The Federal Risk and Authorization Management Program (FedRAMP) Gap Assessment provides an overview of FedRAMP and identifies showstoppers and security control issues that would delay your progress. Take the first step toward understanding your next steps in a manageable FedRAMP Authorization process.
- Overview of the FedRAMP program, including FedRAMP Connect, the stages of FedRAMP Ready, In Process, and Authorized, and the role of Third Party Assessment Organizations (3PAOs)
- Quick-hit process to identify roadblocks that could prevent a FedRAMP authorization
- Boundary review and validation
- Initial review of the implementation status for each security control in the pre-defined baseline
- Overall cost-effective way to obtain a FedRAMP roadmap for authorization
FedRAMP is a detail-oriented and nuanced process. Preparing your environment for assessment may be something your team is not prepared for. Fortreum can step in and help you execute a program to develop the necessary artifacts for FedRAMP assessments.
- Preparation activities to identify gaps and implement remediation actions
- Develop the FedRAMP security package, including:
  - System Security Plan
  - Contingency Plan
  - Configuration Management Plan
  - Incident Response Plan
- Additional boundary review and validation throughout the package development process
- Turn-key program development to ensure the cloud service offering is ready for a 3PAO to assess it
Assess your organization’s cloud service against the FedRAMP requirements with the most experienced 3PAO assessors.
- Comprehensive independent assessment of the defined boundary for the cloud service offering
- Assessment consists of the following activities:
  - Security Assessment Plan
  - Control Assessment (based on the FedRAMP baseline)
  - Vulnerability Scans (operating systems, web applications, network devices, and databases)
  - Penetration Test
  - Security Assessment Report
- Assessment results are then used to make an authorization recommendation to the authorizing official
- Testing is much more granular to ensure all system components are properly tested
FedRAMP does not stop with a successful assessment and authorization. Continuous monitoring requirements, which Fortreum can help you meet, are in place to maintain authorization and ensure the security posture of the system.
- Process for maintaining the authorization once the authorization has been granted
- Includes various weekly, monthly, quarterly, and annual checkpoints
- Control assessments and penetration tests to be performed annually, or more frequently if a significant change request is introduced
- Vulnerability scans to be performed monthly, with reporting provided to the FedRAMP PMO each month based on the results of those scans
- Requires meticulous oversight and proper staffing levels to ensure the security posture of the offering is not negatively impacted over time