The Coalfire Blog

Welcome to the Coalfire Blog, a resource covering the most important issues in IT security and compliance. You'll also find information on Coalfire's insights into the unique cybersecurity issues that impact the industries we serve, including Cloud Service Providers, RetailFinancial Services, Healthcare, Higher Education, Payments, Government, Restaurants, and Utilities.

The Coalfire blog is written by the company's leadership team and our highly-credentialed security assessment experts. We look forward to your comments, so please join the conversation.

The Coalfire Blog

FedRAMP PMO - FedRAMP Process and Developing SSP webinar Q&A

January 16, 2013, Tom McAndrew, EVP Commercial Services, Coalfire

Bookmark and Share

Tom McAndrew The FedRAMP program continues to gain momentum and GSA and the FedRAMP PMO conduct great, interactive, webinars available to attend live or to watch later. There is much to learn from the GSA on how to navigate the FedRAMP process according to their requirements.

The GSA put on two webinars late last year covering the FedRAMP Security Authorization Process and Developing your System Security Plan. I encourage you to watch these webinars in their entirety, by clicking the links above and to register for future GSA FedRAMP webinars.

The Q&A sessions of these webinars always present great insight to the situations many CSPs may be going through as the learn how to adopt federal requirements. We have provided some of the Q&As from these past two webinars and provided them below. The GSA provides a text transcription of the webinars, but the automated transcription garbles the output of the sentence or answer- so we have provided human reviewed Qs & As here.

Again, be sure to sign up for future GSA webinars on the FedRAMP process by signing up here.

Please find a reproduction of the Q&A segments from the November FedRAMP PMO webinars below:

FedRAMP Security Authorization Process

Q: Does the 3PAO need to review the agency and CSP documentation before approval?
A: It's not a requirement. However, it would be difficult to imagine how the 3PAO could do a true assessment without at least being familiar with SSP and all of the other documentation that is required. So while it's not a -- it's not a requirement, it probably is a good practice.

Q: Are there any overlaps between this certification and FISMA?
A: As Katie mentioned, FISMA is the law that all security authorizations across the government. NIST provides the guidance for implementing FISMA at your agency.   FedRAMP is based on that NIST guidance, on FISMA compliance. So if you are FedRAMP compliant, you are FISNA compliant.

Q: Is there a check list on
A: Yes. Both in the understanding FedRAMP and I believe in some of the templates. So certainly go to Look at understanding FedRAMP. I believe there are several check lists there.

Q: Does this apply to internal cloud services run within agencies, private clouds? How about for clouds run at federal labs operated by a contractor?
A: There is no delineation between public and private clouds or deployment models. This applies equally to private and public infrastructure platforms and software.

Q: I already have an approved ATO from a federal agency, using the agency's SSP template with all of the FedRAMP controls; do I need to rewrite my entire security authorization package in the FedRAMP templates? If so, why?
A: The mandatory templates for FedRAMP were discussed in the previous webinar, the SSP, the SAP and the SAR.  However, if you meet the FedRAMP requirements, please discuss with the agency and FedRAMP-- please apply to FedRAMP, and we will describe how you can effectively update to those mandatory templates. It can be a POE&M item or we can do it under a certain amount of time frame, but it does eventually have to be in those mandatory templates, but it's only for the SST, the staff, and the SAR, not all of the supporting documents.

Q: Slide 5 indicated that CSP is responsible for the continuous monitor of security control. How will the agency receive reasonable assurances that the monitoring activities are conducted and the quality of the monitoring?
A: Well, as is the case now, CSPs, or vendors of most installed software packages must do periodic reporting on their monitoring activities. So we will continue to follow the guidance of CHS on how continuous monitor is to take place, and we have details in our continuous monitoring strategy and guidance on, but it is up to the CSP to provide the report, and up to the agency to assess its quality and completeness.

Q: We are a software vendor with a hosting partner. Can we apply for the FedRAMP certification, or is this only available to the CSPs?
A: Software service providers can apply for FedRAMP authorizations. However, authorizations have to begin at the infrastructure level. So you can't confirm come in as a software provider without having your infrastructure provider being authorized. So you would have to come in together in order to do all of that.

Q: This is required for cloud computing, for federal government by when? Is it available now?
A: I'm assuming you’re talking about participation in the FedRAMP program. The answer is yes, the requirement was established in a memo issued by OMB on December 8th, 2011. You can get that, a copy of that memo, on There are two stages of requirements. All new instances of federal cloud computing services must meet FedRAMP security requirements as they get an ATO. If the application is already installed, FedRAMP requirements must be met by June 2014.

Developing Your System Security Plan

Q: Is the level of data protection that a CSP system can protect determined by the 3PAO? If so, how is that determined by the 3PAO since NIST provides the recommended FIPS categorization based on data types.

A: The level of data protection that a CSP system can protect is determined by the CSP and verified by the 3PAO.
Q: How should all the documentation be submitted to FedRAMP to maintain its confidentiality? 
A: FedRAMP has a secure repository called OMB Max and its hosted by the executive office of the president and is a digital repository that has access controls in the proper level security to maintain confidentiality and security of all documentation provided by CSP’s to the federal government.  When vendors begin working with FedRAMP they will be provided access to this repository and all control to that repository is controlled by the FedRAMP PMO.

Q: When talking about a hybrid control between the JAB CSP and the agency, how is the portion of the control belonging to the agency monitored, tracked and verified? 
A: The responsibility that belongs to the agency specifically for their own internal responsibility. The CSP is not required to track or monitor how that portion of the control is being implemented by the agency.
Q: Is there a completed SSP that we can review?
A: No, there is not right now.  For confidentiality reasons, we would not reveal a SSP submitted to us by one cloud service provider to anybody else. I think that is the reason that the template is so detailed so that it will allow completeness of the information we need without having to look at an example.

Q: Is there a FedRAMP form available?
A:If you are asking if there some sort of special interest group around FedRAMP, the answer is no, not yet, but for confidentiality reasons we have not revealed who all the applicants are to the program, both from CSP’s. There is a special interest group that the third-party assessors have formed, but for cloud service providers right now there is not one. We would be interested in such a thing, but right now are focus is on getting our applicants educated and granting an ATO to CSP’s.

Q: Should the dataflow only focus on boundary related events or do you want internal dataflow information as well? 
A: You need to focus on both internal and boundary related events in your dataflow.

Q: Does the 3PAO have any role in the process or is the 3PAO only engaged to review the SSP?
A: The third part assessor is only engaged to review the SSP to create the SAP and do the testing. The 3PAO cannot be engaged to create SSP.  That is a very important point. The 3PAO must retain their independence and must be able to review documentation and tests without participating in the creation of those documents.  You can hire a 3PAO to create your SSP or to assist you in creating your SSP. Many CSP's have found that to be very helpful. However, if the 3PAO creates your SSP, the 3PAO cannot be the same that tests against that SSP. You must then hire two different 3PAO’s.

Q: In a cloud implementation software components will move from physical host to physical host, how is this described in section 8-9 of the SSP? 
A: This is where you describe how your live migration strategy works and in the guide to understanding FedRAMP  there is a section that will help you figure out how to describe your live migration strategy and what are the kinds of things that we are looking for in that description.

Q: Can you confirm that all cloud services, even those provided by government agencies to another government agency are subject to FedRAMP ? 
A: Yes, All cloud services, whether commercial or government or platform software infrastructure are all subject to FedRAMP.  This is documented in a memo that was released by OMB on December 8 of 2011. That memo and its text are available on
Q: Does it still follow the high watermark for low, high and moderate classification?
A: So, right now FedRAMP is not processing any high sensitivity systems. That is not something that we should ever see that has been sent in right now.

Q: Can agencies use a cloud provider that has not gone through the JAB for approval? 
A: Yes. For more details on how cloud service providers and agencies can use FedRAMP at different varying levels of authorization, you can review the first webinar that we had which is available for viewing on as well as

Q: At my agency they want to define everything as a cloud. Is there a good way to validate that a system is a cloud before going through the FedRAMP process? 
A: One thing that you can always refer to is the NIST cloud reference architecture. Generally speaking cloud systems have the ability to expand rapidly on-demand. Think of it as buying your services like an accordion and when you need them, your resources expand out, you get more disk space, you get more memory and when you do not need them, it contracts. Another thing that is typically common to a cloud is that live migrations are occurring behind the scenes, meaning data can move around from place to place, different storage places, different host, unbeknownst to you though it is still usable to you just the way you would normally expect it to be. You should check out the NIST cloud computing architecture for framework within you can determine if your system is a cloud or not.
Q: How does FedRAMP view existing third-party audits such as Web Trust under the trust services principle of security, integrity and availability as well as PCI DSS certification as a service level one provider?

A: FedRAMP views them positively however, FedRAMP requires that you must test according to the FISMA requirements and you can leverage documentation in terms of creating your SSP, but when it comes to testing, you must test in accordance with the FISMA requirements of the test plan provided within the security assessment plan and the results provided on the security assessment report.

Q: Parameters are entered within the control description; however, it is also listed in a separate field location on the template. Can we just write the parameters listed above that are already written as they are predefined by the JAB? It seems redundant to enter it twice and some have multiple parameters.
A: The idea is not to just copy and paste these parameters, you actually need to check and make sure that your system can meet these parameters. If it does not, you should say what are the parameters that it does meet?  When the third-party assessor is going in, they are going to be checking if you really meet these parameters or did you just copy and paste them from below because without checking, you're not going to know if you actually meet these parameters.

Coalfire is an accredited FedRAMP 3PAO. We also provide a list of FAQs and answers and webinars based on our experience in working with cloud service providers engaged in this process.
<< Go Back

Blog post currently doesn't have any comments.

Post Topics


RSS Feed

The Coalfire BlogSubscribe to Feed
Chrome users will need to install RSS Subscription Extension (by Google)