Not your traditional "assessment"
Many organizations will find that the work to obtain a FedRAMP authorization is nothing like any other "assessment" they have done before. The work is based on NIST SP 800-53 Revision 4 for low, moderate and high impact systems, along with additional FedRAMP controls. The documentation must be provided in the FedRAMP required templates and must sufficiently detail the system, controls and authorization boundaries (to name a few) so that the government or authorizing agency can accept the risk of the system and grant it authority to operate (ATO).
Additionally, the process involves heavy participation from the FedRAMP PMO or Agency ISSOs, who oversee the work against milestone project plans; the additional work they request can extend the timeline to completion.
How Coalfire helps
Coalfire is a leading FedRAMP 3PAO. As one of the earliest organizations granted 3PAO status, we have assessed CSPs, resulting in FedRAMP JAB and Agency ATOs, and we also provide advisory services to other CSPs in the FedRAMP queue. Coalfire works, as assessor or advisor, with more than 30% of the CSPs currently in process for FedRAMP.
Because of the rigor of the FedRAMP process, Coalfire has developed several services that CSPs have found beneficial in their pursuit of FedRAMP.
Workshop – One to two-day, on-site, discussion with you and your company stakeholders to discuss a FedRAMP initiative for your business, resulting in business justification and next steps.
Pre-Assessment – A quick 'gap' analysis or inventory of your current environment and cloud system documentation. The deliverable is a high-level roadmap of the Client's next steps and the level of effort required to complete them.
Advisory – Coalfire will advise on system architecture and documentation of the environment, and can be contracted to produce a System Security Plan (SSP), Policies and Procedures, and other system documentation.
Assessment – Coalfire can develop the Security Assessment Plan (SAP), conduct the assessment, security testing and re-testing, create the Security Assessment Report (SAR), and make the final recommendation for authorization.