Summary Q2-2024

FedRAMP process

  • Initiate: the agency checks whether the CSP has an existing ATO from the JAB or another agency. If yes, it asks for the SA&A package for review; if no, it initiates a request to tell the FedRAMP PMO whether the CSP will be pursuing an agency ATO or a JAB ATO
  • Apply: the CSP applies to the FedRAMP PMO to become FedRAMP compliant, or can be sponsored by an agency to become FedRAMP compliant
  • Implement: the CSP implements the FedRAMP baseline security controls in accordance with its system categorization
  • Document: the CSP develops an SSP to document the controls, along with the CMP, CP and CP Test
  • Assess
    • Categorize the system
    • 3PAO creates a Security Assessment Plan
    • 3PAO performs initial and periodic assessments of the CSP's security controls
    • 3PAO conducts security tests and produces a Security Assessment Report and POAM
  • Authorize: the agency reviews the SA&A package (SAR, POAM and SSP) and either issues an ATO or an Interim ATO, denies an ATO, or leverages an existing ATO from the JAB (Agency ATO or JAB ATO)
  • Monitor
    • Agency and PMO staff periodically review the continuous monitoring artifacts available in the FedRAMP secure repository
    • The CSP makes continuous monitoring artifacts available in the FedRAMP secure repository
  • Report: agencies report CSPs that they believe cannot meet FedRAMP requirements
  • Main FedRAMP page http://cloud.cio.gov/fedramp
  • A cloud system can only be categorized as Moderate or Low
  • All templates are provided on the main FedRAMP page

FedRAMP and RMF: Short Version

Complete Version

RMF                    FedRAMP    Artifacts                                            Responsibility
N/A                    Initiate   SA&A package                                         Agency (review package)
N/A                    Apply      Request form                                         Agency or Cloud Service Provider (CSP)
Categorization         Implement  FIPS 199, RAR, PTA, PIA, SORN and E-Authentication   Third Party Assessor Organization (3PAO)
Control Selection      Implement  Security control baseline                            Third Party Assessor Organization (3PAO)
Implementation         Document   SSP, CMP, CP, and CP Test                            Cloud Service Provider (CSP)
Assessment             Assess     SAP, ST&E, and SAR                                   Third Party Assessor Organization (3PAO)
Authorization          Authorize  POAM and ATO                                         Joint Authorization Board (JAB) or Agency
Continuous Monitoring  Monitor    POAM, SSP, and SAR                                   JAB (review package), Agency (review package) and CSP (provide package)
N/A                    Report     N/A                                                  Agency
Summary Q2-2024 – SmartThink LLC

Summary Q1-2024

  • The following artifacts/deliverables are developed in this phase
    • System Security Plan (SSP)-Most important document
    • Configuration Management Plan (CMP)
    • Contingency Plan (CP)
    • Contingency Plan Test (CPT)
  • The implementation and creation of the relevant artifacts for this phase is normally the responsibility of the system owner
  • A C&A analyst might be asked to assist in developing the artifacts (the C&A analyst collects information from the system owner or system Point of Contact (POC) and incorporates it into the existing templates)
  • NIST Publications
    • SP 800-18: Guide for developing the SSP
    • SP 800-53: NIST recommended security controls
    • FIPS 200: Minimum controls
    • SP 800-128: Guide for configuration management
    • SP 800-70: National Checklist Program for IT products
    • SP 800-34: Guide for contingency planning
    • SP 800-84: Guide to Test, Training, and Exercise Programs
    • SP 800-47: Interconnecting information technology systems