FedRAMP officials took a hard, critical look at their 4-year-old program last year to address a rash of concerns coming from industry stakeholders. The security world was troubled by the program’s lack of authorized cloud service provider options and lack of transparency. FedRAMP Director Matt Goodrich listed the main points of feedback the group had received and promised to retool the initiative to better serve clients’ needs.
The revised and rebranded FedRAMP program has made several process changes designed to streamline authorizations. One of the changes that affects CSPs the most: the introduction of readiness assessment reports (RARs), to be completed with a 3PAO-certified assessor.
While this requirement for readiness assessment may speed up authorizations for prepared organizations, many CSPs are less than clear on what qualifies them as prepared. Specifically, they may not realize the requirements for FedRAMP Readiness Reviews are mandatory.
But they are.
On May 24, FedRAMP posted a clarification regarding this issue on their tips and cues blog, offering links to readiness assessment report templates and explaining that CSPs are responsible for understanding the FedRAMP Ready requirements.
CSPs will, of course, want to read the RAR documentation in its entirety. However, FedRAMP outlines five major questions to assess FedRAMP preparedness:
- Are FIPS 140-2 Validated or National Security Agency (NSA)-Approved cryptographic modules consistently used where cryptography is required?
- Can the system fully support user authentication via Agency Common Access Card (CAC) or Personal Identity Verification (PIV) credentials?
- Is the system operating at the minimum eAuth level for its FIPS 199 designated level of operation (Level 3 for Moderate, Level 4 for High)?
- Is the CSP able to consistently remediate High vulnerabilities within 30 days and Moderate vulnerabilities within 90 days?
- Do the CSP and system meet Federal Records Management Requirements, including the ability to support record holds, National Archives and Records Administration (NARA) requirements, and Freedom of Information Act (FOIA) requirements?
Any organization answering “no” to one or more of these core questions may need to restructure or re-engineer their systems to pass assessment standards. Those who can answer all questions in the affirmative, however, may be ready to work with a 3PAO on getting FedRAMP Ready.
Whether your organization needs help preparing for FedRAMP Readiness or you’re ready to bring in a 3PAO, Lunarline is prepared to help you get compliant. For information about us and the services we provide, contact one of our experts today.