FedRAMP uses a conformity assessment process to ensure that cloud computing services and systems offered by Cloud Service Providers (CSPs) meet specified security requirements. The objective of this assessment is to determine the FedRAMP compliance of the IaaS / PaaS / SaaS offering through reviews of existing security program documentation, validation of the security architecture, and assessment of infrastructure components and security controls. The assessment is conducted in accordance with the Federal Cloud Computing Initiative (FCCI) guidelines and NIST / FIPS publications.
Pre-FedRAMP Assessment Work Products
The JD Biggs Independent Assessment (IA) team conducts a series of workshops with selected stakeholders. Each workshop examines specific control families, plans, policies, scans of the accreditation boundary, and penetration test results. The IA team analyzes the results from each workshop in order to produce a strategy / road-map document.
Roadmap – FedRAMP Compliance:
The road-map document is a strategy for achieving FedRAMP compliance in accordance with current FCCI guidelines, federal mandates, publications issued by the Office of Management and Budget (OMB), NIST publications, and FIPS publications. It is based on the review and analysis of, and recommendations on, current architecture improvements, security program documentation and policy updates, penetration testing and vulnerability scanning results, security control testing workbooks, and the POA&M.
Penetration Testing & Vulnerability Scanning:
The results (raw scan data) from each of the tools for the selected environments shall be provided to key stakeholders for mitigation actions. Individual scan result briefings shall be conducted with each of the responsible system administrators and with senior management and/or executive staff.
Security Control Testing:
Security control test case workbooks containing the results from interviews, examination of artifacts, and testing of the functional security requirements, as defined by FCCI, NIST, and FIPS, shall be provided to selected stakeholders. Designated stakeholders are responsible for implementing the required mitigation activities.
Plan of Action & Milestones (POA&M):
The current FCCI-issued POA&M template shall be applied to capture identified risks, document mitigation actions, and track corrective actions performed by the selected stakeholders.