SOC 2 & FedRAMP – Why Fortreum is different
Audit time. It’s one of the most dreaded times of the year (or multiple times per year) for a security manager/CISO/administrator, etc. Is it because of the auditor? I’d like to hope not (at least for us)! Most often, it is TIME itself that is dreaded for assessments, and what is dreaded even more so is when there are multiple assessments running at the same time. How do cloud service providers move towards consolidated assessments (such as SOC 2 and FedRAMP) while preserving internal time and impact?
Those multiple assessments leave internal teams dealing with multiple questions, multiple visits, significant internal disruption across the organization and sometimes even multiple auditors. This leads to duplication in questions, walkthroughs, and evidence gathering. Many audit firms have attempted to tackle this problem by promoting “consolidated audits”. But when you peel back the layers of what that means, it’s just different teams asking a bunch of questions, sometimes still repeating them, collecting multiple rounds of evidence, and often confusing the client: the client thinks they’ve already provided what is being asked for, but what’s often happening is that the audit firm’s own teams are not communicating with one another.
That’s where Fortreum is different. We combine our efforts to make the assessment process easier for everyone involved. We apply our years of expertise across the frameworks we assess to understand how to make the most of our team members’ efforts.
FedRAMP as the baseline
It is our belief that FedRAMP (using NIST 800-53) is one of the strongest benchmarks that our clients can use for their policies, procedures, and controls for their systems and environments. It also provides excellent guidance for the auditor on how to perform the assessment (NIST 800-53a). Templates that are provided (via FedRAMP.gov) for things like the System Security Plan (SSP) provide an outstanding source of information that can also be used for a framework like SOC 2. If a client is already going through a rigorous process like FedRAMP, why should they have to re-create everything just because they are also undergoing a SOC 2 audit?
With an SSP for FedRAMP, you will describe a lot of detail about the system in Sections 1-12. Things like the system components and boundaries, system function, network architecture, system environment and inventory, and interconnections are all areas of the SSP that can translate into various areas of the description criteria (DC-200) that are required for a system description (often section 3) of a SOC 2 report.
When it comes to the controls themselves, the SSP also contains a lot of the information that can be used for SOC 2 reporting. The implementation statements are essentially the controls that meet the stated requirements of FedRAMP. Those controls can also be applied to related criteria in SOC 2.
For testing, FedRAMP assessors document their work using the interview, examine, and test methods (as explained in NIST 800-53a) in a Security Requirements Traceability Matrix (SRTM) that records what they did, who they interviewed, the results of their testing, etc. That testing can be reused for SOC 2 workpapers as well (and shown in the “service auditor’s tests” area of section 4 of the SOC 2 report).
That doesn’t mean that everything in FedRAMP translates to SOC 2 and vice versa. FedRAMP has A LOT of required information that you won’t need in SOC 2. FedRAMP dives deep. SOC 2 is a reporting framework (not a compliance framework), so there is not a need or requirement to go that deep in the controls. Many of the high-level principles and “bigger” controls from FedRAMP will translate, but many of the enhancements aren’t necessary.
On the flip side, SOC 2 requires information that FedRAMP does not cover. Most of it lies in the organizational/management oversight of the organization. SOC 2 requires board of director oversight (along with board charter and meeting evidence for the auditor), which FedRAMP does not. SOC 2 discusses performance evaluations, which are absent from FedRAMP. SOC 2 also requires larger sample sizes because of the length of the period being evaluated in a typical SOC 2 Type 2 engagement, and it uses statistical sampling methods, which in turn lead to larger sample sizes to satisfy the requirements.
So, while there are many similarities in the two frameworks, each will require some additional framework-specific effort in order to complete the engagement.
Our personnel understand FedRAMP and SOC and how they work with one another better than anyone. Our teams are trained in multiple frameworks and in the key elements needed to reuse information. Our assessors take the high-water marks from each framework (whether it be the controls being evaluated, the tests themselves, or sample sizes) and design an audit program that consolidates everything to reduce impact on the client and their teams. We use that plan to gather the information we need, hitting those high-water marks, and then reuse that information for any other framework we are assessing against. Our method goes beyond consolidated; it really is a single effort and team that produces multiple results.