FedRAMP uses a conformity assessment process to ensure that cloud computing services and systems offered by Cloud Service Providers (CSPs) meet specified security requirements. The objective of this assessment is to determine the FedRAMP compliance of the IaaS / PaaS / SaaS offering and the federal agency system accreditation boundary. The assessment is a comprehensive review of existing security program documentation (plans, policies and SOPs), validation of the security architecture, assessment of infrastructure components (vulnerability / penetration testing) and security control testing (Interviews / Examinations / Testing). The assessment is conducted in accordance with FedRAMP guidelines and NIST / FIPS publications.
Architecture Review / Compliance
The cloud computing service model and/or federal agency system accreditation boundary shall be evaluated for:
- Accuracy of Hardware / Software inventory
- Cloud Security Alliance “Top Threats”
- Implementation of SC-7 Boundary Protection
- Implementation of IA-2 User Identification and Authentication Multi-Factor Authentication
- Implementation of SI-4 Information System Monitoring Tools & Techniques
Security Program Documentation
FedRAMP has defined twenty-four (24) system-required documents and NIST has defined seventeen (17) security policies. The documentation review is scoped by the security categorization rating of the cloud computing service model and consists of:
- Formalization of Information System Security Officer (ISSO)
- Completion of FedRAMP required security authorization documentation
- Evaluation/Compliance review of 17 security policies – NIST SP 800-53 Rev 3
Note 1: Approved FedRAMP security program templates (Plans / Policies) shall be provided.
Note 2: Detailed control statements shall address all applicable system components.
Plan of Action & Milestones (POA&M)
The POA&M is an artifact in the security authorization package submitted by the CSP to the Joint Authorization Board (JAB) for a provisional Authority to Operate (ATO) decision. The results of the vulnerability scans and/or penetration test, together with the assessment test case workbook, shall be used to create or update the POA&M.
Security Assessment Report (SAR)
The SAR is assembled using the FedRAMP template and must reflect the risks identified from:
- 17 Assessment Test Cases
- Vulnerability Scans
- Penetration Test Report
- Existing / Updated POA&M
Security Control Testing
FedRAMP created seventeen (17) assessment test case workbooks that must be completed by the 3PAO (Independent Assessor) during initial and periodic assessments of the CSP, as well as of federal agency systems. Our security control tester(s) shall conduct interviews, examine artifacts and perform testing in accordance with NIST SP 800-53A Revision X (Latest Revision), using the FedRAMP templates, on the following control families:
AC, CP, PS, IA, RA, CA, AU, IR, SA, MA, SC, CM, CA, PE, AT, PL, SI
- Apply the FedRAMP approved Security Test Case Procedure Workbook (STCPW) on the selected control families.
- Conduct Interviews (I) with selected stakeholders.
- Perform Examination (E) as defined in the STCPW.
- Perform Testing (T) on the system to verify the control implementation description.
- Collect evidential artifacts to support the control implementation status.
Note 1: The 3PAO must provide detailed Assessment Test Cases.
Security Assessment Plan (SAP)
Develop the assessment plan for the service model or federal agency system accreditation boundary:
- Apply FedRAMP Template
- Define Security Assessment Test Cases
- Define Assessment Strategy
- Define Stakeholders (Interviews)
- Define Hardware / Software / OS Inventory
- Define Architecture Boundary
- Define Artifacts / Supporting Documentation for Review
- Establish Testing Techniques
- Define Testing Tools; Web / DB / OS / VM
- Define Penetration Schedule
Penetration Testing (PenTest) & Vulnerability Scanning
The Operating System (OS), Web, Database (DB) and Virtual Machine (VM) environments of the cloud computing service model must be assessed using FedRAMP-approved software tools. An agreed-upon percentage of system components will be scanned using:
- Operating Systems (OS) / VM – Nessus
- Web – Acunetix
- Database – AppDetective
Note 1: All assets/devices within the boundary, or a representative sample of them, must be assessed.
Note 2: Scan results (OS / Web / Database) must contain no High Risk findings.
Note 3: Penetration testing is required for the FedRAMP assessment.