FedRAMP: The Definitive Guide

FedRAMP was designed to provide a standardized security framework for organizations providing cloud services to Federal entities.

We all have a role to play in our nation’s security. As cyber threats become more common and disruptive, having a robust Federal cybersecurity stack is more important than ever, and it requires collaboration among multiple providers. Attaining FedRAMP compliance doesn’t just position you to win more bids; it helps defend the integrity of our nation’s digital infrastructure.

FedRAMP might be right for you if:
You manage or store data for US-based customers and business partners.
Your organization stores, processes and transmits federal information in the cloud.
Your organization is currently serving, or seeking to serve, cloud products or solutions to a federal agency.
Your organization wants to establish confidence in the security of its services beyond federal agencies.
Your organization hosts Federal systems, or hosting them is a primary focus of your growth strategy.

Key Benefits of FedRAMP Certification
Improved trustworthiness, reliability, consistency and quality of the Federal security authorization process
Designed specifically to meet the needs of CSPs
Enables your organization to do business with one ATO across all federal agencies
Federal organizations are required to use only cloud service offerings that are FedRAMP-authorized when purchasing cloud services
Satisfies multiple federal requirements with one FedRAMP assessment, leading to significant cost, time and resource savings
Proves that you meet federal requirements for cloud services and enhances transparency between the government and CSPs
Protects sensitive information stored in the cloud

Talk to an Expert
As a Top 3 FedRAMP Assessor and C3PAO, the A-LIGN team is ready to assist you with any of your FedRAMP needs, or any of your cybersecurity and compliance needs. Complete the contact form and our team will reach out within 24 hours.
1. Information Security Policy
Ensures company assets and data are appropriately protected from unauthorized access and disclosure
2. Access Control Policy
Dictates how logical and physical access to company systems is provisioned, managed, and revoked
3. Password Policy
Describes the standards for creating strong passwords, protecting those passwords, and changing them frequently
4. Change Management Policy
Outlines how changes to IT infrastructure and applications are planned, documented, managed, and controlled
5. Risk Assessment and Mitigation Policy
Describes how periodic assessments are conducted to identify risks, analyze them, and determine mitigation strategies
6. Incident Response Policy
Controls the rules security personnel follow when a security incident occurs, such as malware or a DoS attack
7. Logging and Monitoring Policy
Describes how user activity is logged, as well as how those logs are monitored and reviewed
8. Vendor Management Policy
Highlights the risks posed by vendors that perform key processes, and how to mitigate those risks
9. Data Classification Policy
Establishes how data is classified based on its level of sensitivity, value and criticality to the organization
10. Acceptable Use Policy
Communicates how internal and external users should use information and company assets appropriately
11. Information, Software and System Backup
Defines requirements for backup of company data and systems, including frequency, location, and retention
12. Business Continuity and Disaster Recovery
Outlines a plan to continue operations in the event of a disaster that disrupts the business's ability to function
What is FedRAMP?
FedRAMP stands for the Federal Risk and Authorization Management Program. It is a government program that provides a standardized approach to security assessment, authorization, and continuous monitoring specifically for cloud products and services used by federal agencies to store, process and transmit federal information.
The program is based on the Risk Management Framework (RMF), which implements the requirements of FISMA (the Federal Information Security Modernization Act) and NIST SP 800-53.
FedRAMP is specific to cloud service providers (CSPs) and federal agencies that plan to use cloud service offerings (CSOs):
Any organization that is currently serving, or seeking to serve, cloud products or services to a federal agency will need to successfully complete a full FedRAMP assessment.
FedRAMP allows CSPs to be assessed and authorized by federal agencies.
FedRAMP was designed to support the federal government’s cloud-first initiative.
A-LIGN’s FedRAMP Services

Advisory: Consulting & Program Assistance
Our independent team of FedRAMP advisors helps your organization prepare for your upcoming FedRAMP assessment and authorization. We assist with implementing appropriate controls, documenting control implementation within the SSP package, and providing consulting assistance throughout the FedRAMP process.

Preparation: Readiness Assessment
We review your environment and determine if it is technically capable of meeting FedRAMP requirements, resulting in a FedRAMP Readiness Assessment Report (RAR). This assessment can be used to understand technical gaps, submitted to FedRAMP to achieve the FedRAMP “Ready” designation on the Marketplace, or used to apply for JAB sponsorship.

Authorization: Security Assessment
We determine if you have the proper controls in place and assess them to ensure you meet FedRAMP requirements, using the Federal Information Processing Standard (FIPS) models for low-, moderate-, or high-impact organizations.

Continuous Monitoring: Annual Assessments
We provide manual assessments that include penetration testing, select control assessments, system scanning, and more.

Continuous Monitoring: Significant Change Request Assessments
We review and assess any changes that may impact the compliance of FedRAMP-authorized systems with FedRAMP requirements, through Significant Change Request (SCR) assessments as needed.
FedRAMP Controls

Control Categories
Depending on the designated level of impact or risk for your organization’s system, a specific number of controls must be met to receive your ATO. Below is a list of the categories that individual controls could fall under.
1. Access Control
2. Awareness and Training
3. Audit and Accountability
4. Security Assessment and Authorization
5. Configuration Management
6. Contingency Planning
7. Identification and Authentication
8. Incident Response
9. Maintenance
10. Media Protection
11. Physical and Environmental Protection
12. System Security Planning
13. Personnel Security
14. Risk Assessment
15. System and Services Acquisition
16. System and Communications Protection
17. System and Information Integrity

Controls Levels
Determining which Federal Information Processing Standard (FIPS) model your Cloud Service Offering (CSO) should follow is critical to the compliance process. Below are the levels your organization needs to consider:
Low implementation (125 controls needed): low-impact systems that would have only a limited negative effect on the organization if compromised.
Moderate implementation (325 controls needed): moderate-impact systems that would cause a serious negative effect on an organization if compromised.
High implementation (421 controls needed): high-impact systems operating critical government functions, where any data breach or security compromise would cause catastrophic damage.
The FedRAMP Process
The FedRAMP authorization process is rigorous, and the assessment must be performed by a certified 3PAO. There are two ways to authorize a cloud service through FedRAMP: an ATO issued by an individual agency (the Agency Process) and a JAB provisional authorization (the JAB Process).

How to Prepare for FedRAMP Certification
CSPs can use the Readiness Assessment Report (RAR) for a self-assessment to prepare for FedRAMP, or a FedRAMP Ready assessment with A-LIGN.
These assessments are intended to help CSPs understand any gaps in their current architectures or capabilities before beginning a FedRAMP assessment, and they explain the effort necessary to secure their systems according to FedRAMP requirements.