ControlCase is a FedRAMP Third Party Assessment Organization (3PAO). The 3PAO status qualifies ControlCase to assist cloud providers in achieving FedRAMP compliance and verifies that ControlCase has the technical competence required by FedRAMP to assist cloud providers in achieving FedRAMP certification. FedRAMP-authorized cloud providers are then listed on the FedRAMP Marketplace.
More on NIST 800-53, which is used as the information security standard for both FISMA and FedRAMP.
What is FedRAMP?
The United States Federal Risk and Authorization Management Program, known as FedRAMP, is one of the federal government’s most rigorous security compliance frameworks. It enables the federal government to accelerate the adoption of cloud computing by creating transparent standards and processes for security authorizations. FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies.
FedRAMP Entities:
1. Joint Authorization Board (JAB)
JAB is the primary governance and decision-making body for FedRAMP. Its members include the chief information officers (CIOs) from the Department of Defense, Department of Homeland Security, and General Services Administration.
2. Program Management Office (PMO)
Resides within GSA and supports agencies and cloud service providers through the FedRAMP authorization process. PMO also maintains a secure repository of FedRAMP authorizations to enable reuse of security packages.
What is FedRAMP Marketplace?
The FedRAMP Marketplace is maintained by the FedRAMP Program Management Office (PMO). It serves as a database of Cloud Service Offerings (CSOs) that have achieved a FedRAMP designation and Accredited Auditors (known as 3PAOs) that can perform the FedRAMP assessment.
ControlCase is a FedRAMP Third Party Assessment Organization (3PAO).
Who does FedRAMP Apply to?
Any cloud services that hold federal data must be FedRAMP Authorized.
FedRAMP prescribes the security requirements and processes cloud service providers must follow for the government to use their service.
How hard is it to get FedRAMP certified? How long does it take to get FedRAMP?
There are two types of FedRAMP authorizations: a Provisional Authority to Operate (P-ATO) from the Joint Authorization Board (JAB) and an Agency Authority to Operate (ATO).
1. PROVISIONAL AUTHORITY TO OPERATE (FedRAMP P-ATO)
- Issued by the Joint Authorization Board.
- Prioritizes authorizing cloud services that will be widely used across government.
- CIOs of DoD, DHS and GSA must agree that the CSP meets all controls and presents an acceptable risk posture for use across the federal government.
- Conveys a baseline level of likely acceptability for government-wide use.
- CSPs must use an accredited Third-Party Assessor Organization (3PAO).
- FedRAMP PMO manages continuous monitoring activities.
2. AGENCY AUTHORITY TO OPERATE (FedRAMP ATO)
- Issued by the agency only.
- Agencies have varying levels of risk acceptance.
- Agency monitors the CSPs continuous monitoring activities.
- Typically use a 3PAO, like ControlCase, to perform independent testing.
ControlCase Methodology for FedRAMP Compliance
As a 3PAO, ControlCase will independently verify and validate the control implementation and test results for your organization, the Cloud Service Provider (CSP), using a four phase approach. Each phase will have a specific set of tasks and deliverables required to guide you, as the CSP, through the FedRAMP Joint Authorization Board (JAB) Provisional Authorization to Operate (P-ATO) process.
The methodology consists of the following phases:
Four Phases of Assessment Process:
Compliance validation is demonstrated and assessed in following four progressive Steps.
| 1. Readiness Assessment | ControlCase will perform a readiness assessment of your service offering as required for your organization to achieve your “FedRAMP Ready” designation from the FedRAMP Program Management Office (PMO) and Joint Authorization Board (JAB). |
Activities Included:
Deliverable: Readiness Assessment Report (RAR) – ControlCase will prepare and submit the RAR utilizing the FedRAMP Readiness Assessment Report template. The RAR will be reviewed by the FedRAMP PMO to determine if the Cloud Service Offering (CSO) can be designated as “FedRAMP Ready” and advertised in the FedRAMP Marketplace. |
|
| 2. Full Security Assessment | ControlCase will complete the full security assessment of the CSP’s Cloud Service Offering (CSO) based upon the System Security Plan (SSP) provided by the CSP. |
Activities Included:
Deliverable: Security Assessment Plan (SAP) – ControlCase will prepare and submit the SAP utilizing the FedRAMP Security Assessment Plan template. The SAP will define the processes, procedures, and methodologies used for our testing. Security Assessment Report (SAR) – ControlCase will prepare and submit the SAR utilizing the FedRAMP Security Assessment Report Template for Annual Assessments. The SAR documents the results of the testing performed. The SAR will clearly identify what was tested and what was not tested as part of this assessment, especially for any non-applicable controls and inherited controls from leveraged systems, as may be applicable. The SAR includes the following components:
|
|
| 3. Authorization Process | ControlCase will participate with the JAB, FedRAMP PMO and CSP’s authorization team to review the CSP offering in detail to kick off the authorization process. ControlCase will assist the CSP in responding to any questions or comments from the FedRAMP PMO on the CSP offering package. |
Activities Included:
Deliverable: Edits to the SAP and SAR as required and based on questions or comments from the JAB Reviewer. |
|
| 4. Continuous Monitoring Annual Security Assessment | Continuous monitoring is a major part of the FedRAMP authorization process and ControlCase will complete the annual security assessment based on the results of the control selection process. Our testing will utilize the FedRAMP Test Cases and the requirements specified in the FedRAMP Continuous Monitoring and Strategy Guide. |
Activities Included:
Deliverable: Security Assessment Plan (SAP) – ControlCase will prepare and submit the SAP utilizing the FedRAMP Security Assessment Plan Template for Annual Assessments. The SAP will define the processes, procedures, and methodologies used for our testing. Security Assessment Report (SAR) – ControlCase will prepare and submit the SAR utilizing the FedRAMP Security Assessment Report Template for Annual Assessments. The SAR documents the results of the testing performed. The SAR will clearly identify what was tested and what was not tested as part of this assessment, especially related to non-applicable controls and inherited controls from leveraged systems as may be applicable. The SAR includes the following components:
|
NIST 800-53 Overview
The NIST 800-53 standard is a standard published by the National Institute of Standards and Technology (NIST), which creates and promotes the standards used by federal agencies to implement the Federal Information Security Management Act (FISMA) and manage other programs designed to protect information and promote information security.
It is used as the information security standard for both FISMA and FedRAMP. The standard includes the following:
- Standards for categorizing information and information systems by mission impact.
- Standards for minimum security requirements for information and information systems.
- Guidance for selecting appropriate security controls for information systems.
- Guidance for assessing security controls in information systems and determining security control effectiveness.
- Guidance for certifying and accrediting information systems.
NIST 800-53 consists of 3 sets of baseline control sets (low, medium and high) where the level is defined by the FIPS-199 categorization of the information system in scope. The NIST 800-53 Low consists of 149 controls, Medium consists of 286 controls and High consists of 369 controls. The controls are spread across these 20 control families.
ControlCase NIST 800-53 Readiness Assessment ControlCase provides the readiness assessment to identify gaps and help with remediation efforts required to meet NIST 800-53 requirements. The assessment includes a review of the 20 domains and all controls (low, medium, or high) required by the FIPS 199 categorization of your IT systems. ControlCase provides a Readiness Assessment Report to identify any control weaknesses that should be addressed allow your organization to achieve compliance with NIST 800-53. ControlCase NIST 800-53 Compliance Assessment Controlcase performs a full NIST 800-53 audit of your environment covering the controls (low, medium or high) required by FIPS 199 and provides your organization with a report that documents the results of the assessment and will clearly identify what was tested and what was not tested as part of the assessment. Included with the report is a Plan of Actions and Milestones (POA&M) to allow remediation of identified security control weaknesses.
| Access Control (AC) | Physical and Environmental Protection (PE) |
| Awareness and Training (AT) | Planning (PL) |
| Audit and Accountability (AU) | Program Management (PM) |
| Assessment, Authorization, and Monitoring (CA) | Personnel Security (PS) |
| Configuration Management (CM) | PII Processing and Transparency (PT) |
| Contingency Planning (CP) | Risk Assessment (RA) |
| Identification and Authentication (IA) | System and Services Acquisition (SA) |
| Incident Response (IR) | System and Communications Protection (SC) |
| Maintenance (MA) | System and Information Integrity (SI) |
| Media Protection (MP) | Supply Chain Risk Management (SR) |