous Monitoring Plan
  • Provide real-time direction and guidance during the remediation engineering phase as new controls and toolsets are implemented
  • Provide input and direction as questions arise while new tools and processes are deployed
  • Collaborate with the engineering team as needed to ensure that FedRAMP control requirements are addressed
  • Validate adequacy of technical implementations of new/fixed controls
  • Leverage existing documentation and interview personnel for required information, and create a complete CSP documentation package for FedRAMP
  • Evaluate all available documentation to determine what can be leveraged for FedRAMP
  • Review existing “plans” (contingency, incident response, configuration management, etc.) to determine what can be leveraged
  • Document or revise SSP and required attachments (including “plans”)
  • Collaborate with client personnel to ensure system diagrams and data flows for the SSP are correct
  • Modify control implementation statements as needed to correctly describe controls and reflect all remediation activities
  • Document initial POA&M for control gaps and vulnerabilities
  • Create continuous monitoring plan
  • Optional: Provide hands-on implementation of tools and security engineering