XRAMP – Security Assessments Evolved

Point in time security assessments have been around a long time. Do they provide the level of assurance that business, downstream customers, and the government expects? Is it enough in the digital world that is constantly evolving? The concept of continuous assurance isn’t new, but limited progress has been made in terms of the way we manage risk. This traditional assessment model will not change overnight, but there absolutely has to be a better to way improve it.

Breaking Out and Breaking In

Transitioning from a career in law enforcement to one in cybersecurity was, on paper, a relatively short journey, lasting some 18 months of graduate school while pursuing a master’s degree in Cybersecurity Technology.

StateRAMP Fundamentals & StateRAMP Fast Track

StateRAMP is a non-profit organization that launched in early 2021 with the goal of providing a standardized approach to cloud cybersecurity authorization for State and Local governments. You might ask, why create another governing body when a proven framework for the federal government like FedRAMP exists? We get it, each industry and governing body needs to be a special snowflake. Before we jump to conclusions, let’s dive into the StateRAMP program to see if cloud service providers (CSP) should be paying attention for future business opportunity.

SOC 2 & FedRAMP – Why Fortreum is different

Audit time. It’s one of the most dreaded times of the year (or multiple times per year) for a security manager/CISO/administrator, etc. Is it because of the auditor? I’d like to hope not (at least for us)! Most often, it is TIME itself that is dreaded for assessments, and what is dreaded even more so is when there are multiple assessments running at the same time. How do cloud service providers move towards consolidated assessments (such as SOC 2 and FedRAMP) while preserving internal time and impact?

CVSS Scoring & FedRAMP – What You Need to Know?

Commercial cloud service providers (CSPs) are responsible for maintaining a similar risk profile to the risks identified within their most recent Security Assessment Report (SAR). CSPs submit continuous monitoring deliverables each month for review by the FedRAMP PMO and their sponsoring agency or the Joint Authorization Board (JAB). These deliverables include a Plan of Action & Milestones (POA&M) and a Deviation Request (DR) list. FedRAMP Vulnerability Scanning Guidance from March 2018 requires that the vulnerabilities listed on these documents use the CVSSv3 calculation, when available, to determine a risk rating.

Contact us to discuss your cyber and cloud business needs. We’re happy to share our insights and work with you as your business evolves.