General (6)
In this position the first step would be to find a 3PAO to complete a readiness assessment and subsequent audit …
If you are a cloud service provider and interested in obtaining work from the Government, they will only accept contracts from those companies who have successfully completed their FedRAMP certification.
Per the FedRAMP.gov the goals of FedRAMP are to:
- Accelerate the adoption of secure cloud solutions through reuse of assessments and authorizations
- Increase confidence in security of cloud solutions
- Achieve consistent security authorizations using a baseline set of agreed upon standards and accredited independent third party assessment organizations
- Ensure consistent application of existing security practices Increase confidence in security assessments
- Increase confidence in security assessments
- Increase automation and near real-time data for continuous monitoring
Yes, FedRAMP is a security framework developed by the Federal Government along with industry professionals to align requirements for cloud service providers with that of the NIST framework. SOC 1 / SOC 2 are reports performed and issued under the SSAE 16 and AT 101 guidance, respectively, and developed by the AICPA and applicable to all third party service providers, rather than just cloud based.
A FedRAMP audit can be a costly project for an organization with the risks and the benefits weighed carefully. Engagement fees are based upon the readiness of the organization along with the scope of the audit and services provided.
A company should be prepared to pay a bare minimum of $15,000 for a comprehensive audit, but, could range upwards of $150,000 or more as audit time and complexity increases along with company size.
No, the audit can be performed by any accredited 3rd party accredited Third Party Assessment Organization (3PAO) of your choosing. The Federal Government defined the framework and the requirements, but, has privatized the accreditation process to qualified audit firms, where the only interaction with the Government may be providing them the report.
Control Objectives (3)
The Access Control (AC) objective is based around the policies and procedures in place at a 3pao to limit access to various resources within the environment to appropriate individuals. Below is a list of the various activities that are required to be implemented to address and mitigate access control related risks.
- Access Control Policy and Procedures
- Account Management
- Access Enforcement
- Information Flow Enforcement
- Separation of Duties
- Least Privilege
- Unsuccessful Login Attempts
- System Use Notification
- Concurrent Session Control
- Session Lock
- Permitted Actions Without Identification/ Authentication
- Security Attributes
- Remote Access
- Wireless Access
- Access Control for Mobile Devices
- Use of External Information Systems
- Publicly Accessible Content
The Awareness and Training (AT) objective is based around the policies and procedures in place at a 3pao to properly inform employees of security risks and provide the appropriate training to identify and mitigate the common issues that put organizations at risk. Additionally, the controls assist in providing sufficient audit evidence and also being able to hold employees accountable for their actions.
- Security Awareness and Training Policy and Procedures
- Security Awareness
- Security Training
- Security Training Records
The goal of the Audit and Accountability (AU) objective is to ensure there are sufficient controls in place to provide auditable evidence for system transactions and that key records are available for a sufficient amount of time. This way if the system crashes, hacked, or someone fat fingers an entry, there are ways to recover data, and traceback and rollback changes.
- Audit and Accountability Policy and Procedures
- Auditable Events
- Content of Audit Records
- Audit Storage Capacity
- Response to Audit Processing Failures
- Audit Review, Analysis, and Reporting
- Audit Reduction and Report Generation
- Time Stamps
- Protection of Audit Information
- Non-Repudiation
- Audit Record Retention
- Audit Generation