The Coalfire Blog

Welcome to the Coalfire Blog, a resource covering the most important issues in IT security and compliance. You'll also find information on Coalfire's insights into the unique cybersecurity issues that impact the industries we serve, including Cloud Service Providers, RetailFinancial Services, Healthcare, Higher Education, Payments, Government, Restaurants, and Utilities.

The Coalfire blog is written by the company's leadership team and our highly-credentialed security assessment experts. We look forward to your comments, so please join the conversation.

The Coalfire Blog

Determining if your Company is Prepared for FedRAMP

May 13, 2013, Tom McAndrew, EVP Commercial Services, Coalfire

Bookmark and Share

Tom McAndrew

Many companies interested in pursuing FedRAMP are seeking guidelines, checklists and any referenceable source  to help them understand and determine their level of preparedness to go through the FedRAMP process. The GSA's site provides documentation on the FedRAMP process in their "Guide to Understanding FedRAMP."  In it is a 12-step checklist to help organizations gauge their readiness for FedRAMP. 

The checklist can be found on page 15 of the GSA publication. We have reproduced the checklist here:

Source: - Guide to Understanding FedRAMP

In addition, the GSA IaaS Showstoppers and their identified key control with NIST 800-53A identifier can also be helpful in understanding your company's readiness.

GSA IAAS Showstoppers

1 Identification of Full Asset Inventory
2 2FA for Customer and Vendor at all levels consistent with IA2 and enhancement requirements
3 Secure Boundary (logical and physical for assets comprising the information system)
4 Detailed Assessment Test Cases
5 Detailed Control Statements that address all applicable system components
6 No High Risk Findings
7 Must meet requirements of the RFQ & Proposal
8 Assessment/Scans of Virtual Assets (including those provided to customers)
9 Identification of Customer Responsibilities
10 Authenticated testing using specialized testing tools for all or a representative subset of systems

GSA IAAS Key Controls

RA5 Quarterly OS, Web and DB testing (using specialized testing tools)  
RA5(9) / CA7(2) Annual Penetration Testing  
SA11(1) Code Analysis Report (submitted as part of initial package and w/ reauthorization actions)  
PS3/PS7 Background Investigations on all staff w/ access to Federal data  
CP6 Alternate Storage Site  
CP7 Alternate Processing Site  
CP8 Alternate Telecommunication Services  
CP9 Information System Backup (at least three (3) copied of system user-level and system-level backups  
CM2 Baseline Configuration and System Component Inventory (build stds for all assets/devices)  
CM6 Configuration Settings (using FedRAMP defined security configuration settings (e.g., CIS, USGCB, etc)  
CM8(3) Information System Component Inventory (automated tools to detect unauthorized devices & disables/alerts upon detection)  
SI2 Flaw Remediation (remediating High Risk in 30 days; Medium in 90 days)  
MP4 Media Storage – FIPS 140-2 encryption of data stored on digital media  
MP5 Media Transport – FIPS 140-2 encryption of digital media transported outside of controlled areas  
IR4/IR6 Incident Handling/Reporting consistent w/ Federal Incident handing/reporting guidelines  
IA2 (1) Identification and Authentication
(Organizational Users) – 2FA authentication for network access to privileged accounts.
For Vendor and Customers
IA2 (2) Identification and Authentication
(Organizational Users) – 2FA authentication for network access to non-privileged accounts.
For Vendor and Customers
IA2 (3) Identification and Authentication
(Organizational Users) – 2FA authentication for local access to privileged accounts.
For Vendor only; NA to Customers
IA7/SC13 Cryptographic Module Authentication – FIPS 140-2 validated crypto modules  
SC2 Application Partitioning – Separates user functionality (including user interface services) from information system management functionality  
SC4 Information in Shared Resources – prevent unauthorized and unintended information transfer via shared system resources  
SC7 Boundary Protection – Separate enclaves (DMZ/VLAN) for logical and physical devices/assets that makeup the authorization boundary  
SC8(1) Transmission Integrity – employs cryptographic mechanisms to recognize changes to information during transmission  
SC9(1) Transmission Confidentiality – employs cryptographic mechanisms to prevent unauthorized disclosure of information during transmission  

Coalfire has developed a series of Pre-Assessment packages to assist organizations better understand their readiness. The FedRAMP Pre-Assessment process will further discuss criteria that your organization will need to meet in order to go through a FedRAMP assessment.  The deliverables of this engagement result in a roadmap that your organization can follow to meet the criteria for FedRAMP.

Coalfire is engaged with 50% of the CSPs in the FedRAMP process and as a result we've gained a lot of efficiency in understanding an organization's readiness for the FedRAMP process.

All of these resources can help you and your organization determine where you are in the FedRAMP process.  

<< Go Back

Blog post currently doesn't have any comments.

Post Topics