
    FedRAMP Assessment

    KirkpatrickPrice will perform an audit of the moderate baseline controls using the FedRAMP security controls baseline. This will be an important step to ready any organization for the FedRAMP certification process.

    Overview

    FedRAMP is a Federal Government program to standardize how the Federal Information Security Management Act (FISMA) applies to cloud computing services. The FedRAMP program provides a standardized approach to security assessment, authorization, and continuous monitoring of cloud-based services. Leveraging FedRAMP-compliant security controls native to AWS cloud infrastructure simplifies the path to Authorization.

    Federal Agencies are required to assess and authorize information systems in accordance with FISMA. The FedRAMP SAF is compliant with FISMA and is based on NIST Special Publication 800-37. FedRAMP defines a set of controls for Low and Moderate security impact level systems based on NIST baseline controls (NIST SP 800-53, as revised) with a set of control enhancements that pertain to the unique security requirements of cloud computing.

    KirkpatrickPrice will perform an audit of the moderate baseline controls using the FedRAMP security controls baseline. The 20 control families comprising these controls are defined in FIPS Publication 200: Minimum Security Requirements for Federal Information and Information Systems and in NIST 800-53 r5, Security and Privacy Controls for Information Systems and Organizations.

    Scoping Exercise

    KirkpatrickPrice will perform a scoping exercise to help determine the authorization boundary. The authorization boundary establishes the clear demarcation between the system and its surrounding environment, including external systems, data sources, and users. Per FedRAMP requirements, this infrastructure information must be represented as a diagram, including the key components identified in this boundary description and any external dependencies. The flow of classified and unclassified data must also be documented as a diagram. The diagram will rely heavily on the services leveraged in the AWS GovCloud, and our experts hold AWS certifications such as Certified Cloud Practitioner, Solution Architect, and the Security Specialization.

    System Security Plan

    In this phase, KirkpatrickPrice will assist clients with completing an initial SSP draft. We will review the various sections of the SSP and assist clients with providing appropriate information based on scope. We will also review Appendix A to assess the current level of control implementation. For AWS users, services like EC2, EKS, CloudTrail, etc. allow the cloud service provider to reduce risk and responsibility by relying on the security capabilities native to AWS.

    Remediation Support & Assistance through 3PAO Audit

    KirkpatrickPrice will assist clients in remediating gaps identified in Phase 2. KirkpatrickPrice will also partner with the client's team during the 3PAO process and continue to advise through the FedRAMP Ready assessment.

    FedRAMP Assessment & Authorization

    Overview

    KirkpatrickPrice will engage a 3PAO partner to conduct a FedRAMP 3PAO assessment of the client’s cloud service offering. The 3PAO partner will serve as the independent 3PAO, whereas KirkpatrickPrice will serve as an advisor/consultant to the client. The 3PAO partner will provide the following audit services in support of the FedRAMP 3PAO Assessment:

    • Conduct the FedRAMP Assessment in accordance with the latest FedRAMP PMO guidance
      • Manual Control Testing
      • Vulnerability Scanning (Network/OS, AWS Infrastructure, Databases like RDS, and ECS/EKS Containers)
      • Penetration Testing (in accordance with defined FedRAMP attack paths)
    • Provide all respective FedRAMP documentation to the Authorizing Agency for review and finalization
    • FedRAMP Program/Meeting Support

    The scope of this assessment covers all 3PAO Partner-provided FedRAMP audit services in support of obtaining/maintaining a FedRAMP Authorization.

    KirkpatrickPrice will provide project management to align 3PAO partner resources for the FedRAMP assessment with KirkpatrickPrice resources conducting other audits. The Online Audit Manager will be the portal used for audit evidence collection.

    Highlights

    • KirkpatrickPrice has issued over 20,000 reports to 2,000 clients worldwide, giving them the assurance they deserve. By conducting every audit engagement with thorough, quality testing, KirkpatrickPrice delivers reports with results you can trust.
    • KirkpatrickPrice auditors have an average of 25+ years of experience and have worked in the field as CTOs, CISOs, CSOs, and more. They truly understand how hard an audit can be, and what makes it a valuable, worthwhile experience. Additionally, our refined audit delivery processes have been developed over 18 years to include SMEs, Client Success Managers, and Professional Report Writers.
    • The Online Audit Manager, the world’s first compliance platform, simplifies and streamlines your audit process by allowing you to prepare for and successfully complete an audit all in one place. The platform was developed by CPAs to help manage the audit process and connect you directly to an auditor throughout your compliance journey.

    Details

    Delivery method

    Deployed on AWS


    Pricing

    Custom pricing options

    Pricing is based on your specific requirements and eligibility. To get a custom quote for your needs, request a private offer.


    Legal

    Content disclaimer

    Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.

    Support

    Vendor support

    When you work with KirkpatrickPrice on any of your compliance efforts, you’re gaining a partner who truly cares about helping you achieve your security and compliance goals. You’ll work with an expert auditor, but you’ll also partner with a team of experts dedicated to your success. Your audit engagement team includes a Client Success Manager, Professional Writer, Information Security Associate, and of course an experienced Information Security Auditor.

    Additionally, the Online Audit Manager connects you directly to an information security expert who will work alongside you in the platform. You are able to instantly initiate a live chat with an expert whenever a question arises that you need a quick answer to.

    For support requests, connect with one of our experts by calling 800-770-2791 or visiting our website <www.kirkpatrickprice.com/contact/>.