fedramp-compliance

Linford & Company offers FedRAMP compliance certification (primarily known as FedRAMP authorization) services to help organizations ensure they are compliant with cloud security controls and requirements of the FedRAMP program.

FedRAMP OVERVIEW

Recognizing the benefits of cloud computing and the need to reduce federal IT expenditures, the federal government introduced the “Cloud First” policy with a primary focus for federal agencies to migrate to commercial cloud technologies where practical. With the migration to cloud services, a means for federal agencies to manage risk in the commercial cloud service provider (CSP) environments was needed. As a result, the Federal Risk and Authorization Management Program, or FedRAMP, was developed.

Through the implementation of a rigorous assessment framework, FedRAMP’s goal is to enable agencies to transition to secure and reliable cloud-based solutions. To provide cloud services to the federal government, CSPs must demonstrate compliance with the NIST 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations) and FedRAMP specific security controls. Compliance assessments are performed by Third Party Assessment Organizations (3PAO) accredited by the American Association for Laboratory Accreditation (A2LA).

FedRAMP ASSESSMENT SERVICES

Linford & Company, an accredited FedRAMP 3PAO, performs FedRAMP compliance assessments and certification services for Cloud Service Providers (CSP) seeking an Agency or Joint Authorization Board (JAB) Authorization to Operate (ATO). Such activities include (but are not limited to) the following:

  • Pre-assessment/gap analysis of a CSP’s readiness for the FedRAMP process to include boundary definition review, documentation review and high-priority control implementation reviews
  • Assessment planning and development of the Security Assessment Plan (SAP)
  • Assessment/testing execution against the NIST 800-53 controls and FedRAMP control enhancements
  • Assessment reporting and development of the final package for submission to the FedRAMP Program Management Office (PMO)/Federal Agencies (as applicable)
  • Continuous monitoring of the system after achieving an ATO

The assessment of FedRAMP security controls and the associated supporting documentation, policies & compliance procedures must be certified by an independent 3PAO assessor with a background and experience with the FedRAMP controls, the assessment processes and the ability to document compliance with the controls.

Linford & Company personnel have over 20 years of combined experience leading successful security engineering efforts for highly complex programs supporting the federal government. We have extensive experience documenting, engineering, testing and delivering systems to the federal government under the auspices of NIST 800-53 which forms the foundation of the FedRAMP control set. For additional information or to work with us in the FedRAMP process, please contact us.

WHY WOULD YOUR ORGANIZATION WANT A FedRAMP COMPLIANCE ASSESSMENT?

Your organization may have completed other security assessments (e.g. SOC, PCI), but you will find that a FedRAMP compliance assessment will be unique when compared to the other assessment methodologies or frameworks. FedRAMP compliance assessments are very extensive and look across the entire spectrum of people, processes and technology for your cloud environment. It requires hundreds of pages of detailed documentation and a continued commitment to maintaining the control environment through a rigorous continuous monitoring effort.

So why would you want to commit your organization to such a difficult task? One important reason is that it significantly expands the market for your cloud service. FedRAMP compliance assessments and certifications are designed as a “do once, use multiple times” process. Once your organization obtains an Authorization to Operate (ATO) through a federal agency (or the Joint Authorization Board), this authorization can be leveraged by additional federal agencies, thus allowing your cloud service to be marketed across the wide spectrum of federal agencies.

Schedule a Consultation