Aaron Hamlin, cybersecurity consulting practice leader at BARR Advisory, spoke alongside a panel of fellow FedRAMP experts in a webinar this week breaking down the process that cloud service providers (CSPs) must complete to achieve FedRAMP authorization—from gap analysis to formal assessment by a Third-Party Assessment Organization (3PAO) and beyond.
Speaking alongside 360 Advanced’s Steve Bjarnason, David Brosi, and Kris Francis on Wednesday, Hamlin said the FedRAMP journey starts at the executive level. It’s imperative to have “buy-in and support from executive leaders who are responsible for the investments related to what the [FedRAMP] journey will be and [make] sure that they understand that it is a journey,” he said.
Francis, who serves as senior compliance executive at 360 Advanced, agreed. “In the market, FedRAMP is known for being a large, complex project,” he said. “If we don’t have executive buy-in, it is very likely that the process will not be funded.”
According to Hamlin, gaining executive buy-in requires compliance leaders to “really articulate what the investment looks like. And to be able to do that, we have to get really clear on scope.”
Nailing down the scope of the engagement first requires CSPs to understand their FedRAMP impact level. “There are three predominant levels: low, moderate, and high,” Hamlin explained. “That informs the number of controls and the rigor of those controls that a cloud service provider would be implicated to for their cloud service offering.”
Hamlin said CSPs should look at the components of the systems they plan to sell against standards outlined in NIST SP 800-60 Vol. 2 Rev. 1 to develop a “collective, confident assessment” of their scope and impact level.
“There’s no better team to define the impact level…than the cloud service providers themselves, because they are the experts of their systems,” Hamlin said.
While “the government has the ultimate say in what the impact level is of their use case of the product,” Hamlin said it’s important for relevant scoping exercises “to be done internally, that way the cloud service provider has a confident, informed perspective that they can sit at that table and speak to with the government. At least, that conversation is able to happen.”
Francis noted that “the agency sponsor is required to even go down this path, and that really is what I could call step one” in the FedRAMP process.
For CSPs, working in lockstep with the sponsoring agency and the 3PAO is key for success when navigating FedRAMP. During the webinar, Bjarnason, technical services manager at 360 Advanced, explained what a 3PAO is looking for when the audit kicks off.
“As a 3PAO, coming in, the main thing that we need to see is the system security plan [SSP]. That’s where you’re either going to explicitly or by reference describe all of the controls that are in the scope, how they are implemented, how they are monitored—everything about them, really,” Bjarnason said. “There is FedRAMP guidance around how to develop diagrams of the system that will pass their review.” Templates are available for other documentation that is required throughout the authorization process, he said.
CSPs should expect to share with their 3PAO their policies, procedures, plans, and documentation related to developing, managing, and monitoring their systems. “Usually, companies struggle with the diagrams and the SSP,” but there will always be new items on a CSP’s plan of action and milestones (POA&M) to complete, Bjarnason noted. “Whether it prevents you from authorization is another thing.”
Bjarnason also emphasized the importance of continuous monitoring to achieve and sustain FedRAMP authorization.
“You have to have a continuous monitoring strategy, there’s a document around that,” Bjarnason said. “If you haven’t been practicing this ahead of time, that will be evident.”
“Getting everything in place is one thing. Being able to show that you actually do it is another,” Brosi, practice leader at 360 Advanced, said. CSPs should be “practicing and maintaining that level of hygiene around monitoring of your controls, making sure that they’re in place, [and] making sure that you can prove they’ve been in place not just at a point of time but also over a period of time.”
For CSPs just starting out on their FedRAMP journeys, completing a gap assessment prior to the 3PAO audit helps make for a more predictable audit and authorization process.
“I would prefer that the gap assessment be performed as far in advance as reasonably possible,” Hamlin said. “The quicker that you can understand what those gaps are, the more you can breathe and the more strategic you can be in your decision-making.”
“Collaboration with the firm you hire to implement, such as BARR, and the firm you hire to do the 3PAO assessment, like 360 Advanced, and with the PMO [FedRAMP Program Management Office] and with the sponsoring agency—it’s really imperative to the success of this,” Francis said. “It will be so much smoother if we’re all on the same page and marching in the same direction.”
To hear the full discussion, watch the webinar now on-demand.
The BARR team has more than a decade of experience supporting CSPs through the complexities of FedRAMP readiness, authorization, and continuous monitoring. Contact us today to learn more.