Updated FedRAMP Readiness Assessment Report Guide for 3PAOs – a Summary
Is a Cloud Service Provider (CSP) ready to undergo the extensive FedRAMP authorization process? That’s what the FedRAMP Readiness Assessment Report (RAR) intends to find out.
A Third Party Assessment Organization (3PAO) will leverage the RAR to document and validate a CSP’s full implementation of the technical capabilities required to meet FedRAMP security requirements. Let’s take a look at what’s involved in a FedRAMP Readiness Assessment and the steps outlined in the updated FedRAMP RAR guide.
What Does a FedRAMP Readiness Assessment Entail?
Completing a RAR requires a 3PAO, such as A-LIGN, to:
- Confirm full implementation of the Cloud Service Offering’s (CSO) technical capabilities
- Understand how a CSO works and operates
- Validate what is implemented within the CSO
- Understand the key functionalities of the CSO and document the RAR in a way that is comprehensible by agency customers that may not have a strong technical background
- Verify that the stated authorization boundary of the CSO and the data flows within the system are practical, secure, and logical
While a Readiness Assessment is intended to determine a CSO’s readiness to achieve FedRAMP authorization, it does not guarantee it. CSPs can use the process as an opportunity to discover and remediate any deficiencies in a CSO’s capabilities, as well.
The RAR must specifically, clearly, and succinctly provide an overview of the system as well as a subjective summary of a CSO’s overall readiness. This includes rationale such as notable strengths and other areas for consideration. The 3PAO should answer RAR requirements and questions, stating what they found (observations and evidence) during their review, and, most importantly, how they determined whether a CSP adequately addresses the question area.
In a thorough 19-page document, FedRAMP provided updated guidance as well as templates for 3PAOs evaluating CSPs for readiness. Below, you’ll find a summary of the 12 steps 3PAOs should follow when preparing a RAR as outlined in the new guidance.
1. Validate the Authorization Boundary
Assessing any CSO for readiness begins by determining whether the offering has a clearly defined and maintainable authorization boundary. It falls on 3PAOs to perform full authorization boundary validation to ensure nothing is missing from the CSP identified boundary, and all included items are present and part of the system boundary.
This step also extends to the need for 3PAOs to conduct a discovery scan. This is intended to identify the operating systems running on the network and map them to IP addresses, identify open ports and services, and gather rudimentary information on the targeted hosts.
2. Identify All Data Flows and Stores Within and Throughout the Authorization Boundary
A 3PAO must validate the data flow diagrams (DFDs) and provide a written description of the data flows. Each DFD must be high resolution, reflect the same components as the authorization boundary diagram, and explicitly identify every location where federal data and metadata are in relation to the 3PAO system authorization boundary.
3. Determine Leveraged FedRAMP Authorizations
For a FedRAMP-leveraged CSO, a 3PAO must provide the specific details regarding this relationship. The leveraged offering must be listed on the FedRAMP Marketplace with a status of Authorized (not FedRAMP Ready or In Process). An Authorized status can only be achieved upon approval of a full assessment package by the Joint Authorization Board (JAB) or the Project Management Office (PMO). If a 3PAO is assessing a SaaS then it must ensure that subscriptions to underlying services (IaaS, PaaS) are accurately documented.
4. Determine External and Corporate Systems and Services
Within the RAR, a 3PAO must indicate a CSP’s connections to external systems and services, including corporate systems and services that are not part of the authorization boundary. It must divulge the use of third-party providers and external services/systems lacking FedRAMP authorization at the time of RAR completion. The 3PAO will also need to provide a mini analysis of the external leveraged services in the RAR and their risks.
5. Application Programming Interfaces (APIs)
While they are connections, APIs have their own category within the RAR. 3PAOs must identify each API a CSO uses.
6. Assess and Describe the Strength of the Physical and/or Logical Separation Measures within the System
A 3PAO must make an assessment of physical and/or logical separation measures based on very strong evidence, such as the review of any existing penetration testing results, or an expert review of the products, architecture, and configurations. In the absence of a penetration test, a 3PAO must provide a rationale for being able to prove that there is adequate segregation of tenants and data. 3PAOs must also analyze all border devices to ensure they provide appropriate segregation from other systems, and describe the methods used to verify the strength of separation.
7. Ensure Federal Mandates Are Met
3PAOs assessing Moderate and High baseline systems must ensure six federal mandates are met.
- Are FIPS 140-2 Validated cryptographic modules (IAW SC-13) consistently used everywhere cryptography is required? This includes all SC-8, SC-8(1), and SC-28 required encryption.
- Does the system fully support user authentication via Agency Common Access Card (CAC) or Personal Identity Verification (PIV) credentials?
- Is the system operating at Digital Identity Level 3?
- Can the CSP consistently remediate High vulnerabilities within 30 days, Moderate vulnerabilities within 90 days, and Low vulnerabilities within 180 days?
- Do the CSP and system meet Federal Records Management Requirements, including the ability to support record holds, National Archives and Records Administration (NARA) requirements, and Freedom of Information Act (FOIA) requirements?
- Does the system’s external DNS solution support DNS Security Extensions (DNSSEC) to provide origin authentication and integrity verification assurances?
The answer must be “yes” for all six questions before submitting the RAR.
8. Ensure DNSSEC Is in Place
It is incumbent upon the 3PAO to verify that the external authoritative DNS server replies with valid Domain Name System Security Extensions (DNSSEC) responses. Additionally, any external domain used to access a CSO must be verified as registered with a DNSSEC signature. The authoritative server is signed by the Top-Level Domain server, which is in turn signed by the root server. The entire signature chain will be checked by the recursive server, so any broken signature breaks the whole chain.
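As an added example that is not part of the A-LIGN post or FedRAMP's guide: a small checker that interprets the output of `dig +dnssec` for a domain and reports whether a validating recursive resolver accepted the signature chain described above (AD flag set, RRSIG records present, no SERVFAIL), plus a helper that walks the root, TLD, and zone links and reports the first broken one. The sample `dig` outputs are constructed for the example and do not come from any real zone; the resolver address in `query_dnssec` and the function names are assumptions.

```python
import re
import subprocess
from dataclasses import dataclass

# Constructed sample outputs in the layout `dig +dnssec <name> A` prints.
# They are illustrative only (not captured from real zones); RRSIG payloads are shortened.
SIGNED_ANSWER = """\
; <<>> DiG 9.18.0 <<>> +dnssec example.gov A
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.gov.\t\t300\tIN\tA\t192.0.2.10
example.gov.\t\t300\tIN\tRRSIG\tA 8 2 300 20240101000000 20231201000000 12345 example.gov. MEUCIQDexample==

;; Query time: 12 msec
"""

UNSIGNED_ANSWER = """\
; <<>> DiG 9.18.0 <<>> +dnssec unsigned.example A
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
unsigned.example.\t\t300\tIN\tA\t192.0.2.20

;; Query time: 9 msec
"""

# A validating resolver answers SERVFAIL when a signature in the chain fails to verify.
BOGUS_ANSWER = """\
; <<>> DiG 9.18.0 <<>> +dnssec broken.example A
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; Query time: 31 msec
"""


@dataclass
class DnssecResult:
    status: str          # rcode from the header line, e.g. NOERROR or SERVFAIL
    ad_flag: bool        # resolver asserted the answer was authenticated
    rrsig_present: bool  # answer carried signatures (the DO bit was honoured)

    @property
    def validated(self) -> bool:
        return self.status == "NOERROR" and self.ad_flag and self.rrsig_present


def parse_dig_output(text: str) -> DnssecResult:
    """Extract rcode, header flags and RRSIG presence from dig's text output."""
    status_match = re.search(r"status: (\w+)", text)
    status = status_match.group(1) if status_match else "UNKNOWN"

    flags_match = re.search(r"^;; flags: ([a-z ]*);", text, re.MULTILINE)
    flags = set(flags_match.group(1).split()) if flags_match else set()

    rrsig_present = False
    in_answer = False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line.strip():
                break  # blank line ends the section
            fields = line.split()  # layout: name ttl class type rdata...
            if len(fields) >= 4 and fields[3] == "RRSIG":
                rrsig_present = True
    return DnssecResult(status=status, ad_flag="ad" in flags, rrsig_present=rrsig_present)


def first_broken_link(chain):
    """Walk the trust chain root -> TLD -> zone; each entry is (zone, signature_verified).
    Returns the first zone whose signature did not verify, or None if the chain is intact.
    One failed link fails validation for every zone below it."""
    for zone, verified in chain:
        if not verified:
            return zone
    return None


def query_dnssec(name: str, resolver: str = "9.9.9.9") -> DnssecResult:
    """Live check (needs network; not exercised offline). The resolver address is an
    assumption: the AD flag only means something when the resolver validates itself."""
    completed = subprocess.run(
        ["dig", f"@{resolver}", "+dnssec", name, "A"],
        capture_output=True, text=True, check=False,
    )
    return parse_dig_output(completed.stdout)


if __name__ == "__main__":
    for label, sample in (("signed", SIGNED_ANSWER), ("unsigned", UNSIGNED_ANSWER), ("bogus", BOGUS_ANSWER)):
        print(label, parse_dig_output(sample).validated)
    print("first broken link:", first_broken_link([(".", True), ("gov.", False), ("example.gov.", True)]))
```

The AD flag is set by the recursive resolver, not by the authoritative server, so the check is only meaningful against a resolver known to validate; querying the authoritative server directly with `+dnssec` shows whether RRSIGs are served but says nothing about whether the chain from the root verifies.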
9. Verify FIPS 140-2 Validated Encryption within and throughout the System Boundary
For FIPS 140-2 validated encryption, all Moderate and High-level federal data and metadata must be encrypted, both data at rest (DAR) and data in transit (DIT), within and throughout the system boundary. CSPs or vendors using FIPS 140-2 validated modules are required to have a certified security policy stating how their products must be used to ensure their security.
10. Assess Security Capabilities Sections
3PAOs must conduct assessments of several of the system’s technical, management, and operational capabilities via a combination of interviews, observations, demonstrations, examinations, and on-site visits. The assessment must be based on an accurate authorization boundary diagram (ABD) and DFD and should not rely on a CSP’s written documentation and interviews.
11. Complete Executive Summary and Ensure Alignment with Entire Document
The Executive Summary must contain a number of items, including overall alignment with the NIST definition of cloud computing and a self-service portal. This document should also note whether the CSP is pursuing a JAB P-ATO or an Agency ATO, while highlighting the CSP’s strengths and weaknesses. The Executive Summary also asks that 3PAOs describe risks associated with interconnections and with the external systems and services that are not FedRAMP Authorized. Organizations should be sure their final Executive Summary is exact, concise, easily understood, and free of any marketing content that promotes their products or services.
12. Complete Each Security Control Capability Statement to Include the 3PAO Test Methodology
To successfully complete a RAR, 3PAOs must complete each security control capability statement in every section of the RAR, and convey the capability, supporting evidence, and any missing elements. The capability cannot simply be copied and pasted from the System Security Plan (SSP); it must be a fully addressed question, after which the 3PAO should indicate how they interviewed, examined, and/or observed the capability in place. Throughout the security control capability statements, we suggest 3PAOs only answer “yes” if the answer is consistently “yes.” Partially implemented areas should be answered “no” with a description of what is missing to achieve a “yes.”
A-LIGN Can Help
Does the FedRAMP certification process seem overwhelming? A-LIGN can help by making the process seamless. As a top five FedRAMP assessor, we understand the FedRAMP journey from readiness to authorization.
Get in touch with us to learn how we can guide you to authorization.