FedRAMP® ATO

Tailored Expertise for Every Journey

Whether you’re navigating the initial steps of securing a system for authorization or have years of experience with an existing authorized solution, Coalfire Federal is your trusted partner to support your journey.  As a leading FedRAMP third party assessment organization (3PAO), we help Cloud Service Providers (CSPs) with an efficient approach toward obtaining or maintaining an Authorization to Operate (ATO).

Specializing in FedRAMP® and FISMA ATO Services

FedRAMP® and DoD Assessment Services

Coalfire Federal is an authorized third-party assessment organization (3PAO) providing the following assessment services to CSPs, whether they are preparing to enter initial authorization or are already authorized and require continuous monitoring services.


Gap Assessment

In the beginning stages of a CSP's journey toward ATO, the gap assessment addresses the following objectives:

  • Provides education on the compliance requirements, stakeholders, and our direct experience supporting other CSPs in the process. 
  • Reviews every applicable security control to evaluate implementation maturity and validates the system authorization boundary. 
  • Identifies gaps in compliance and security control requirements.

Readiness Assessment

The Readiness Assessment addresses the FedRAMP® and DoD-specific requirements that apply early in the process, before an initial authorizing agency has been secured, and demonstrates that the CSP is meeting the critical controls of the applicable framework. The readiness assessment is performed by a 3PAO and addresses the following objectives:

  • Provides a federal agency or the DoD with a summary of control implementation details and cloud service offering (CSO) maturity.
  • For FedRAMP®, a successful readiness assessment allows the CSP to be listed on the FedRAMP Marketplace, which helps the CSP identify an initial agency sponsor.

Initial Assessment

A 3PAO conducts the initial assessment according to the latest assessment requirements set by FedRAMP®, the DoD, and NIST SP 800-53 (with the assessment procedures of NIST SP 800-53A). The assessment is composed of the following components and is documented in the Security Assessment Report (SAR):

  • Security control assessment against the applicable NIST SP 800-53 baseline.
  • Validation of compliance and vulnerability scanning tool implementation and reporting.
  • Performance of a FedRAMP Penetration Test.

Continuous Monitoring

The NIST Risk Management Framework (RMF) requires an organization to maintain ongoing situational awareness of the security and privacy posture of the system and the organization in order to support risk management decisions. The following requirements must be met:

  • A 3PAO conducts an annual assessment according to the applicable requirements.
  • The CSP is responsible for ensuring that its Continuous Monitoring Plan is implemented, including routine activities such as POA&M updates, monthly vulnerability scanning, and the tasks associated with maintaining security control implementations.

FedRAMP® Advisory Services

Coalfire Federal’s advisory services are led by industry experts and backed by the largest FedRAMP provider (combined advisory and assessment clients).


Gap Analysis

Our gap analysis draws on the insight and experience of one of the largest 3PAOs and helps CSPs understand the critical requirements before proceeding with more comprehensive documentation development. The gap analysis achieves the following objectives:

  • Provides education on the compliance requirements, stakeholders, and our direct experience supporting other CSPs in the process.
  • Reviews critical security controls to evaluate implementation maturity and validates the system authorization boundary.
  • Identifies gaps in compliance and security control requirements and provides a roadmap and recommendations before proceeding with further preparation.

System Security Plan (SSP) Development

The System Security Plan (SSP) consists of the plan itself together with its required attachments. The following objectives are accomplished through this service:

  • Establishes a clear system authorization boundary.
  • Documents all system interconnections and dependencies.
  • Identifies the use of cryptography and how it meets federal standards.
  • Thoroughly documents security control implementations.
  • Supports creation of applicable SSP attachments. 

Policy Development

Each NIST SP 800-53 control family begins with a "-1" control (for example, AC-1 for Access Control) that requires the organization to create, implement, and enforce a policy and procedures describing how the family's controls are to be satisfied. Our policy development services use industry best practices to ensure policies are compliant and can withstand the scrutiny of a 3PAO assessment. Policy development can be customized to address current gaps and may include one or more of the following (not an exhaustive list):

  • Configuration Management Plan
  • Incident Response Plan
  • Contingency Plan
  • Supply Chain Risk Management Plan

"Coalfire Federal is responsible for conducting a 3PAO FedRAMP® Audit for our Accenture Federal Services-Accenture Financials Cloud ERP (AFS-AFCE) solution SaaS offering. They have been performing the audit for us since 2011. Their team is knowledgeable, experienced in assessing the systems, and has been thoroughly professional and detail-oriented from the planning stage to generating and submitting the audit artifacts."

AFS FERC

Frequently Asked Questions

Please note that this FAQ is a summary and should be used in conjunction with the official FedRAMP documentation for precise guidance and compliance instructions.

What is FedRAMP?

FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

What is FISMA?

The Federal Information Security Modernization Act (FISMA) of 2014 reformed and enhanced the original 2002 FISMA legislation, which established a foundation of requirements to strengthen the security posture of information systems serving the federal government. When most agencies (and their vendors) discuss establishing "FISMA compliance," they are usually referring to meeting the controls identified in NIST SP 800-53, "Security and Privacy Controls for Information Systems and Organizations." The law is enforced through the processes described in Office of Management and Budget (OMB) Circular A-130, which establishes definitions, processes, and requirements for federal agencies to follow. Through A-130, FISMA directs agencies to NIST standards and guidance: FIPS 199 for impact-level categorization (low-, moderate-, or high-impact systems), FIPS 200 for minimum security requirements, NIST SP 800-53 for the selection and implementation of security controls based on the system impact level, and NIST SP 800-53A for assessing those controls. Control selection, implementation, and testing are where the rubber meets the road for many IT professionals responsible for "FISMA compliance," especially when compliance is a prerequisite for receiving an authority to operate (ATO) from a government agency.

Why was FedRAMP created, and how does it relate to FISMA?

FedRAMP grew out of the "Cloud First" policy issued in February 2011 (since updated and expanded) and the OMB memo "Security Authorization of Information Systems in Cloud Computing Environments," which requires agencies to use FedRAMP-authorized cloud services in an effort to reduce spending on underutilized IT infrastructure and to streamline IT procurement. The FedRAMP Authorization Act, signed into law in December 2022 as part of the FY2023 National Defense Authorization Act, codified the program as the authoritative standard for security assessment and authorization of cloud computing products and services that process unclassified federal information. The core purpose of FedRAMP is to give Cloud Service Providers (CSPs) one standard for complying with federal cybersecurity requirements, to validate that those requirements are met through an independent FedRAMP third party assessment organization (3PAO), and to obtain a FedRAMP authorization (an agency ATO or a provisional ATO, P-ATO) that other agencies can reuse. Any commercial cloud vendor that provides cloud services to the federal government must achieve a FedRAMP authorization. FedRAMP is FISMA for the cloud: it inherits the NIST baseline of controls but tailors it for cloud services. Like FISMA, FedRAMP follows the guidance established in NIST SP 800-53. In addition, the FedRAMP Program Management Office (PMO) has developed and published additional security control requirements and parameter values for implementation and testing as part of the FedRAMP program. These additional controls and the security test cases for a FedRAMP security assessment can be found on FedRAMP.gov.

What is FedRAMP+?

Serving the unique needs of the Department of Defense (DoD), FedRAMP+ leverages the FedRAMP baseline and adds the security controls and requirements necessary to assure DoD's critical mission requirements. The DoD Cloud Computing Security Requirements Guide (SRG) was developed by the Defense Information Systems Agency (DISA) for DoD agencies and DoD Mission Owners. The "plus" in FedRAMP+ signifies the additional security requirements that DISA has built on top of what the FedRAMP program establishes for a risk-based, standardized approach to the adoption and use of cloud services by the federal government. The SRG establishes Impact Levels 2, 4, 5, and 6 based on information sensitivity and security requirements. For CSPs with DoD customers, meeting the SRG requirements is a component of achieving a DoD Provisional Authorization (PA).

Why is FedRAMP important?

FedRAMP ensures that cloud service providers (CSPs) meet a consistent, rigorous set of federal security standards, allowing federal agencies to securely adopt cloud-based solutions and to reuse one another's authorizations.

What is the difference between a gap assessment and a readiness assessment?

A gap assessment identifies the areas where a CSP is not yet compliant with FedRAMP or FISMA requirements, while a readiness assessment determines whether a CSP is prepared to proceed to an initial assessment.

What does an initial assessment include?

An initial assessment includes a security control assessment against the applicable NIST SP 800-53 baseline, validation of the compliance and vulnerability scanning tools, and a penetration test.

What is continuous monitoring?

Continuous monitoring is the ongoing process of ensuring that an authorized system remains compliant with FedRAMP or FISMA requirements, including the annual 3PAO assessment and the CSP's routine scanning and POA&M activities.

What is a System Security Plan (SSP)?

An SSP is the document that defines a system's authorization boundary and describes its security controls and how they are implemented.

What is policy development?

Policy development involves creating and implementing the policies and procedures that describe how security controls are to be satisfied by the organization.

Resources

FedRAMP and FISMA compliance can be complex. Explore our resources to learn more, find expert guidance, and achieve compliance.

Protect the Mission. Demonstrate FedRAMP Excellence.

As a FedRAMP® 3PAO, we have extensive experience guiding organizations through FedRAMP® and FISMA compliance. Our team understands the intricacies of these programs and will ensure a smooth process.
