FedRAMP
We have extensive experience working with Cloud Service Providers (CSPs) through the full FedRAMP authorization process – from consulting on preliminary readiness and conducting gap assessments, to supporting the full documentation development required to earn your FedRAMP authorization, through the ongoing continuous monitoring, POA&M, Significant Change Request (SCR), and annual update stages. See below for the full range of FedRAMP Advisory Services available with Landers and Company.
FedRAMP Advisory: FedRAMP Low, Low Tailored, Moderate, High, and FedRAMP+ (DoD IL4, IL5, IL6)
- Rev 5 Uplift
- We have already worked with CSPs to update their documentation to meet the requirements for the updated FedRAMP security controls baseline, in alignment with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, Revision 5 (Rev 5)
- L&C has already completed a thorough analysis of all updates to controls, language, and other changes that came with the transition to Rev 5
- We are ready with updated templates, questionnaires, guidance, and lessons learned to share with you to complete a Rev 5 uplift
- Have you already started the process of seeking a FedRAMP authorization but did not complete the effort prior to the implementation of Rev 5? We’re ready to help.
- Are you working to update your documentation for an existing authorization to comply with the updated Rev 5 controls and templates? Contact us.
- Advisory/Assessment
- We would be happy to schedule a free initial consultation to help assess your level of readiness for FedRAMP, and to answer questions you might have about the process and the ways L&C can help.
- Gap Assessments
- Do you have a commercial cloud service offering that you would like to sell to the Federal Government or DoD? If you are thinking about seeking a FedRAMP Joint Authorization Board (JAB) or Agency Authorization, we can help. Whether you have started developing or modifying existing documentation to meet FedRAMP standards or not, our team of experts can help you determine where you currently stand, assess what level of effort will be needed to achieve compliance, and help you establish a roadmap to meet your goals.
- Our approach will ensure you have a path to success by:
- Identifying areas for improvement in documentation and recommending the development of new or modified documentation
- Highlighting key FedRAMP security controls and requirements that must be implemented or corrected prior to beginning the FedRAMP authorization process
- Conducting authorization boundary and architecture reviews to ensure the system is capable of achieving a FedRAMP authorization or to identify changes that will be required
REV 5 TRANSITION
Contact us to request a free consultation to help you learn more about what Rev 5 means for your CSP, whether you have a prior authorization for your Cloud Service Offering (CSO), or you are seeking your first FedRAMP authorization.
L&C has already completed an analysis of all the Rev 5 changes, and is ready to provide updated templates, questionnaires, and guidance to support you through the process.
- Documentation Development
- L&C has created streamlined questionnaires that allow our team to gather key information from your team in support of documentation development. Our approach allows your team to review and provide responses at their convenience, reducing the number of meetings needed for information gathering. Our experience has taught us that this approach helps to reduce the time and effort required of your internal experts, and it allows L&C to jumpstart the project.
- L&C will guide you through the full documentation process, ultimately working with your team to create all the required documents. We will not send you templates and ask you to complete them with little to no support. Our goal is to provide a fully compliant authorization package with minimal impact on your teams.
- Our team can help with the required FedRAMP CSP documentation, including the System Security Plan (SSP) and the majority of the required attachments, including the following:
- Federal Information Processing Standards (FIPS) 199 Security Categorization
- Digital Identity Worksheet
- System Security Policies and Procedures
- Privacy Threshold Analysis (PTA) and Privacy Impact Analysis (PIA)
- Rules of Behavior (RoB)
- Information System Contingency Plan (ISCP)
- Configuration Management Plan (CMP)
- Incident Response Plan (IRP)
- Control Implementation Summary (CIS) Worksheet
- Customer Responsibility Matrix (CRM) Worksheet
- Separation of Duties (SoD) Matrix
- Related Acronyms
- Specific Laws and Regulations
- Supply Chain Risk Management Plan
- Continuous Monitoring Plan
- Documentation Review
- L&C is often engaged to update and improve documentation that has already been created in support of a FedRAMP authorization package. Our goal is to provide the highest quality documentation the first time around. In addition to our team of seasoned experts, we have a proven process that includes quality assurance along the way.
- Have you created or paid for an organization to create documentation that does not meet FedRAMP standards?
- Have you stalled out on the creation of the documentation due to limited capacity and/or expertise on your internal team?
- Have you underestimated the number of changes you may need to make to fulfill all the required controls?
- We can help with all of these needs to ensure your documentation is completed accurately and efficiently.
- In need of an annual update? Not a problem. We can perform annual reviews and updates to your documentation to ensure that you are up-to-date and ready for your annual assessment. This can include all service and tool changes, as well as any significant changes your system has undergone over the past year.
- Ongoing Maintenance of ATO
L&C can support your ongoing maintenance efforts required to sustain your Authority to Operate (ATO), including the following:
- Significant Change Requests (SCRs)
- After first receiving your ATO, there is typically quite a bit for your teams to catch up on, including ongoing work to improve your product and expand your services. Along with standard maintenance and release schedules, you will reach a point where a significant change* is needed. Our team can support the analysis required to complete the FedRAMP Significant Change Request Form and coordinate the required testing needed to obtain approval.
- *As defined in NIST SP 800-37, “A significant change is defined as a change that is likely to substantively affect the security or privacy posture of a system.”
- Service Onboarding
- CSPs commonly need to expand their service offerings as they adapt to the market, but at what cost? FedRAMP now has specific guidance related to service onboarding. Contact us to find out how you might be able to benefit from this program.
- Impact Level Uplifts
- Do you need to upgrade to the next impact level? As your business grows, typically so do your clients’ needs. We have assisted customers in moving from FedRAMP Low to Moderate, or Moderate to High baselines, as well as going down the DoD SRG path should your customers include any branch of the DoD. We can help with the many minor changes, in addition to the added security controls, that you will need to implement and address during the impact level uplift process.
- Audit Support
- 3PAO (Third Party Assessment Organization) audits can be a grueling and time-consuming process – especially when you are pursuing your initial authorization or when your team is busy managing and/or building out the system. We can help guide you through the 3PAO audit experience, all the while making sure to minimize findings and save you time and money on rush remediation activities. Here are some of the ways we can support the audit process:
Continuous Monitoring
Once Cloud Service Providers (CSPs) have successfully attained a FedRAMP P-ATO, or Agency ATO, the next step is the Continuous Monitoring phase of the FedRAMP Security Assessment Framework. While often overlooked or not properly planned for, Continuous Monitoring must start the moment an ATO is issued and, realistically, should already be in place months prior to the initial assessment. L&C will help to ensure that you establish and maintain compliance in accordance with Federal laws and regulations and FedRAMP requirements.
We offer a variety of support levels to meet your needs. The following services can be applied to establish a comprehensive continuous monitoring program or to support existing staff:
- Vulnerability and Inventory Management
- Vulnerability Scanning
- Scan Analysis to verify compliance with the FedRAMP Vulnerability Scanning Requirements Guide
- Target Scope (100% coverage required)
- Vulnerability Checks Enabled
- Authentication and permissions
- Vulnerability Analysis and remediation planning
- Plan of Action and Milestones (POA&M) Management
- Document all valid security control and vulnerability scanning-related weaknesses at least monthly
- Monitor and track remediation to ensure compliance with the FedRAMP Continuous Monitoring Performance Management Guide
- Evaluate all vulnerabilities for applicability, risk adjustments, false positives, vendor dependencies and operational requirements
- ConMon Reporting (Due Monthly to FedRAMP JAB/Agency AO)
- Executive ConMon Summary
- Vulnerability Scans (including machine-readable output)
- System Inventory
- Deviation Requests
- Collect evidence for operational requirements and false positives
- Document justifications for all deviations, including risk adjustments
- Ongoing security control monitoring to ensure security measures remain effective
- Identifying the latest security alerts and advisories and developing mitigation strategies
- Monitoring configuration change control processes to ensure compliance with your Configuration Management Policy, Procedures, and Plan
CONTINUOUS MONITORING
Did you know that you must perform vulnerability scans on all infrastructure components, such as servers and network devices, all databases, all containers, all web applications, and all APIs within your system environment, at least monthly? Here are some key items to remember when establishing your vulnerability scanning policies:
- You are now required to run configuration compliance scans against DoD STIG baselines on a monthly basis
- All non-destructive vulnerability checks (plugins, QIDs, etc.) must be selected for each scan
- All scans must be performed with authentication using privileged credentials. It is fairly common to see scans that appear to be running correctly with few findings; however, upon further review, the scans were not fully authenticated using a privileged account.
- All assets must be scanned (unless you have express approval from FedRAMP to use a sampling methodology)
- Remediation for findings must occur within the following timeframes:
- 30 days for all high or critical findings
- 90 days for all moderate findings
- 180 days for all low findings
- All vulnerability risk ratings must be reported using the Common Vulnerability Scoring System (CVSS) Version 3 scores
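The scanning rules above (100% asset coverage, authenticated scans, and the 30/90/180-day remediation windows by severity) are the items a ConMon analyst checks every month before the deliverables go to the AO. The following is an added example, not a Landers and Company tool or a FedRAMP-provided script: it applies those rules to a constructed scan export. The asset names, plugin identifiers, dates, and the mapping of CVSS v3 base scores to severity bands (critical 9.0+, high 7.0+, moderate 4.0+, low below that) are assumptions for illustration.

```python
"""
Added example (not Landers and Company tooling): a minimal FedRAMP ConMon
pre-check over constructed scan results. It applies the remediation
timeframes listed on this page (30/90/180 days), verifies 100% inventory
coverage, and flags assets whose scans were not authenticated. Sample data,
field names and severity bands are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation windows from the FedRAMP ConMon guidance quoted on this page.
SLA_DAYS = {"critical": 30, "high": 30, "moderate": 90, "low": 180}


def severity_from_cvss(score: float) -> str:
    """Map a CVSS v3 base score to the severity used for the SLA.

    Assumption: the scanner's own rating is not available in the export, so
    the severity is derived from the CVSS v3 qualitative rating bands.
    """
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "moderate"
    return "low"


@dataclass
class Finding:
    asset: str
    plugin_id: str          # scanner check identifier (plugin ID / QID)
    cvss_v3: float
    first_detected: date
    authenticated: bool     # was the scan run with privileged credentials?
    status: str = "open"    # open | closed | deviation_approved


def remediation_due(f: Finding) -> date:
    """Date by which the finding must be closed under the FedRAMP SLA."""
    return f.first_detected + timedelta(days=SLA_DAYS[severity_from_cvss(f.cvss_v3)])


def overdue_findings(findings, as_of: date):
    """Return (finding, days_overdue) for open findings past their SLA."""
    late = []
    for f in findings:
        if f.status != "open":
            continue  # closed items and approved deviations are not late
        days = (as_of - remediation_due(f)).days
        if days > 0:
            late.append((f, days))
    return late


def coverage_gaps(inventory, findings):
    """Inventory assets with no scan result at all (100% coverage is required)."""
    scanned = {f.asset for f in findings}
    return sorted(set(inventory) - scanned)


def unauthenticated_assets(findings):
    """Assets whose scans ran without privileged credentials."""
    return sorted({f.asset for f in findings if not f.authenticated})


# Constructed sample data: four inventory assets, four scan findings.
INVENTORY = ["web-01", "web-02", "db-01", "api-gw-01"]
FINDINGS = [
    Finding("web-01", "plugin-1001", 9.8, date(2024, 3, 1), True),
    Finding("web-02", "plugin-1002", 5.3, date(2024, 1, 10), True),
    Finding("db-01", "plugin-1003", 2.1, date(2023, 9, 1), False),
    Finding("web-01", "plugin-1004", 7.5, date(2024, 3, 20), True, "deviation_approved"),
]
AS_OF = date(2024, 4, 15)  # reporting date for this month's ConMon package


def conmon_report(inventory, findings, as_of: date) -> dict:
    """Summarise the three checks for the monthly executive summary."""
    return {
        "overdue": [(f.asset, f.plugin_id, severity_from_cvss(f.cvss_v3), days)
                    for f, days in overdue_findings(findings, as_of)],
        "coverage_gaps": coverage_gaps(inventory, findings),
        "unauthenticated": unauthenticated_assets(findings),
    }


if __name__ == "__main__":
    for key, value in conmon_report(INVENTORY, FINDINGS, AS_OF).items():
        print(f"{key}: {value}")
```

On the constructed data the report lists three overdue items (the critical finding on web-01 by 15 days, the moderate on web-02 by 6, and the low on db-01 by 47), one inventory asset with no scan result (api-gw-01), and one asset scanned without privileged credentials (db-01); the approved deviation on web-01 is correctly excluded from the overdue list.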
DISA/DOD IL4, 5, 6
Landers and Company provides support to Cloud Service Providers (CSPs) as they go through the Defense Information Systems Agency (DISA) cloud computing security authorization process. Our experts provide guidance to CSPs on how to meet the requirements of the Cloud Computing (CC) Security Requirements Guide (SRG), in order to provide their Cloud Service Offering (CSO) to the Department of Defense (DoD). This program, known as FedRAMP+, outlines specific requirements beyond the FedRAMP requirements in order for CSOs to be used by the DoD.
L&C can guide you through the DoD authorization process by providing any of the following:
- Gap Analysis to determine what additional cybersecurity controls and safeguards must be implemented to meet FedRAMP+ requirements
- Advisory consulting for either existing FedRAMP-authorized CSOs or for CSPs seeking FedRAMP+ authorization
- Completion of the majority of the required documentation
- Support with continuous monitoring
- Preparation for penetration tests, assessments, vulnerability scans, and incident response
- Rev. 5 Uplift - Updates needed for security packages in order to comply with the updated Rev. 5 requirements
StateRAMP
For Cloud Service Providers (CSPs) with primarily state and local government customers, L&C also has experience supporting the StateRAMP process.
StateRAMP adopts policies and procedures to standardize the security requirements for Cloud Service Providers (CSPs), then ensures Cloud Service Offerings (CSOs) utilized by state and local governments satisfy those security requirements through independent audits and continuous monitoring.
Landers and Company can support your StateRAMP journey with any of the following services:
- Gap Analysis to help you determine what additional cybersecurity controls and safeguards you may need to implement prior to meeting the StateRAMP requirements
- Completion of all required documentation
- Advisory consulting as you transition through the StateRAMP statuses of Ready, Provisional, and Authorized
- Support with continuous monitoring
- Preparation for penetration tests, assessments, vulnerability scans, and incident response
- Rev. 5 Uplift - Updates needed for security packages in order to comply with the updated Rev. 5 requirements
Updated StateRAMP Standards
Did you know StateRAMP has selected the NIST 800-53, Rev. 5 framework as the foundation for all StateRAMP standards? L&C has completed a thorough analysis of all Rev. 5 changes and has updated templates and questionnaires available to support you with any Rev. 5-related requirements and updates.
Contact us to learn more, or to request a free consultation
Cybersecurity Maturity Model Certification (CMMC)
The Department of Defense (DoD) developed CMMC 2.0, a new security requirements framework that will be implemented through contracts with DoD contractors that handle sensitive, unclassified DoD information. This certification is designed to validate the security posture of DoD suppliers to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). While these requirements may continue to evolve, DoD suppliers and vendors should be planning for compliance now.
L&C provides advisory consulting for CMMC, including helping to define the CMMC/CUI boundary as well as the development of documentation to support the effort. Contact us for help with any of the following:
- CMMC advisory consulting
- Help to define the CMMC/CUI boundary
- Support documentation development
When the DoD implemented the CMMC 2.0 program, there were three key changes introduced as refinements from the original (CMMC Model 1.0) program requirements, including the following:
- Streamlined & Aligned Model: the updated CMMC Model 2.0 now includes three (3) compliance levels (as opposed to five (5) levels in CMMC Model 1.0), which are aligned with National Institute of Standards and Technology (NIST) cybersecurity standards.
- Reliable & Reduced-Cost Assessments: in the updated 2.0 model, some companies (depending on the compliance level appropriate for their type and sensitivity of information) may complete self-assessments to demonstrate compliance, and the model increased oversight of standards for third-party assessors.
- Flexible Implementation: some companies may now make Plans of Action & Milestones (POA&Ms) to achieve the initial certification, and there are additional circumstances under which the government is now allowed to waive the inclusion of CMMC requirements.
The CMMC Model 2.0 - announced in November 2021 - is the next iteration of the DoD's CMMC cybersecurity model. Key elements of the CMMC 2.0 program include the following details for the three (3) tier model:
- Level 3:
- The model includes 110+ requirements based on NIST SP 800-171 and NIST SP 800-172; as new versions of these documents are developed and released, suppliers will be expected to meet these changes as well
- Requires triennial government-led assessments and annual affirmations
- Level 2:
- The model includes 110 requirements aligned with NIST SP 800-171
- Requires triennial third-party assessments and annual affirmations. Some programs allow triennial self-assessments, in addition to annual affirmations
- Level 1:
- Model includes 15 requirements
- Requires an annual self-assessment and annual affirmations
CMMC CERTIFICATION
Landers and Company can help you with all stages of the CMMC Certification process, including:
- CMMC advisory consulting
- Gap Analysis
- Determination of the CMMC/CUI boundary
- Development of a full documentation package
- Development of the System Security Plan (SSP)
- Development of a Plan of Action & Milestones (POA&M)
Contact us to learn more about our services, or to request a free consultation as you embark on the CMMC certification process.