Everyone loves a top 10 list. However, this list probably won’t be as entertaining as one of David Letterman’s – unless you’re a cloud service provider (CSP) prepping for a FedRAMP assessment.
There’s a lot a CSP can do to prepare for a FedRAMP assessment, but what are the most important things? What should you do first? Let’s count ‘em down.
10. Be hospitable.
Let visitors know if coffee and refreshments are available at the offices. Advise the key stakeholders and the third-party assessment organization (3PAO) of any transportation, traffic, parking, or lodging challenges in the area. Discuss how meals (lunch and/or dinner) will be handled during the assessment.
9. Don’t overcomplicate the process.
FedRAMP is not designed to be complex. In simple terms, FedRAMP requires a CSP to document their security status, arrange for an outside entity to validate the statements, have the government review the risks and continuously maintain the system security status. Instead of getting frustrated with the FedRAMP process, a CSP should focus its energy on effectively documenting and implementing its security controls.
The FedRAMP security controls can be daunting. There are a great many requirements and pages and pages of text that describe best practices for protecting the confidentiality, integrity and availability of information. Neither the project management office (PMO) nor the 3PAO wants a CSP to struggle to meet the FedRAMP guidelines. It is reasonable to mark a control as “Planned” until the concept is fully understood. If the CSP needs additional support, we recommend contacting the PMO or a 3PAO for assistance.
8. Be Realistic with the schedule.
While FedRAMP isn’t supposed to be complicated, complying with the security controls is not a quick process. Even the most experienced cloud security architect could not document and integrate all the requirements overnight. The FedRAMP schedule should align with the CSP’s actual readiness to comply with the security controls.
Business requirements can interrupt or change security schedules. It is imperative that the CSP weigh business needs against the cost of rushing through FedRAMP: a hurried assessment produces inaccurate control statements and findings that must be reworked later. A tabletop review of the controls can help with initial scheduling.
7. Conduct an initial, cursory, high-level control review.
In order to establish a realistic schedule, the CSP is encouraged to conduct an initial, cursory, high-level tabletop review of the security controls. The review should consist primarily of interviews with the key security stakeholders associated with each control family described in the FedRAMP System Security Plan. The output of the review should record, for each control, its current status, the name and/or title of the staff member(s) responsible for implementing it, and an initial observation of how complete the implementation appears. Once the high-level review is complete, the FedRAMP program manager should have a better understanding of the time and resources that will be required to complete the FedRAMP assessment.
6. Verify your team’s readiness.
Ensure key security stakeholders are fully prepared for the assessment. Verify that training, vacations or system operations do not conflict with the project schedule. Also, verify that the roles and responsibilities identified in the system security plan accurately reflect the individual(s) responsible for implementing the controls. Finally, verify that the personnel listed are aware they have been designated to implement those controls.
5. Ensure traceability.
Ensure every control implementation statement within the system security plan is explicitly traceable to a policy, process, procedure or security role within the CSP’s organization. For system design and architecture requirements, there should be clearly defined steps (configuration baselines, build procedures, architecture diagrams) that allow the CSP to reproduce the control objectives, and each of those artifacts should be traceable back to the technical security controls it satisfies.
This step can take weeks or months to accomplish. So we recommend that the availability of the artifacts be taken into account when developing the FedRAMP schedule.
4. Be prepared.
A CSP needs to ensure that all artifacts, systems, applications and personnel associated with FedRAMP are ready for the assessment. Store the artifacts in a single location that allows the CSP and 3PAO to exchange information easily. Use file names that make it easy to trace each artifact to a security control. Verify that the 3PAO will have network access to the systems and applications. Confirm that office space has been reserved for the 3PAO’s visit. Confirm that CSP staff members are available for the kickoff meeting to listen to the 3PAO’s brief. Finally, ensure that asset lists contain the information required by the FedRAMP templates, including hostname, IP address, function, software and version number.
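The asset inventory is the one artifact on this list that can be checked mechanically before the 3PAO sees it. The script below is an added example, not code from the original post or from FedRAMP: it validates a constructed sample inventory for empty required fields, malformed IP addresses and duplicate hostnames. The column names are an assumption made for this example; confirm them against the current FedRAMP inventory template before relying on the check.

```python
import csv
import io
import ipaddress
from collections import Counter

# Column names are an assumption for this example; align them with the current
# FedRAMP inventory template before using the check for real.
REQUIRED_FIELDS = ("hostname", "ip_address", "function", "software", "version")

# Constructed sample inventory (not a real system). Rows 2, 4 and 5 carry
# deliberate defects: a duplicated hostname, an invalid IP and a blank version.
SAMPLE_INVENTORY = """hostname,ip_address,function,software,version
web-01,10.0.1.10,Web front end,nginx,1.24.0
db-01,10.0.2.20,Database,PostgreSQL,15.4
bastion-01,10.0.0.999,Jump host,OpenSSH,
web-01,10.0.1.11,Web front end,nginx,1.24.0
"""


def validate_inventory(csv_text):
    """Return a list of (row_number, problem) tuples; an empty list means the inventory passes.

    Row numbers count the header as row 1, matching what a spreadsheet shows.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    fieldnames = reader.fieldnames or []
    missing_cols = [f for f in REQUIRED_FIELDS if f not in fieldnames]
    if missing_cols:
        # Without the required columns nothing else can be checked meaningfully.
        return [(0, "missing required column(s): " + ", ".join(missing_cols))]

    rows = list(reader)
    # Count only non-empty hostnames so blank cells are reported as empty, not as duplicates.
    hostnames = Counter(r["hostname"].strip() for r in rows if r["hostname"].strip())

    problems = []
    for row_number, row in enumerate(rows, start=2):
        for field in REQUIRED_FIELDS:
            if not (row[field] or "").strip():
                problems.append((row_number, f"empty {field}"))

        ip_text = (row["ip_address"] or "").strip()
        if ip_text:
            try:
                ipaddress.ip_address(ip_text)  # accepts IPv4 and IPv6
            except ValueError:
                problems.append((row_number, f"invalid ip_address {ip_text!r}"))

        host = (row["hostname"] or "").strip()
        if host and hostnames[host] > 1:
            problems.append((row_number, f"duplicate hostname {host!r}"))
    return problems


if __name__ == "__main__":
    for row_number, problem in validate_inventory(SAMPLE_INVENTORY):
        print(f"row {row_number}: {problem}")
```

Run it against an export of the real inventory before the kickoff; every line it prints is a question the 3PAO would otherwise ask during the assessment.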
3. Conduct a comprehensive internal review.
Prior to the 3PAO’s arrival, the CSP should conduct a comprehensive internal review of the system security plan, supporting artifacts, system configuration, scan results and personnel readiness against the FedRAMP Security Assessment Test Cases. Document the results in a manner that allows the responses to be easily presented to the 3PAO during the formal assessment. The goal is for the internal control review to be more challenging than the formal 3PAO assessment.
2. Be transparent.
Being transparent and providing direct accurate information allows the CSP and assessor to focus on validating the information in the CSP’s system security plan – rather than identifying vulnerabilities, threats and weaknesses that the CSP withheld from the discussion.
FedRAMP is not an interrogation. A CSP can mark security controls as “Partially Implemented” or “Planned” within the system security plan. There is no FedRAMP requirement that every control be fully implemented. The CSP doesn’t need to be perfect. It’s ok to have known weaknesses during the assessment.
1. Stay focused on risk management.
Once the system security plan is accurate, a CSP should remain vigilant in keeping it that way: every control implementation statement should continue to describe what the system actually does. Any partially implemented or planned controls should be tracked within a plan of action and milestones (POA&M) or a similar document. Compensating safeguards integrated into the system to reduce the overall level of risk should also be clearly described. Ultimately, the CSP should strive to ensure there are no unmitigated risks that would prevent the government from accepting the risk of using the CSP’s service.
Focus on risk management – not perfection.