XRAMP – Security Assessments Evolved

Point in time security assessments have been around a long time. Do they provide the level of assurance that business, downstream customers, and the government expects? Is it enough in the digital world that is constantly evolving? The concept of continuous assurance isn’t new, but limited progress has been made in terms of the way we manage risk. This traditional assessment model will not change overnight, but there absolutely has to be a better to way improve it.

SOC 2 & FedRAMP – Why Fortreum is different

Audit time. It’s one of the most dreaded times of the year (or multiple times per year) for a security manager/CISO/administrator, etc. Is it because of the auditor? I’d like to hope not (at least for us)! Most often, it is TIME itself that is dreaded for assessments, and what is dreaded even more so is when there are multiple assessments running at the same time. How do cloud service providers move towards consolidated assessments (such as SOC 2 and FedRAMP) while preserving internal time and impact?

CVSS Scoring & FedRAMP – What You Need to Know?

Commercial cloud service providers (CSPs) are responsible for maintaining a similar risk profile to the risks identified within their most recent Security Assessment Report (SAR). CSPs submit continuous monitoring deliverables each month for review by the FedRAMP PMO and their sponsoring agency or the Joint Authorization Board (JAB). These deliverables include a Plan of Action & Milestones (POA&M) and a Deviation Request (DR) list. FedRAMP Vulnerability Scanning Guidance from March 2018 requires that the vulnerabilities listed on these documents use the CVSSv3 calculation, when available, to determine a risk rating.

Contact us to discuss your cyber and cloud business needs. We’re happy to share our insights and work with you as your business evolves.