The Realities of FedRAMP Continuous Monitoring and Penetration Testing Requirements
FedRAMP, the Federal Government’s program for security and risk management of commercial cloud providers is not a “one-and-done” certification but a continuous process of monitoring and testing. Immediately upon achieving an ATO you are in the continuous monitoring phase of your authorization and working through your Plan of Actions and Milestones (POA&M) and remaining in scheduled contact with your FedRAMP or Agency ISSO. As you collect risk in the system as a result of the working environment you are required to make sense of it, report it, prioritize it and remediate it.
This webinar will explore the requirements that CSPs must meet on monthly, quarterly and an annual basis including the annual assessment under FedRAMP. This is not just testing a small sample set of the controls to be tested and submitting quarterly scan results. The webinar will answer common questions, shed light on solutions for the complexities that continuous monitoring can present, dispel myths and discuss lessons learned for the continuous monitoring portion of FedRAMP along with the new Penetration Testing requirements.
We will dive into the nuances of topics that include:
- CSP selected controls and Agency or JAB approved for testing
- With environment changes and Rev 3 to Rev 4 changes, should I just do a full blown new assessment?
- How should the new penetration testing requirements and social engineering aspect be handled?
- How do I deal with a system change?
- The cadence of communication with the FedRAMP or Agency ISSO
This webinar requires registration. Please fill out the form to gain access.