FedRAMP 3PAO Assessment for Cloud Service Providers
Provide cloud services to government agencies with FedRAMP Certification
FedRAMP establishes process to provide secure and compliant cloud services to government agencies
As part of its “cloud first” policy established in 2010, the US government has formalized a set of regulations that Cloud Service Providers (CSP) must meet in order to do business with US government agencies. This initiative called FedRAMP is expected to save taxpayers an estimated $1.7 Billion in infrastructure costs.
FedRAMP (Federal Risk and Authorization Management Program) is a “do once, use many times” program which provides a common structure for assessing and sharing security results in the Federal Government. CSPs must be independently certified by a FedRAMP 3PAO - Third Party Assessment Organization - as part of FedRAMP. This will allow CSP’s to receive a provisional authority to operate (ATO) which can be leveraged by all Federal Agencies. The provisional ATO is issued by the FedRAMP Joint Authorization Board (JAB), an illustration of the governance entities from the FedRAMP ConOps report (Figure 2-2: FedRAMP Governance Entities) is below
Backed by years of experience in working with public, private, hybrid and government clouds for FISMA, PCI, GLBA and HIPAA/HITECH compliance assessments, our unique experience makes us a valuable partner in helping you in the FedRAMP process towards receiving an ATO with government agencies.
FedRAMP assessments are built from the requirements outlined by the Federal Information Systems Management Act (FISMA) and the NIST 800-53r3 controls. You can read more about the differences between FISMA and FedRAMP (PDF) assessments from our perspective. The FedRAMP assessment process covers four main steps, each requiring JAB approval prior to moving on to the next step. Below you will find an illustration as provided by the FedRAMP ConOps Report (Figure 6-1: Security Assessment High Level Overview) (PDF)
Coalfire will guide you and your FedRAMP appointed Information System Security Officer (ISSO) through this process, taking into account unique consideration that cloud and virtualization environments will pose. Keep in mind resubmissions for approval of each step of the process are limited to two.
How Can We Help You with your FedRAMP Needs?
As an authorized 3PAO, Coalfire can help with providing advisory services or assessment services. In order to assure our independence as a 3PAO, Coalfire can provide advisory or assessment, but not both to the same organization.
Advisory: As an advisor we can assist CSP’s and federal agencies with understanding the requirements, impacts to their business/agencies, and best practice approaches to getting FedRAMP certified or leveraging FedRAMP approved CSP’s.
Assessment: For CSP’s interested in becoming an approved FedRAMP provider, Coalfire as a 3PAO can conduct an independent assessment for submission as an approved CSP.
If you are interested in getting more information from Coalfire please provide a brief description of how we can help you with your request and how to contact you.