XRAMP – Security Assessments Evolved

Point-in-time security assessments have been around a long time. Do they provide the level of assurance that business, downstream customers, and the government expects? Is it enough in the digital world that is constantly evolving? The concept of continuous assurance isn’t new, but limited progress has been made in terms of the way we manage risk. This traditional assessment model will not change overnight, but there absolutely has to be a better way to improve it.


Today, we’re happy to announce that we have launched a continuous testing framework, XRAMP, that is hyper-focused on the FedRAMP authorization process (as a starting point) to normalize the way we conduct audits for cloud service providers.

We knew that addressing this challenge required a well-thought-out blueprint, strong customer collaboration, governance buy-in/collaboration, and laser focus on a specific industry framework to get this off the ground. We’re starting with FedRAMP, one of the highest cloud security standards in the marketplace.

The benefit to the CSP community is that XRAMP normalizes workflows for the audit cycle, improves security assurance practices and accountability for all parties, and minimizes internal organizational impacts (through consolidation).

“Let us repeat again – XRAMP will normalize audit cycles, improve security assurance visibility and minimize organizational impact over time”

XRAMP – Overview

The XRAMP idea was conceived after years of conducting assessments, as well as being on the auditee side as a cloud service provider. Year over year, framework over framework, up/down – stop/start – how is it possible to better plan out your governance program and audit cycles? There had to be a better way to normalize audits as things just will not continue to scale.

How Does It Work?

Fortreum first seeks to understand your current baseline and regulatory strategic roadmap (12-36 months). Understanding your regulatory roadmap, current audit timelines, and authorization dates is key to blueprinting a plan that will optimize your current and future state authorization needs.

Fortreum will work with your key stakeholders to align your FedRAMP audit and other compliance initiatives for the year into a consolidated audit work stream. We’ll take into account regulatory frameworks, authorization dates, timeliness of evidence, and future business needs for the year/outyears.

We will provide a dedicated XRAMP audit team to support your business needs with the extensible ability to add on services, significant change requests, continuous monitoring, penetration testing, and other/new frameworks (future state) as your needs arise. See the chart below on the FedRAMP Annual workflow.

Benefits

Our goal with XRAMP is to normalize the audit process by architecting an extensible framework and workflow process to support continuous auditing. This will provide Cloud Service Providers a more predictable audit workflow, which in turn should provide a higher security assurance level and reduce internal operations and engineering time. 

“XRAMP is the future – one that reduces audit fatigue on service and compliance teams”

You get a team of Subject Matter Experts (as a service), monthly and quarterly checkpoints, and a forecasted control set and roadmap for the authorization year. Please note, initial cloud systems must undergo an initial FedRAMP authorization prior to enrolling in XRAMP.

Summary

We believe XRAMP is going to change the way auditors and cloud service providers interact over time. The exponential growth of regulatory audits and expansive frameworks requires a blueprint to scale efficiently. This offering can also be expanded into other frameworks such as SOC, HIPAA, 800-171, etc.

If you’d like to learn more about this XRAMP offering, reach out to the security experts at Fortreum.

Contact us to discuss your cyber and cloud business needs. We’re happy to share our insights and work with you as your business evolves.