In the past, we have blogged about the Federal Risk Authorization and Management Program’s (FedRAMP) push to save time and money by verifying the security of cloud service providers (CSPs) using a standardized review that all agencies can accept.  Third party assessment organizations (3PAOs) will be at the center of the program, granting CSPs a security certification based on a standardized, consistent assessment.  But times have changed since our last post on the topic – 3PAOs have been chosen, and KCG is among the select organizations granted authority to accredit CSPs as certifiably secure. 

3PAOs are able to conduct official assessments to grant CSPs accreditation; they can also perform ‘readiness reviews.’  These reviews are designed to tell CSPs exactly what red-flags would come up during the official assessment process, so the provider can fix it and later pass the official assessment with flying colors.  

If you are a CSP, there is likely to be a readiness review in your near future.  Here’s what you should know about the process:

1.   Every CSP needs a readiness review.  Let’s face it…no one likes to be caught off guard – and especially not when it really counts.  Going through the readiness review process will prepare you and your company for what’s to come before, during and after the assessment process.

2.   A System Security Plan (SSP) must be developed.  The SSP documents and describes how required security controls are implemented within the cloud information system and its environment of operation.  The 3PAO will develop an SSP that will take into consideration the CSP’s dependencies on other providers in the cloud stack.

3.   System boundaries will need to be established.  Establishing clear system boundaries in the SSP and fine tuning the CSP’s scope before submitting a FedRAMP initiation request will only increase the likelihood of becoming certified.  Due to the development of live migrations, and the confusion that often accompanies them, the FedRAMP program recommends that CSPs discuss their live migration strategy with 3PAOs.

Readiness reviews educate organizations about FedRAMP standards and compliance requirements.  Throughout the process, CSPs will be coached on the process, required artifacts, 3PAO assessment preparation and continuous monitoring.  In selecting a 3PAO vendor to conduct the review, CSPs should consider the vendor’s experience with NIST and their understanding of cloud architectures.  By choosing an experienced and well-educated 3PAO vendor, the CSP will go into the official assessment process armed with the best preparation possible.