FedRAMP 3PAO Services and NIST 800-53


ControlCase is a FedRAMP Third Party Assessment Organization (3PAO). The 3PAO status qualifies ControlCase to assist cloud providers in achieving FedRAMP compliance and verifies that ControlCase has the technical competence required by FedRAMP to assist cloud providers in achieving FedRAMP certification. FedRAMP-authorized cloud providers are then listed on the FedRAMP Marketplace.

NIST 800-53 is the information security standard used for both FISMA and FedRAMP; an overview of the standard follows the FedRAMP material below.

What is FedRAMP?

The United States Federal Risk and Authorization Management Program, known as FedRAMP, is one of the federal government’s most rigorous security compliance frameworks. It enables the federal government to accelerate the adoption of cloud computing by creating transparent standards and processes for security authorizations. FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies.

FedRAMP Entities:

1. Joint Authorization Board (JAB)
The JAB is the primary governance and decision-making body for FedRAMP. Its members are the chief information officers (CIOs) of the Department of Defense, the Department of Homeland Security, and the General Services Administration.

2. Program Management Office (PMO)
The PMO resides within the General Services Administration (GSA) and supports agencies and cloud service providers through the FedRAMP authorization process. The PMO also maintains a secure repository of FedRAMP authorizations so that security packages can be reused.

What is FedRAMP Marketplace?

The FedRAMP Marketplace is maintained by the FedRAMP Program Management Office (PMO). It serves as a database of Cloud Service Offerings (CSOs) that have achieved a FedRAMP designation and Accredited Auditors (known as 3PAOs) that can perform the FedRAMP assessment.

Who does FedRAMP Apply to?

Any cloud service that holds federal data must be FedRAMP Authorized.

FedRAMP prescribes the security requirements and processes cloud service providers must follow for the government to use their service.

How hard is it to get FedRAMP certified? How long does it take to get FedRAMP?

There are two types of FedRAMP authorizations: a Provisional Authority to Operate (P-ATO) from the Joint Authorization Board (JAB) and an Agency Authority to Operate (ATO).

1. PROVISIONAL AUTHORITY TO OPERATE (FedRAMP P-ATO)

  • Issued by the Joint Authorization Board.
  • Prioritizes authorizing cloud services that will be widely used across government.
  • CIOs of DoD, DHS and GSA must agree that the CSP meets all controls and presents an acceptable risk posture for use across the federal government.
  • Conveys a baseline level of likely acceptability for government-wide use.
  • CSPs must use an accredited Third-Party Assessor Organization (3PAO).
  • FedRAMP PMO manages continuous monitoring activities.

2. AGENCY AUTHORITY TO OPERATE (FedRAMP ATO)

  • Issued by the agency only.
  • Agencies have varying levels of risk acceptance.
  • The agency monitors the CSP's continuous monitoring activities.
  • Agencies typically use a 3PAO, such as ControlCase, to perform independent testing.

ControlCase Methodology for FedRAMP Compliance

As a 3PAO, ControlCase will independently verify and validate the control implementation and test results for your organization, the Cloud Service Provider (CSP), using a four-phase approach. Each phase has a specific set of tasks and deliverables that guide you, as the CSP, through the FedRAMP Joint Authorization Board (JAB) Provisional Authorization to Operate (P-ATO) process.

The methodology consists of the following phases:

ControlCase FedRAMP Methodology

Four Phases of Assessment Process:

Compliance validation is demonstrated and assessed in the following four progressive steps.

1. Readiness Assessment

ControlCase will perform a readiness assessment of your service offering, as required for your organization to achieve the “FedRAMP Ready” designation from the FedRAMP Program Management Office (PMO) and Joint Authorization Board (JAB).
Activities Included:

  • Perform the readiness assessment activities to include active validation of all information provided by the CSP on its service offering.
  • Deliver a Readiness Assessment Report (RAR) attesting to your Cloud Service Offering’s (CSO) readiness for the authorization process.

Deliverable:

Readiness Assessment Report (RAR) – ControlCase will prepare and submit the RAR utilizing the FedRAMP Readiness Assessment Report template. The RAR will be reviewed by the FedRAMP PMO to determine if the Cloud Service Offering (CSO) can be designated as “FedRAMP Ready” and advertised in the FedRAMP Marketplace.

2. Full Security Assessment

ControlCase will complete the full security assessment of the CSP’s Cloud Service Offering (CSO) based upon the System Security Plan (SSP) provided by the CSP.
Activities Included:

  • Develop the detailed Security Assessment Plan (SAP) based on the System Security Plan (SSP) provided at the start of this phase.
  • Conduct a full security assessment of the service offering to include detailed testing of all applicable controls documented in the SSP.
  • Document all results in a Security Assessment Report (SAR) as required by the FedRAMP PMO.
  • The CSP then develops a Plan of Actions and Milestones (POA&M) to track and manage system security risks identified in the SAR.
  • Work with the CSP to ensure the completed SSP, SAP, SAR and POA&M package meets the FedRAMP PMO requirements prior to entering Phase 3.

Deliverable:

Security Assessment Plan (SAP) – ControlCase will prepare and submit the SAP utilizing the FedRAMP Security Assessment Plan template. The SAP will define the processes, procedures, and methodologies used for our testing.

Security Assessment Report (SAR) – ControlCase will prepare and submit the SAR utilizing the FedRAMP Security Assessment Report Template for Annual Assessments. The SAR documents the results of the testing performed. The SAR will clearly identify what was tested and what was not tested as part of this assessment, especially for any non-applicable controls and inherited controls from leveraged systems, as may be applicable. The SAR includes the following components:

  • Test procedure workbooks (including detailed observations and evidence, implementation status, findings, and risk exposure information)
  • Vulnerability scan results (infrastructure, web application and database)
  • Penetration testing report.

3. Authorization Process

ControlCase will participate with the JAB, FedRAMP PMO and the CSP’s authorization team to review the CSP offering in detail and kick off the authorization process. ControlCase will assist the CSP in responding to any questions or comments from the FedRAMP PMO on the CSP offering package.
Activities Included:

  • Participate in the kick off meeting with the JAB, FedRAMP PMO and CSP.
  • Address any questions and comments from the JAB reviewers in a timely manner.
  • Participate in all regular meetings with the CSP, PMO and JAB Reviewers.
  • Remediate any documentation issues as needed to ensure all JAB Reviewer comments are addressed.
  • Support the CSP as they work to receive a P-ATO decision and formal authorization of their CSO from the FedRAMP PMO.

Deliverable:

Edits to the SAP and SAR as required and based on questions or comments from the JAB Reviewer.

4. Continuous Monitoring (Annual Security Assessment)

Continuous monitoring is a major part of the FedRAMP authorization process, and ControlCase will complete the annual security assessment based on the results of the control selection process. Our testing will utilize the FedRAMP Test Cases and the requirements specified in the FedRAMP Continuous Monitoring and Strategy Guide.
Activities Included:

  • Assess a defined subset of the security controls consisting of FedRAMP-selected core controls and CSP-selected controls according to the test cases provided by FedRAMP.
  • Validate the rationale provided by the CSP to exclude core controls that are not applicable or fully inherited by the CSO.
  • Evaluate continuous monitoring controls to verify that ongoing continuous monitoring activities are in place and have been occurring as described in the SSP.
  • Verify that no implementation gaps exist for any requirement of a control that is inherited from a leveraged system.
  • Evaluate all open POA&M items related to in-scope controls to ensure consistency with the SAR.
  • Confirm adequate resolution of any POA&M closures and continued applicability of any Deviation Requests.
  • Perform annual scans of web applications, databases, and operating systems. This includes onsite observation or other verification of results if the scans are performed by the CSP.
  • Perform penetration testing on the CSO.
  • Prepare deliverables in a format that cannot be altered.
  • Submit the assessment report to the Information System Security Officer (ISSO) before the CSP’s authorization anniversary date.

Deliverable:

Security Assessment Plan (SAP) – ControlCase will prepare and submit the SAP utilizing the FedRAMP Security Assessment Plan Template for Annual Assessments. The SAP will define the processes, procedures, and methodologies used for our testing.

Security Assessment Report (SAR) – ControlCase will prepare and submit the SAR utilizing the FedRAMP Security Assessment Report Template for Annual Assessments. The SAR documents the results of the testing performed. The SAR will clearly identify what was tested and what was not tested as part of this assessment, especially related to non-applicable controls and inherited controls from leveraged systems, as may be applicable. The SAR includes the following components:

  • Test procedure workbooks (including detailed observations and evidence, implementation status, findings, and risk exposure information).
  • Vulnerability scan results (infrastructure, web application and database).
  • Penetration testing report.

NIST 800-53 Overview

NIST 800-53 is published by the National Institute of Standards and Technology (NIST), which creates and promotes the standards federal agencies use to implement the Federal Information Security Management Act (FISMA) and to manage other programs designed to protect information and promote information security.

It is used as the information security standard for both FISMA and FedRAMP. The standard includes the following:

  • Standards for categorizing information and information systems by mission impact.
  • Standards for minimum security requirements for information and information systems.
  • Guidance for selecting appropriate security controls for information systems.
  • Guidance for assessing security controls in information systems and determining security control effectiveness.
  • Guidance for certifying and accrediting information systems.

NIST 800-53 defines three baseline control sets (low, medium and high); the applicable baseline is determined by the FIPS 199 categorization of the information system in scope. The Low baseline consists of 149 controls, Medium of 286 controls and High of 369 controls. The controls are spread across the 20 control families listed below.

ControlCase NIST 800-53 Readiness Assessment

ControlCase provides a readiness assessment to identify gaps and support the remediation effort required to meet NIST 800-53 requirements. The assessment covers the 20 control families and all controls (low, medium, or high) required by the FIPS 199 categorization of your IT systems. ControlCase delivers a Readiness Assessment Report identifying the control weaknesses that must be addressed for your organization to achieve compliance with NIST 800-53.

ControlCase NIST 800-53 Compliance Assessment

ControlCase performs a full NIST 800-53 audit of your environment covering the controls (low, medium or high) required by FIPS 199 and provides your organization with a report that documents the results of the assessment and clearly identifies what was tested and what was not tested. The report includes a Plan of Actions and Milestones (POA&M) to allow remediation of identified security control weaknesses.

The 20 NIST 800-53 control families:

  • Access Control (AC)
  • Awareness and Training (AT)
  • Audit and Accountability (AU)
  • Assessment, Authorization, and Monitoring (CA)
  • Configuration Management (CM)
  • Contingency Planning (CP)
  • Identification and Authentication (IA)
  • Incident Response (IR)
  • Maintenance (MA)
  • Media Protection (MP)
  • Physical and Environmental Protection (PE)
  • Planning (PL)
  • Program Management (PM)
  • Personnel Security (PS)
  • PII Processing and Transparency (PT)
  • Risk Assessment (RA)
  • System and Services Acquisition (SA)
  • System and Communications Protection (SC)
  • System and Information Integrity (SI)
  • Supply Chain Risk Management (SR)

Benefits to our approach include:

ADAPTABILITY
This approach is adaptable to most ticketing systems.
SIMPLICITY
This approach is repeatable.
TRANSPARENCY
Track progress against only applicable questions.
TRACKABILITY
Stay organized with assessor comments and date stamps.

© ControlCase LLC 2023 | Privacy Policy | Impartiality Statement | Legal Notices