FedRAMP and PCI Assessment Similarities

white paper

Assessment Reuse Efforts and Impacts Between FedRAMP and PCI

Private organizations and cloud service providers (CSPs) are required to abide by multiple federal and agency-level requirements to ensure that a reasonable and acceptable level of security exists within the organizational boundary. Depending on the business function, there are more than 100 requirements to which these organizations must adhere, including, but not limited to, FedRAMP, Payment Card Industry (PCI), FISMA, and HIPAA. This paper focuses on the similarities between the FedRAMP and PCI requirements.

FedRAMP, the Federal Risk and Authorization Management Program, is an accreditation standard based on the National Institute of Standards and Technology (NIST) 800-53 document. CSPs serving the U.S. federal government are required to implement FedRAMP standards so that an acceptable level of risk is achieved. This helps ensure that if a government entity utilizes the service, government data will remain secure.

The PCI Security Standards Council is an open global forum that develops, manages, provides education for, and builds awareness of the PCI Data Security Standard (PCI DSS). The PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data (CHD), and applies to all entities involved in payment card processing.

In this paper, we examine the similarities between FedRAMP and PCI requirements, and how an organization’s security protocols may be reused to meet required federal standards. Specifically, three key questions are examined:

  1. What are the FedRAMP and PCI requirements?
  2. What requirements, including testing and documentation, may be shared and/or exchanged between FedRAMP and PCI?
  3. What is the best strategic approach for an organization to successfully navigate the requirements of FedRAMP and PCI?

Based on this analysis, strategies for successfully navigating FedRAMP and PCI requirements are identified, and overlapping security protocols that are acceptable for proving and maintaining security are addressed.