Tailored expertise for every journey

Whether you’re navigating the initial steps of securing a system for authorization or have years of experience with an existing authorized solution, Coalfire Federal is your trusted partner to support your journey. As a leading FedRAMP third party assessment organization (3PAO), we help Cloud Service Providers (CSPs) take an efficient approach to obtaining or maintaining an Authorization to Operate (ATO).

Coalfire Federal specializes in FedRAMP and FISMA ATO services where the assessment is incorporated within a federal contract (e.g., a federally purchased solution with a 3PAO requirement) or where specific personnel screening, background check, and clearance requirements apply to vendor personnel. Coalfire Federal is one of few 3PAOs eligible to conduct Department of Defense (DoD) Impact Level 6 assessments.

WHY COALFIRE FEDERAL?

As a leading FedRAMP 3PAO, we bring unparalleled experience built on a portfolio of clients we have supported through their FedRAMP and FISMA journeys. Our team of seasoned professionals, certified assessors, and industry veterans understands the intricacies of these compliance program requirements and their impact on your system’s environment. We’ve guided numerous organizations through this rigorous process, ensuring smooth and efficient compliance.

  • Proven Track Record: Coalfire currently supports 100 authorized systems on the FedRAMP marketplace, with many traditional FISMA assessments completed as well. The authorizing officials for these completed assessments range from the FedRAMP Joint Authorization Board (JAB) to many individual agency ATOs.
  • Deep Understanding: Our team goes beyond technicalities. We possess a thorough grasp of the requirements and have extensive experience navigating requirements that are not well documented or defined by government standards.
  • Customized Roadmaps: Our collaborative, tailored approach is based on each client’s specific use cases, business limitations, and technical environment, which provides a clear understanding of the current security posture and enables us to offer guidance on a path forward.
  • Unwavering Commitment: We’re invested in your success. We collaborate closely with you throughout the entire process, providing ongoing support and guidance every step of the way.

Contact Coalfire Federal today. Let’s discuss your specific impact level needs and discover how Coalfire Federal can be your trusted partner on your FedRAMP journey.

Achieving FedRAMP authorization has historically required upward of $2 million and more than 2 years of time and energy. Leveraging the knowledge gained from providing audits and advisory services to more than 200 cloud service providers, we’ve built comprehensive solutions for every phase of the journey, allowing you to achieve authorization up to 80% faster.

“Coalfire Federal is responsible for conducting a 3PAO FedRAMP Audit for our Accenture Federal Services-Accenture Financials Cloud ERP (AFS-AFCE) solution SaaS offering. They have been performing the audit for us since 2011. Their team is knowledgeable, experienced in assessing the systems, and has been thoroughly professional and detail oriented from the planning stage to generating and submitting the Audit artifacts. Their thorough planning and a detailed schedule enabled us to be organized, resulting in our team being able to carry out all audit-related activities, from compilation and submission of artifacts to scheduling various activities like scan observations, Penetration tests, etc., in a timely manner to avoid any delays during the audit process. The team has also been helpful and provided proper guidance as needed to help improve the effectiveness of our security controls associated with the offering. Overall, it has been a very positive experience working with the Coalfire team and we are looking forward to working with the team again in the future.”

AFS FERC

BACKGROUND

The Federal Information Security Modernization Act (FISMA) of 2014 reforms and enhances the original 2002 FISMA legislation, which established a foundation of requirements to strengthen the security posture of information systems serving the federal government. When most agencies (and their vendors) discuss establishing “FISMA compliance,” they are usually referring to meeting the controls identified in NIST SP 800-53, “Security and Privacy Controls for Information Systems and Organizations.” The law is enforced through various processes described in Office of Management and Budget (OMB) Circular A-130, which establishes definitions, processes, and requirements for federal agencies to follow. FISMA (through A-130) requires agencies to follow guidance issued by NIST: FIPS 199 for impact-level categorization (low, moderate, or high-impact systems), FIPS 200 for minimum security requirements, NIST SP 800-53 for the selection and implementation of security controls based on the system impact level, and NIST SP 800-53A for assessing those controls. Control selection, implementation, and testing are where the rubber meets the road for many IT professionals responsible for “FISMA compliance,” especially when compliance is a prerequisite for receiving an authority to operate (ATO) from a government agency.

FedRAMP is a result of the “Cloud First” policy issued in Feb. 2011 (with more recent updates and enhancements) and the OMB memo “Security Authorization of Information Systems in Cloud Computing Environments,” which requires agencies to use FedRAMP authorized cloud services in an effort to reduce spending on underutilized IT infrastructure and to streamline IT procurement. The FedRAMP Authorization Act, signed into law in December 2022 as part of the FY2023 National Defense Authorization Act, codified the program as the authoritative standard for security assessment and authorization of cloud computing products and services that process unclassified federal information. The core purpose of FedRAMP is to provide a standard for Cloud Service Providers (CSPs) to comply with federal cybersecurity requirements, validate that they meet those requirements through an assessment by a FedRAMP third party assessment organization (3PAO), and obtain an authorization, either a JAB provisional ATO (P-ATO) or an agency ATO. Any commercial cloud vendor that provides cloud services to the federal government must achieve a FedRAMP authorization. FedRAMP is FISMA for the cloud: it inherits the NIST baseline of controls but is tailored for cloud environments. Like FISMA, FedRAMP follows guidance established in NIST SP 800-53. In addition, the FedRAMP Program Management Office (PMO) has developed and published additional security control requirements for implementation and testing as part of the FedRAMP program. These additional controls and the security test cases used in a FedRAMP security assessment can be found on FedRAMP.gov.

Serving the unique needs of the Department of Defense (DoD), FedRAMP+ leverages the FedRAMP baseline and adds specific security controls and requirements necessary to meet and assure DoD’s critical mission requirements. The DoD Cloud Computing Security Requirements Guide (CC SRG) was developed by the Defense Information Systems Agency (DISA) for DoD agencies and DoD Mission Owners. The “plus” in FedRAMP+ signifies the additional security requirements that DISA has built on top of what FedRAMP as a program establishes for a risk-based approach to standardizing the adoption and use of cloud services by the federal government. The SRG establishes Impact Levels 2, 4, 5 and 6 based on information sensitivity and security requirements. For CSPs with DoD customers, meeting the SRG requirements is a component of achieving a DoD Provisional Authorization (PA).