This post was originally published in August of 2016 and is updated with additional information provided by David Clevenger, Director, Commercial Support Services.
As part of the FedRAMP Accelerated process, cloud service providers (CSPs) can now complete a Readiness Assessment Report (RAR) to demonstrate their readiness for the FedRAMP process. The RAR is required for CSPs pursuing the FedRAMP JAB approval route. CSPs should also consider having a Readiness Assessment if they are pursuing the Agency approval route, where the RAR is not required, in order to provide assurances of the security posture for their solution.
FedRAMP Director Matt Goodrich wrote in an Aug. 9 blog post announcing the new template: “CSPs whose RAR is approved by the FedRAMP PMO are deemed ‘FedRAMP Ready’ in the FedRAMP marketplace.” Achieving this designation indicates that a CSP is likely to attain a Provisional Authorization to Operate (P-ATO) via the Joint Authorization Board (JAB) or an Authorization to Operate (ATO) from an Agency; however, the final assessment and full granting of the P-ATO or ATO have not yet been attained. The RAR formalizes the "pre-audit" methodology that third party assessment organizations (3PAOs), like Coalfire, conduct so that CSPs achieve FedRAMP compliance faster and federal agencies have rapid access to secure commercial cloud solutions.
What is it?
The Readiness Assessment Report is a technical review of a cloud service provider’s FedRAMP environment. The RAR evaluates the CSP’s FedRAMP environment/boundary to determine whether the environment is technically ready for testing. Among the key aspects the RAR evaluates are the encryption modules and multi-factor authentication capabilities. The RAR is required for CSPs undergoing a FedRAMP assessment through the Joint Authorization Board (JAB), but is optional for a CSP undergoing an Agency-level FedRAMP assessment.
You can access the RAR template from FedRAMP.gov here: Readiness Assessment Report Template. The RAR template has an accredited FedRAMP 3PAO review a short list of critical controls and processes. Some of these areas are:
- Approved Cryptographic Modules
- Transport Layer Security
- Identification and Authentication, Authorization, and Access Control
- Audit, Alerting, Malware, and Incident Response
- Contingency Planning and Disaster Recovery
- Configuration and Risk Management
- Data Center Security
- Policies, Procedures, and Training
RAR for the JAB route
The RAR is required for this route and is to be performed by an accredited 3PAO and submitted to the FedRAMP PMO for review and approval. Once the RAR is completed successfully, the service is deemed “FedRAMP Ready”, the CSP is listed on the FedRAMP.gov website with that status, and the 3PAO can then begin the full 3PAO assessment. A CSP is not able to continue on the FedRAMP JAB path without first being deemed “FedRAMP Ready” by the FedRAMP PMO.
RAR for the Agency route
A CSP undergoing the Agency FedRAMP authorization path is not required to have a RAR performed; however, Coalfire has noticed an increasing trend of Government agencies requesting that these assessments be performed to confirm the CSP’s commitment to security design and investment in appropriate security measures.
The best way to find out whether the Agency requires a RAR is simply to ask. Let’s say the Agency says “no, it’s not required.” Should you as a CSP do one anyway? The question you should ask yourself is “As a CSP working with an Agency that does not require a RAR, is it worth the investment?” In most cases, the answer is a resounding yes.
Most CSPs that have successfully navigated the FedRAMP program had one thing in common: a pre-audit. Before the FedRAMP Readiness Assessment Report process existed, this pre-audit was typically performed either internally or by a 3PAO. The premise behind any pre-audit is to identify gaps in implementations and misalignments with FedRAMP requirements early. Today, the RAR fills the role of that pre-audit. This is exactly why the FedRAMP PMO has instituted the RAR process at the JAB level: the JAB wants to know in advance whether the system will pass before everything is fully examined. Agencies are starting to see the value in knowing this information in advance, as it helps establish more realistic timelines for authorization and deployment.
Technical Requirements and Advantages of a Readiness Assessment
The RAR process instructs the 3PAO to examine the CSP’s FedRAMP environment from a technical perspective to ensure the environment is correctly configured to meet the FedRAMP technical requirements. Two examples are multifactor authentication (MFA) and cryptography. If a CSP does not have either MFA or cryptography correctly implemented, the CSP will not pass a FedRAMP assessment. By having a RAR performed, the CSP is able to understand the risks associated with its technical implementations and remediate them without halting the full 3PAO assessment. Following the RAR allows the CSP to confirm that three things are in order:
- The CSP’s FedRAMP environment is meeting the technical FedRAMP requirements
- The CSP documentation is on track. If the documentation needs corrections, the RAR allows those updates to occur early, before FedRAMP testing begins
- If a technical issue is noted, the CSP can correct the issue before FedRAMP testing begins, saving it from potential delays on the back end
Coalfire worked closely with the FedRAMP Project Management Office (PMO) to provide feedback during the RAR development. Our contributions helped ensure that the new process would allow for faster evaluations while providing federal information security officers enough information to make risk-based decisions.
Coalfire has conducted RARs for several leading CSPs and system integrators. Organizations considering FedRAMP should contact Coalfire’s FedRAMP team to further discuss the process, cost, and timeline for FedRAMP.