Javascript is currently disabled. This site requires Javascript to function correctly. Please enable Javascript in your browser!

Cloud Services / FedRAMP Compliance Assessment

FedRAMP Compliance Assessment

Login

FedRAMP Compliance Assessment

FedRAMP uses a conformity assessment process to ensure that cloud computing services and systems offered by Cloud Service Providers (CSP) meet specified security requirements.  The objective of this assessment is to determine FedRAMP compliance of the IaaS / PaaS / SaaS and federal agency system accreditation boundary.  The assessment is a comprehensive review of existing security program documentation consisting of plans, polices and SOP’s, validation of security architecture, the assessment of infrastructure components (vulnerability / penetration testing) and security control testing (Interviews / Examinations / Testing).  This assessment is conducted in accordance with the Federal Cloud Computing Initiative (FCCI) guidelines and NIST / FIPS publications.

Security Assessment Plan

Develop the assessment plan for the service model or federal agency system accreditation boundary: (Apply FCCI Template)

  • Apply FCCI Template
  • Define Security Assessment Test Cases
  • Define Assessment Strategy
  • Define Stakeholders (Interviews)
  • Define Hardware / Software / OS Inventory
  • Define Architecture Boundary
  • Define Artifacts / Supporting for Review
  • Establish Testing Techniques
  • Define Testing Tools; Web / DB / OS / VM
  • Define Penetration Schedule

Architecture Review / Compliance

The cloud computing service model and/or federal agency system accreditation boundary shall be evaluated for:

  • Accuracy of Hardware / Software inventory
  • Cloud Security Alliance "Top Threats"
  • Implementation of SC-7 Boundary Protection
  • Implementation of IA-2 User Identification and Authentication Multi-Factor Authentication
  • Implementation of SI-4 Information System Monitoring Tools & Techniques (SI-4)

Security Program Documentation

FedRAMP has defined twenty-four (24) system-required documents and NIST has defined seventeen (17) security policies.  This assessment consists of, and is based on, the security categorization rating of the cloud computing service model:

  • Formalization of Information System Security Officer (ISSO)
  • Completion of FedRAMP required security authorization documentation
  • Evaluation/Compliance review of 17 security policies - NIST SP 800-53 Rev 3

Note 1: Approved FCCI security program templates (Plans / Policies) shall be provided.

Note 2: Detailed Control Statements that address all applicable system components.

Security Control Testing

FCCI created seventeen (17) assessment test case workbooks that must be completed by the 3PAO (Independent Assessor), during initial and periodic assessments of the CSP, as-well-as federal agency systems.  Our security control tester shall conduct Interview, Examine artifacts and conduct testing in accordance with NIST SP 800-53A Revision 1 (Latest Revision), using the FCCI templates on the following control families:

AC     CP     PS     IA      RA     CA

AU     IR      SA     MA     SC     CM

CA     PE     AT     PL     SI

  • Apply the FCCI approved test case workbooks on the selected control families.
  • Conduct Interviews (I) with selected stakeholders.
  • Perform Examination (E) as defined in the assessment test case workbook.
  • Perform Testing (T) on the system for verification of control implementation description.
  • Collect evidential artifacts to support control implementation status

Note 1: The 3PAO must provide detailed Assessment Test Cases.

Plan of Action & Milestone (POA&M)

The POA&M is an artifact in the security authorization package, submitted by the CSP, to the Joint Authorization Board (JAB), for a provisional Authority to Operate (ATO) decision.  The results from the vulnerability scans and/or penetration test, along with the assessment test case workbook, shall be used to create/update the POA&M.

Security Assessment Report (SAR)

The SAR is assembled using the FCCI template and must reflect the risks identified from:

  • 17 Assessment Test Cases
  • Vulnerability Scans
  • Penetration Test Report
  • Existing / Updated POA&M

Penetration Testing & Vulnerability Scanning

The Operating Systems (OS), Web, Database (DB) and Virtual Machine (VM) environments, for the cloud computing service model, must be assessed using FCCI approved software tools.  An agreed upon percentage of system components will be Scanned using:

  • Operating Systems (OS) / VM - Nessus
  • Web – Acunetix
  • Database - AppDetective
  • Database – Manual GSA Checklist

Note 1: All assets/devices, or a representative sample within the boundary must be assessed.

Note 2: No High Risk Findings (Scan Results – OS / Web / Database).

Note 3: Penetration testing is required for the FedRAMP assessment.

Asset 1
The polymerization Tibetan and Chinese, skeletal effects and replica watches sale absorption capacity has been added, it is a multi-skilled in their women's fake rolex I was producing alternative. Throughout the rolex replica uk year of planning, you can make women achieve absolute artistic brilliance, TAG Heuer replica watches, you are worried about the rolex replica sale and uncompromising. Here there are a lot of fake tag heuer are gems markings, along with tag heuer replica monitoring allocation of rolex replica sale competing submarine. This is a good time to accompany shop rolex replica and their full range of Internet. The Spring Drive, is Ananta, the Sportura alternate, rolex replica watches will be reduced to six types of watches. In addition, skills competition Saturday night, actor rolex replica sale all black ninja, California's first family, Maria Shriver, Arnold Schwarzenegger and daughter, and his cute little wearing Harry Connick clothes is sitting next to the child.