SlideShare a Scribd company logo

Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessments

Schellman & Company
Schellman & Company

FedRAMP is the federal government's risk and security assessment program for cloud-based services as part of the cloud-first initiative, and is designed to make the assessment process more efficient by providing a "do once, use many times" framework. If you work with or want to work with federal agencies, your organization will need to be FedRAMP compliant. On this webinar, you will: • Learn the background and overview of the FedRAMP program • Take a deep dive of the assessment process • Discover the benefits and challenges companies experience during the assessment process

Government & Nonprofit
1 of 20
Download to read offline
Webinar – What you should know about FedRAMP assessments | 1 Work with Federal Agencies? Here's What You Should Know About FedRAMP Assessments
Webinar – What you should know about FedRAMP assessments | 2 Contents • FedRAMP Overview • Setting the Stage • Assessment Process • Additional Topics and Summary
Webinar – What you should know about FedRAMP assessments | 3 What is FedRAMP?
Webinar – What you should know about FedRAMP assessments | 4 What is FedRAMP? The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a “do once, use many times” framework that saves cost, time, and staff required to conduct redundant agency security assessments. Launched in July 2012 FedRAMP replaces what was previously a decentralized authority to operation (ATO) model where each agency performed their own assessment
Webinar – What you should know about FedRAMP assessments | 5 Understanding FISMA vs. FedRAMP Is a: Applies to: Utilizes for guidance: Assessed by: FISMA Law Government agencies FIPS 199 FIPS 200 NIST SP 800-53 An agency, which may use or rely on the work of an outside auditor FedRAMP Program for managing assessments and ongoing compliance Cloud providers that host or plan to host for government agencies FedRAMP modified NIST 800-53 standards FedRAMP specific deliverables and templates An accredited Third Party Assessment Organization (3PAO) While often confused, FISMA is a law for agencies, FedRAMP is an audit program for cloud service providers (CSPs)
Webinar – What you should know about FedRAMP assessments | 6 Setting The Stage: Scope & Agency Involvement
Webinar – What you should know about FedRAMP assessments | 7 First Decision JAB vs Agency Sponsor • Option 1 - JAB Provisional Authorization (P-ATO) – FedRAMP Ready Assessment Required – Documentation reviewed by GSA, DoD, and DHS – Pros: Perceived as government-wide; No Agency Sponsor Required – Con: Lengthier process
Webinar – What you should know about FedRAMP assessments | 8 First Decision JAB vs Agency Sponsor • Option 2 - Agency Authority to Operate (ATO) – All documentation reviewed by single agency – Most common approach
Webinar – What you should know about FedRAMP assessments | 9 Estimated Timeframes (Provided by FedRAMP PMO) System Security Plan Security Assessment Plan Testing SAR & POA&M Review Authorize System Security Plan Security Assessment Plan Testing SAR & POA&M Review Authorize Quality of documentation will determine length of time and possible cycles throughout the entire process JAB P-ATO Agency ATO 6 months + 4 months +
Webinar – What you should know about FedRAMP assessments | 10 Cloud Delivery Models Drive Scope https://www.e-education.psu.edu/cloudGIS/node/91 Cloud IaaS Provider Responsibilities Leveraging a FedRAMP Authorized IaaS provider allows a SaaS provider to “carve out” those controls and only audit against that which is their responsibility.
Webinar – What you should know about FedRAMP assessments | 11 The System Security Plan (SSP) • Template available on www.fedramp.gov • Average 400-500 pages in length • Key Components: – System boundaries – Detailed control descriptions for each of the NIST 800-53 control families (section 13+) The CSP is 100% responsible for documenting the SSP and maintaining the controls on an ongoing basis.
Webinar – What you should know about FedRAMP assessments | 12 The Assessment Process
Webinar – What you should know about FedRAMP assessments | 13 The 3PAO Assessment Process • Two stages: Planning (SAP); Testing (SAR) • Assessment activities include: – Credentialed vulnerability scanning / observation – Penetration testing – Manual controls inspection including interviews, documentation review, and technical configuration review • Findings and communication – Real-time documentation and coordination between 3PAO and CSP – Development of POAMs by CSP
Webinar – What you should know about FedRAMP assessments | 14 Continuous Monitoring • 97 core controls for moderate + Agency specified ~ 50% controls • What happens after ATO
Webinar – What you should know about FedRAMP assessments | 15 Continuous Monitoring • Control requirements – Continuous – Weekly (e.g. log monitoring) – Monthly (e.g. scanning) – Quarterly (e.g. account review) – Annually
Webinar – What you should know about FedRAMP assessments | 16 Continuous Monitoring • 3PAO annual assessment – Assess core controls + % of all other controls (Agency-specified) – Review POAMs – Scanning (and/or observation of scanning) – Penetration testing
Webinar – What you should know about FedRAMP assessments | 17 Additional Topics and Summary
Webinar – What you should know about FedRAMP assessments | 18 FedRAMP+ & ITAR • Department of Defense – DoD uses a FedRAMP + model w/ DoD SRG/STIG guidance – FedRAMP controls plus additional controls at designated levels • Level 2 is aligned w/ FedRAMP • Level 4 adds an incremental 35 controls • NIST 800-171 – Standards for Controlled Unclassified Information (CUI) – Aimed primarily at contractors • ITAR – Some agencies require only US persons access to federal systems – While not a requirement for FedRAMP some systems and support models are built for ITAR compliance
Webinar – What you should know about FedRAMP assessments | 19 1H 2016 Updates • Current State: – 31 JAB ATOs (4-High) – 45 CSPs granted an initial Agency ATO • For example, AWS GovCloud has received 15 individual Agency authorizations for the same system • FedRAMP Ready launched as part of the FedRAMP Accelerated process for JAB • High baseline launched • New Templates
Webinar – What you should know about FedRAMP assessments | 20 Learn more: www.schellmanco.com/fedramp

Recommended

FedRAMP 3PAO Training
FedRAMP 3PAO Training FedRAMP 3PAO Training
FedRAMP 3PAO Training 1ECG
 
Information & Cyber Security Risk
Information & Cyber Security RiskInformation & Cyber Security Risk
Information & Cyber Security RiskMurray Security Services
 
Risk Assessment Process NIST 800-30
Risk Assessment Process NIST 800-30Risk Assessment Process NIST 800-30
Risk Assessment Process NIST 800-30timmcguinness
 
Federal Risk and Authorization Management Program (FedRAMP)
Federal Risk and Authorization Management Program (FedRAMP)Federal Risk and Authorization Management Program (FedRAMP)
Federal Risk and Authorization Management Program (FedRAMP)GovCloud Network
 
Information Security and the SDLC
Information Security and the SDLCInformation Security and the SDLC
Information Security and the SDLCBDPA Charlotte - Information Technology Thought Leaders
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)abhimanyubhogwan
 
NIST 800-30 Intro to Conducting Risk Assessments - Part 1
NIST 800-30 Intro to Conducting Risk Assessments - Part 1NIST 800-30 Intro to Conducting Risk Assessments - Part 1
NIST 800-30 Intro to Conducting Risk Assessments - Part 1Denise Tawwab
 
Business continuity & disaster recovery planning (BCP & DRP)
Business continuity & disaster recovery planning (BCP & DRP)Business continuity & disaster recovery planning (BCP & DRP)
Business continuity & disaster recovery planning (BCP & DRP)Narudom Roongsiriwong, CISSP
 

Recommended

FedRAMP 3PAO Training
FedRAMP 3PAO Training FedRAMP 3PAO Training
FedRAMP 3PAO Training 1ECG
 
Information & Cyber Security Risk
Information & Cyber Security RiskInformation & Cyber Security Risk
Information & Cyber Security RiskMurray Security Services
 
Risk Assessment Process NIST 800-30
Risk Assessment Process NIST 800-30Risk Assessment Process NIST 800-30
Risk Assessment Process NIST 800-30timmcguinness
 
Federal Risk and Authorization Management Program (FedRAMP)
Federal Risk and Authorization Management Program (FedRAMP)Federal Risk and Authorization Management Program (FedRAMP)
Federal Risk and Authorization Management Program (FedRAMP)GovCloud Network
 
Information Security and the SDLC
Information Security and the SDLCInformation Security and the SDLC
Information Security and the SDLCBDPA Charlotte - Information Technology Thought Leaders
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)abhimanyubhogwan
 
NIST 800-30 Intro to Conducting Risk Assessments - Part 1
NIST 800-30 Intro to Conducting Risk Assessments - Part 1NIST 800-30 Intro to Conducting Risk Assessments - Part 1
NIST 800-30 Intro to Conducting Risk Assessments - Part 1Denise Tawwab
 
Business continuity & disaster recovery planning (BCP & DRP)
Business continuity & disaster recovery planning (BCP & DRP)Business continuity & disaster recovery planning (BCP & DRP)
Business continuity & disaster recovery planning (BCP & DRP)Narudom Roongsiriwong, CISSP
 
Modelling Security Architecture
Modelling Security ArchitectureModelling Security Architecture
Modelling Security Architecturenarenvivek
 
Risk Management
Risk ManagementRisk Management
Risk Managementcgeorgeo
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewTandhy Simanjuntak
 
CISSP Chapter 1 BCP
CISSP Chapter 1 BCPCISSP Chapter 1 BCP
CISSP Chapter 1 BCPKarthikeyan Dhayalan
 
Iso27001 Risk Assessment Approach
Iso27001 Risk Assessment ApproachIso27001 Risk Assessment Approach
Iso27001 Risk Assessment Approachtschraider
 
IT Disaster Recovery & Business Continuity
IT Disaster Recovery & Business ContinuityIT Disaster Recovery & Business Continuity
IT Disaster Recovery & Business Continuitymascot4u
 
Customer identity and access management (ciam)
Customer identity and access management (ciam)Customer identity and access management (ciam)
Customer identity and access management (ciam)Nuvento Systems Pvt Ltd
 
Business Continuity Workshop Final
Business Continuity Workshop FinalBusiness Continuity Workshop Final
Business Continuity Workshop FinalBill Lisse
 
IT Disaster Recovery Readiness
IT Disaster Recovery ReadinessIT Disaster Recovery Readiness
IT Disaster Recovery ReadinessBashar Alkhatib
 
Risk Management (1) (1).ppt
Risk Management (1) (1).pptRisk Management (1) (1).ppt
Risk Management (1) (1).pptAjjuSingh2
 
Business continuity & Disaster recovery planing
Business continuity & Disaster recovery planingBusiness continuity & Disaster recovery planing
Business continuity & Disaster recovery planingHanaysha
 
Enterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityEnterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityThe Open Group SA
 
Business Continuity Plan PowerPoint Presentation Slides
Business Continuity Plan PowerPoint Presentation Slides Business Continuity Plan PowerPoint Presentation Slides
Business Continuity Plan PowerPoint Presentation Slides SlideTeam
 
CMMI Certification (Level 1-5)
CMMI Certification (Level 1-5)CMMI Certification (Level 1-5)
CMMI Certification (Level 1-5)Akshat Gupta
 
Business continuity management system
Business continuity management systemBusiness continuity management system
Business continuity management systemsubbusai82
 
ISO 31000 Risk Management
ISO 31000 Risk ManagementISO 31000 Risk Management
ISO 31000 Risk ManagementRamiro Cid
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity frameworkShriya Rai
 
CSSLP Course
CSSLP CourseCSSLP Course
CSSLP CourseMasoud Ostad
 
Agile security
Agile securityAgile security
Agile securityArthur Donkers
 
PECB Webinar: ISO 31000 - The Benchmark for Risk Management in uncertain times
PECB Webinar: ISO 31000 - The Benchmark for Risk Management in uncertain timesPECB Webinar: ISO 31000 - The Benchmark for Risk Management in uncertain times
PECB Webinar: ISO 31000 - The Benchmark for Risk Management in uncertain timesPECB
 
Microsoft CIO Summit - Government Private Cloud
Microsoft CIO Summit - Government Private CloudMicrosoft CIO Summit - Government Private Cloud
Microsoft CIO Summit - Government Private CloudDavid Ziembicki
 
Amped for FedRAMP
Amped for FedRAMPAmped for FedRAMP
Amped for FedRAMPRay Potter
 

More Related Content

What's hot

Modelling Security Architecture
Modelling Security ArchitectureModelling Security Architecture
Modelling Security Architecturenarenvivek
 
Risk Management
Risk ManagementRisk Management
Risk Managementcgeorgeo
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewTandhy Simanjuntak
 
Iso27001 Risk Assessment Approach
Iso27001 Risk Assessment ApproachIso27001 Risk Assessment Approach
Iso27001 Risk Assessment Approachtschraider
 
IT Disaster Recovery & Business Continuity
IT Disaster Recovery & Business ContinuityIT Disaster Recovery & Business Continuity
IT Disaster Recovery & Business Continuitymascot4u
 
Customer identity and access management (ciam)
Customer identity and access management (ciam)Customer identity and access management (ciam)
Customer identity and access management (ciam)Nuvento Systems Pvt Ltd
 
Business Continuity Workshop Final
Business Continuity Workshop FinalBusiness Continuity Workshop Final
Business Continuity Workshop FinalBill Lisse
 
IT Disaster Recovery Readiness
IT Disaster Recovery ReadinessIT Disaster Recovery Readiness
IT Disaster Recovery ReadinessBashar Alkhatib
 
Risk Management (1) (1).ppt
Risk Management (1) (1).pptRisk Management (1) (1).ppt
Risk Management (1) (1).pptAjjuSingh2
 
Business continuity & Disaster recovery planing
Business continuity & Disaster recovery planingBusiness continuity & Disaster recovery planing
Business continuity & Disaster recovery planingHanaysha
 
Enterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityEnterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityThe Open Group SA
 
Business Continuity Plan PowerPoint Presentation Slides
Business Continuity Plan PowerPoint Presentation Slides Business Continuity Plan PowerPoint Presentation Slides
Business Continuity Plan PowerPoint Presentation Slides SlideTeam
 
CMMI Certification (Level 1-5)
CMMI Certification (Level 1-5)CMMI Certification (Level 1-5)
CMMI Certification (Level 1-5)Akshat Gupta
 
Business continuity management system
Business continuity management systemBusiness continuity management system
Business continuity management systemsubbusai82
 
ISO 31000 Risk Management
ISO 31000 Risk ManagementISO 31000 Risk Management
ISO 31000 Risk ManagementRamiro Cid
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity frameworkShriya Rai
 
PECB Webinar: ISO 31000 - The Benchmark for Risk Management in uncertain times
PECB Webinar: ISO 31000 - The Benchmark for Risk Management in uncertain timesPECB Webinar: ISO 31000 - The Benchmark for Risk Management in uncertain times
PECB Webinar: ISO 31000 - The Benchmark for Risk Management in uncertain timesPECB
 

What's hot (20)

Modelling Security Architecture
Modelling Security ArchitectureModelling Security Architecture
Modelling Security Architecture
 
Risk Management
Risk ManagementRisk Management
Risk Management
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
 
CISSP Chapter 1 BCP
CISSP Chapter 1 BCPCISSP Chapter 1 BCP
CISSP Chapter 1 BCP
 
Iso27001 Risk Assessment Approach
Iso27001 Risk Assessment ApproachIso27001 Risk Assessment Approach
Iso27001 Risk Assessment Approach
 
IT Disaster Recovery & Business Continuity
IT Disaster Recovery & Business ContinuityIT Disaster Recovery & Business Continuity
IT Disaster Recovery & Business Continuity
 
Customer identity and access management (ciam)
Customer identity and access management (ciam)Customer identity and access management (ciam)
Customer identity and access management (ciam)
 
Business Continuity Workshop Final
Business Continuity Workshop FinalBusiness Continuity Workshop Final
Business Continuity Workshop Final
 
IT Disaster Recovery Readiness
IT Disaster Recovery ReadinessIT Disaster Recovery Readiness
IT Disaster Recovery Readiness
 
Risk Management (1) (1).ppt
Risk Management (1) (1).pptRisk Management (1) (1).ppt
Risk Management (1) (1).ppt
 
Business continuity & Disaster recovery planing
Business continuity & Disaster recovery planingBusiness continuity & Disaster recovery planing
Business continuity & Disaster recovery planing
 
Enterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityEnterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber Security
 
Business Continuity Plan PowerPoint Presentation Slides
Business Continuity Plan PowerPoint Presentation Slides Business Continuity Plan PowerPoint Presentation Slides
Business Continuity Plan PowerPoint Presentation Slides
 
CMMI Certification (Level 1-5)
CMMI Certification (Level 1-5)CMMI Certification (Level 1-5)
CMMI Certification (Level 1-5)
 
Business continuity management system
Business continuity management systemBusiness continuity management system
Business continuity management system
 
ISO 31000 Risk Management
ISO 31000 Risk ManagementISO 31000 Risk Management
ISO 31000 Risk Management
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity framework
 
CSSLP Course
CSSLP CourseCSSLP Course
CSSLP Course
 
Agile security
Agile securityAgile security
Agile security
 
PECB Webinar: ISO 31000 - The Benchmark for Risk Management in uncertain times
PECB Webinar: ISO 31000 - The Benchmark for Risk Management in uncertain timesPECB Webinar: ISO 31000 - The Benchmark for Risk Management in uncertain times
PECB Webinar: ISO 31000 - The Benchmark for Risk Management in uncertain times
 

Viewers also liked

Microsoft CIO Summit - Government Private Cloud
Microsoft CIO Summit - Government Private CloudMicrosoft CIO Summit - Government Private Cloud
Microsoft CIO Summit - Government Private CloudDavid Ziembicki
 
Amped for FedRAMP
Amped for FedRAMPAmped for FedRAMP
Amped for FedRAMPRay Potter
 
FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0
FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0
FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0Valdez Ladd MBA, CISSP, CISA,
 
March 18 _2013_fed_ramp_agency_compliance_and_implementation_workshop.final
March 18 _2013_fed_ramp_agency_compliance_and_implementation_workshop.finalMarch 18 _2013_fed_ramp_agency_compliance_and_implementation_workshop.final
March 18 _2013_fed_ramp_agency_compliance_and_implementation_workshop.finalTuan Phan
 
Whitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant EnvironmentsWhitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant EnvironmentsJason Dover
 
PCI DSS Success: Achieve Compliance and Increase Web Application Security
PCI DSS Success: Achieve Compliance and Increase Web Application SecurityPCI DSS Success: Achieve Compliance and Increase Web Application Security
PCI DSS Success: Achieve Compliance and Increase Web Application SecurityCitrix
 
Devops mycode devoxx-france-2015-v2
Devops mycode devoxx-france-2015-v2Devops mycode devoxx-france-2015-v2
Devops mycode devoxx-france-2015-v2waizou
 
Writing Secure Code – Threat Defense
Writing Secure Code – Threat DefenseWriting Secure Code – Threat Defense
Writing Secure Code – Threat Defenseamiable_indian
 
Monitoring threats for pci compliance
Monitoring threats for pci complianceMonitoring threats for pci compliance
Monitoring threats for pci complianceShiva Hullavarad
 
An Introduction to PCI Compliance on IBM Power Systems
An Introduction to PCI Compliance on IBM Power SystemsAn Introduction to PCI Compliance on IBM Power Systems
An Introduction to PCI Compliance on IBM Power SystemsHelpSystems
 
How the latest trends in data security can help your data protection strategy...
How the latest trends in data security can help your data protection strategy...How the latest trends in data security can help your data protection strategy...
How the latest trends in data security can help your data protection strategy...Ulf Mattsson
 
Modern Security and Compliance Through Automation | AWS Public Sector Summit ...
Modern Security and Compliance Through Automation | AWS Public Sector Summit ...Modern Security and Compliance Through Automation | AWS Public Sector Summit ...
Modern Security and Compliance Through Automation | AWS Public Sector Summit ...Amazon Web Services
 
Determining Scope for PCI DSS Compliance
Determining Scope for PCI DSS ComplianceDetermining Scope for PCI DSS Compliance
Determining Scope for PCI DSS ComplianceSchellman & Company
 
Reduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperReduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperShaun O'keeffe
 
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 ruleWalk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 ruleEnterpriseGRC Solutions, Inc.
 
Top PCI Pitfalls and How to Avoid Them: The QSA’s Perspective
Top PCI Pitfalls and How to Avoid Them: The QSA’s PerspectiveTop PCI Pitfalls and How to Avoid Them: The QSA’s Perspective
Top PCI Pitfalls and How to Avoid Them: The QSA’s PerspectiveAlgoSec
 

Viewers also liked (20)

Microsoft CIO Summit - Government Private Cloud
Microsoft CIO Summit - Government Private CloudMicrosoft CIO Summit - Government Private Cloud
Microsoft CIO Summit - Government Private Cloud
 
Amped for FedRAMP
Amped for FedRAMPAmped for FedRAMP
Amped for FedRAMP
 
FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0
FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0
FedRAMP - Federal Agencies & Cloud Service Providers meet FISMA 2.0
 
March 18 _2013_fed_ramp_agency_compliance_and_implementation_workshop.final
March 18 _2013_fed_ramp_agency_compliance_and_implementation_workshop.finalMarch 18 _2013_fed_ramp_agency_compliance_and_implementation_workshop.final
March 18 _2013_fed_ramp_agency_compliance_and_implementation_workshop.final
 
Whitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant EnvironmentsWhitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant Environments
 
Integrated Compliance
Integrated ComplianceIntegrated Compliance
Integrated Compliance
 
PCI DSS Success: Achieve Compliance and Increase Web Application Security
PCI DSS Success: Achieve Compliance and Increase Web Application SecurityPCI DSS Success: Achieve Compliance and Increase Web Application Security
PCI DSS Success: Achieve Compliance and Increase Web Application Security
 
Devops mycode devoxx-france-2015-v2
Devops mycode devoxx-france-2015-v2Devops mycode devoxx-france-2015-v2
Devops mycode devoxx-france-2015-v2
 
Presentation_Borne
Presentation_BornePresentation_Borne
Presentation_Borne
 
Writing Secure Code – Threat Defense
Writing Secure Code – Threat DefenseWriting Secure Code – Threat Defense
Writing Secure Code – Threat Defense
 
Monitoring threats for pci compliance
Monitoring threats for pci complianceMonitoring threats for pci compliance
Monitoring threats for pci compliance
 
PCI-DSS_Overview
PCI-DSS_OverviewPCI-DSS_Overview
PCI-DSS_Overview
 
An Introduction to PCI Compliance on IBM Power Systems
An Introduction to PCI Compliance on IBM Power SystemsAn Introduction to PCI Compliance on IBM Power Systems
An Introduction to PCI Compliance on IBM Power Systems
 
How the latest trends in data security can help your data protection strategy...
How the latest trends in data security can help your data protection strategy...How the latest trends in data security can help your data protection strategy...
How the latest trends in data security can help your data protection strategy...
 
Modern Security and Compliance Through Automation | AWS Public Sector Summit ...
Modern Security and Compliance Through Automation | AWS Public Sector Summit ...Modern Security and Compliance Through Automation | AWS Public Sector Summit ...
Modern Security and Compliance Through Automation | AWS Public Sector Summit ...
 
Determining Scope for PCI DSS Compliance
Determining Scope for PCI DSS ComplianceDetermining Scope for PCI DSS Compliance
Determining Scope for PCI DSS Compliance
 
Reduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperReduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - Whitepaper
 
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 ruleWalk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
 
Top PCI Pitfalls and How to Avoid Them: The QSA’s Perspective
Top PCI Pitfalls and How to Avoid Them: The QSA’s PerspectiveTop PCI Pitfalls and How to Avoid Them: The QSA’s Perspective
Top PCI Pitfalls and How to Avoid Them: The QSA’s Perspective
 
PCI Compliance NOT for Dummies epb 30MAR2016
PCI Compliance NOT for Dummies epb 30MAR2016PCI Compliance NOT for Dummies epb 30MAR2016
PCI Compliance NOT for Dummies epb 30MAR2016
 

Similar to Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessments

FedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP MarketplaceFedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP MarketplaceControlCase
 
Fed ramp agency_implementation_webinar
Fed ramp agency_implementation_webinarFed ramp agency_implementation_webinar
Fed ramp agency_implementation_webinarTuan Phan
 
Failure Reporting, Analysis, Corrective Action System
Failure Reporting, Analysis, Corrective Action System Failure Reporting, Analysis, Corrective Action System
Failure Reporting, Analysis, Corrective Action System Ricky Smith CMRP, CMRT
 
Continual Monitoring
Continual MonitoringContinual Monitoring
Continual MonitoringTripwire
 
How Verizon Uses Automation to Accelerate SAP Projects
How Verizon Uses Automation to Accelerate SAP ProjectsHow Verizon Uses Automation to Accelerate SAP Projects
How Verizon Uses Automation to Accelerate SAP ProjectsWorksoft
 
FedRAMP concept-of-operations-conops
FedRAMP concept-of-operations-conopsFedRAMP concept-of-operations-conops
FedRAMP concept-of-operations-conopsGovCloud Network
 
Architecting the Framework for Compliance & Risk Management
Architecting the Framework for Compliance & Risk ManagementArchitecting the Framework for Compliance & Risk Management
Architecting the Framework for Compliance & Risk Managementjadams6
 
RbM Webinar Slides- A Practical Guide for Getting Your RBM Program Up and Run...
RbM Webinar Slides- A Practical Guide for Getting Your RBM Program Up and Run...RbM Webinar Slides- A Practical Guide for Getting Your RBM Program Up and Run...
RbM Webinar Slides- A Practical Guide for Getting Your RBM Program Up and Run...TRI, the risk-based monitoring company
 
Dimension data pursuing compliance in public cloud white paper
Dimension data pursuing compliance in public cloud white paperDimension data pursuing compliance in public cloud white paper
Dimension data pursuing compliance in public cloud white paperJason Cumberland
 
Maintenance strategy
Maintenance strategyMaintenance strategy
Maintenance strategygumma alsgier
 
Awareness of iatf 16949
Awareness of iatf 16949Awareness of iatf 16949
Awareness of iatf 16949Pavan Patil
 
TrustedAgent FedRAMP Security Authorization
TrustedAgent FedRAMP Security AuthorizationTrustedAgent FedRAMP Security Authorization
TrustedAgent FedRAMP Security AuthorizationTuan Phan
 
Webinar | GE & Stork | APM Best Practices - Mechanical Integrity
Webinar | GE & Stork | APM Best Practices - Mechanical IntegrityWebinar | GE & Stork | APM Best Practices - Mechanical Integrity
Webinar | GE & Stork | APM Best Practices - Mechanical IntegrityStork
 
Tool Box Talk - CMRP exam recommendations
Tool Box Talk - CMRP exam recommendationsTool Box Talk - CMRP exam recommendations
Tool Box Talk - CMRP exam recommendationsRicky Smith CMRP, CMRT
 
Fisma FedRAMP Drupal
Fisma FedRAMP DrupalFisma FedRAMP Drupal
Fisma FedRAMP DrupalMike Lemire
 
Measuring and Improving MP1.ppt
Measuring and Improving MP1.pptMeasuring and Improving MP1.ppt
Measuring and Improving MP1.pptssuserf2880f
 
Operational testing with employee performance tracking for compliance
Operational testing with employee performance tracking for compliance Operational testing with employee performance tracking for compliance
Operational testing with employee performance tracking for compliance CloudMoyo
 

Similar to Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessments (20)

FedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP MarketplaceFedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP Marketplace
 
Fed ramp agency_implementation_webinar
Fed ramp agency_implementation_webinarFed ramp agency_implementation_webinar
Fed ramp agency_implementation_webinar
 
Failure Reporting, Analysis, Corrective Action System
Failure Reporting, Analysis, Corrective Action System Failure Reporting, Analysis, Corrective Action System
Failure Reporting, Analysis, Corrective Action System
 
Continual Monitoring
Continual MonitoringContinual Monitoring
Continual Monitoring
 
How Verizon Uses Automation to Accelerate SAP Projects
How Verizon Uses Automation to Accelerate SAP ProjectsHow Verizon Uses Automation to Accelerate SAP Projects
How Verizon Uses Automation to Accelerate SAP Projects
 
Monitoring
MonitoringMonitoring
Monitoring
 
FedRAMP concept-of-operations-conops
FedRAMP concept-of-operations-conopsFedRAMP concept-of-operations-conops
FedRAMP concept-of-operations-conops
 
Architecting the Framework for Compliance & Risk Management
Architecting the Framework for Compliance & Risk ManagementArchitecting the Framework for Compliance & Risk Management
Architecting the Framework for Compliance & Risk Management
 
RbM Webinar Slides- A Practical Guide for Getting Your RBM Program Up and Run...
RbM Webinar Slides- A Practical Guide for Getting Your RBM Program Up and Run...RbM Webinar Slides- A Practical Guide for Getting Your RBM Program Up and Run...
RbM Webinar Slides- A Practical Guide for Getting Your RBM Program Up and Run...
 
Dimension data pursuing compliance in public cloud white paper
Dimension data pursuing compliance in public cloud white paperDimension data pursuing compliance in public cloud white paper
Dimension data pursuing compliance in public cloud white paper
 
CompTIA Security+.pptx
CompTIA Security+.pptxCompTIA Security+.pptx
CompTIA Security+.pptx
 
Maintenance strategy
Maintenance strategyMaintenance strategy
Maintenance strategy
 
Awareness of iatf 16949
Awareness of iatf 16949Awareness of iatf 16949
Awareness of iatf 16949
 
TrustedAgent FedRAMP Security Authorization
TrustedAgent FedRAMP Security AuthorizationTrustedAgent FedRAMP Security Authorization
TrustedAgent FedRAMP Security Authorization
 
t map brief
t map brieft map brief
t map brief
 
Webinar | GE & Stork | APM Best Practices - Mechanical Integrity
Webinar | GE & Stork | APM Best Practices - Mechanical IntegrityWebinar | GE & Stork | APM Best Practices - Mechanical Integrity
Webinar | GE & Stork | APM Best Practices - Mechanical Integrity
 
Tool Box Talk - CMRP exam recommendations
Tool Box Talk - CMRP exam recommendationsTool Box Talk - CMRP exam recommendations
Tool Box Talk - CMRP exam recommendations
 
Fisma FedRAMP Drupal
Fisma FedRAMP DrupalFisma FedRAMP Drupal
Fisma FedRAMP Drupal
 
Measuring and Improving MP1.ppt
Measuring and Improving MP1.pptMeasuring and Improving MP1.ppt
Measuring and Improving MP1.ppt
 
Operational testing with employee performance tracking for compliance
Operational testing with employee performance tracking for compliance Operational testing with employee performance tracking for compliance
Operational testing with employee performance tracking for compliance
 

More from Schellman & Company

Privacy in the Cloud- Introduction to ISO 27018
Privacy in the Cloud- Introduction to ISO 27018Privacy in the Cloud- Introduction to ISO 27018
Privacy in the Cloud- Introduction to ISO 27018Schellman & Company
 
Privacy shield: What You Need To Know About Storing EU Data
Privacy shield: What You Need To Know About Storing EU DataPrivacy shield: What You Need To Know About Storing EU Data
Privacy shield: What You Need To Know About Storing EU DataSchellman & Company
 
Everything You Need To Know About SOC 1
Everything You Need To Know About SOC 1Everything You Need To Know About SOC 1
Everything You Need To Know About SOC 1Schellman & Company
 
PA-DSS and Application Penetration Testing
PA-DSS and Application Penetration TestingPA-DSS and Application Penetration Testing
PA-DSS and Application Penetration TestingSchellman & Company
 
The CSA STAR Program: Certification & Attestation
The CSA STAR Program: Certification & AttestationThe CSA STAR Program: Certification & Attestation
The CSA STAR Program: Certification & AttestationSchellman & Company
 
STAND OUT: Why You Should Become ISO 27001 Certified
STAND OUT: Why You Should Become ISO 27001 CertifiedSTAND OUT: Why You Should Become ISO 27001 Certified
STAND OUT: Why You Should Become ISO 27001 CertifiedSchellman & Company
 
Locking Up Your Cloud Environment: An Introduction to ISO/IEC 27017 and 27018
Locking Up Your Cloud Environment: An Introduction to ISO/IEC 27017 and 27018Locking Up Your Cloud Environment: An Introduction to ISO/IEC 27017 and 27018
Locking Up Your Cloud Environment: An Introduction to ISO/IEC 27017 and 27018Schellman & Company
 
Hitrust: Navigating to 2017, Your Map to HITRUST Certification
Hitrust: Navigating to 2017, Your Map to HITRUST CertificationHitrust: Navigating to 2017, Your Map to HITRUST Certification
Hitrust: Navigating to 2017, Your Map to HITRUST CertificationSchellman & Company
 
SOC 2: Build Trust and Confidence
SOC 2: Build Trust and ConfidenceSOC 2: Build Trust and Confidence
SOC 2: Build Trust and ConfidenceSchellman & Company
 
PCI DSS 3.0 Overview and Key Updates
PCI DSS 3.0 Overview and Key UpdatesPCI DSS 3.0 Overview and Key Updates
PCI DSS 3.0 Overview and Key UpdatesSchellman & Company
 
10 Steps Toward FedRAMP Compliance
10 Steps Toward FedRAMP Compliance10 Steps Toward FedRAMP Compliance
10 Steps Toward FedRAMP ComplianceSchellman & Company
 
Your've Been Hacked in Florida! Now What?
Your've Been Hacked in Florida! Now What?Your've Been Hacked in Florida! Now What?
Your've Been Hacked in Florida! Now What?Schellman & Company
 

More from Schellman & Company (19)

Privacy in the Cloud- Introduction to ISO 27018
Privacy in the Cloud- Introduction to ISO 27018Privacy in the Cloud- Introduction to ISO 27018
Privacy in the Cloud- Introduction to ISO 27018
 
Demystifying the Cyber NISTs
Demystifying the Cyber NISTsDemystifying the Cyber NISTs
Demystifying the Cyber NISTs
 
Privacy shield: What You Need To Know About Storing EU Data
Privacy shield: What You Need To Know About Storing EU DataPrivacy shield: What You Need To Know About Storing EU Data
Privacy shield: What You Need To Know About Storing EU Data
 
Everything You Need To Know About SOC 1
Everything You Need To Know About SOC 1Everything You Need To Know About SOC 1
Everything You Need To Know About SOC 1
 
PA-DSS and Application Penetration Testing
PA-DSS and Application Penetration TestingPA-DSS and Application Penetration Testing
PA-DSS and Application Penetration Testing
 
The CSA STAR Program: Certification & Attestation
The CSA STAR Program: Certification & AttestationThe CSA STAR Program: Certification & Attestation
The CSA STAR Program: Certification & Attestation
 
Get Ready Now for HITRUST 2017
Get Ready Now for HITRUST 2017Get Ready Now for HITRUST 2017
Get Ready Now for HITRUST 2017
 
STAND OUT: Why You Should Become ISO 27001 Certified
STAND OUT: Why You Should Become ISO 27001 CertifiedSTAND OUT: Why You Should Become ISO 27001 Certified
STAND OUT: Why You Should Become ISO 27001 Certified
 
Locking Up Your Cloud Environment: An Introduction to ISO/IEC 27017 and 27018
Locking Up Your Cloud Environment: An Introduction to ISO/IEC 27017 and 27018Locking Up Your Cloud Environment: An Introduction to ISO/IEC 27017 and 27018
Locking Up Your Cloud Environment: An Introduction to ISO/IEC 27017 and 27018
 
SOC 2 and You
SOC 2 and YouSOC 2 and You
SOC 2 and You
 
Hitrust: Navigating to 2017, Your Map to HITRUST Certification
Hitrust: Navigating to 2017, Your Map to HITRUST CertificationHitrust: Navigating to 2017, Your Map to HITRUST Certification
Hitrust: Navigating to 2017, Your Map to HITRUST Certification
 
CSA STAR Program
CSA STAR ProgramCSA STAR Program
CSA STAR Program
 
SOC 2: Build Trust and Confidence
SOC 2: Build Trust and ConfidenceSOC 2: Build Trust and Confidence
SOC 2: Build Trust and Confidence
 
SOC 1 Overview
SOC 1 OverviewSOC 1 Overview
SOC 1 Overview
 
12 Steps to Preparing for a QAR
12 Steps to Preparing for a QAR12 Steps to Preparing for a QAR
12 Steps to Preparing for a QAR
 
EPCS Overview
EPCS OverviewEPCS Overview
EPCS Overview
 
PCI DSS 3.0 Overview and Key Updates
PCI DSS 3.0 Overview and Key UpdatesPCI DSS 3.0 Overview and Key Updates
PCI DSS 3.0 Overview and Key Updates
 
10 Steps Toward FedRAMP Compliance
10 Steps Toward FedRAMP Compliance10 Steps Toward FedRAMP Compliance
10 Steps Toward FedRAMP Compliance
 
Your've Been Hacked in Florida! Now What?
Your've Been Hacked in Florida! Now What?Your've Been Hacked in Florida! Now What?
Your've Been Hacked in Florida! Now What?
 

Recently uploaded

call girls in West Patel Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service ...
call girls in West Patel Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service ...call girls in West Patel Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service ...
call girls in West Patel Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service ...saminamagar
 
call girls in Tilak Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Tilak Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️call girls in Tilak Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Tilak Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️saminamagar
 
Powering Britain: Can we decarbonise electricity without disadvantaging poore...
Powering Britain: Can we decarbonise electricity without disadvantaging poore...Powering Britain: Can we decarbonise electricity without disadvantaging poore...
Powering Britain: Can we decarbonise electricity without disadvantaging poore...ResolutionFoundation
 
WORLD CREATIVITY AND INNOVATION DAY 2024.
WORLD CREATIVITY AND INNOVATION DAY 2024.WORLD CREATIVITY AND INNOVATION DAY 2024.
WORLD CREATIVITY AND INNOVATION DAY 2024.Christina Parmionova
 
No.1 Call Girls in Basavanagudi ! 7001305949 ₹2999 Only and Free Hotel Delive...
No.1 Call Girls in Basavanagudi ! 7001305949 ₹2999 Only and Free Hotel Delive...No.1 Call Girls in Basavanagudi ! 7001305949 ₹2999 Only and Free Hotel Delive...
No.1 Call Girls in Basavanagudi ! 7001305949 ₹2999 Only and Free Hotel Delive...narwatsonia7
 
call girls in Mehrauli DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Mehrauli DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️call girls in Mehrauli DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Mehrauli DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️saminamagar
 
Club of Rome: Eco-nomics for an Ecological Civilization
Club of Rome: Eco-nomics for an Ecological CivilizationClub of Rome: Eco-nomics for an Ecological Civilization
Club of Rome: Eco-nomics for an Ecological CivilizationEnergy for One World
 
Jewish Efforts to Influence American Immigration Policy in the Years Before t...
Jewish Efforts to Influence American Immigration Policy in the Years Before t...Jewish Efforts to Influence American Immigration Policy in the Years Before t...
Jewish Efforts to Influence American Immigration Policy in the Years Before t...yalehistoricalreview
 
(多少钱)Dal毕业证国外本科学位证
(多少钱)Dal毕业证国外本科学位证(多少钱)Dal毕业证国外本科学位证
(多少钱)Dal毕业证国外本科学位证mbetknu
 
Action Toolkit - Earth Day 2024 - April 22nd.
Action Toolkit - Earth Day 2024 - April 22nd.Action Toolkit - Earth Day 2024 - April 22nd.
Action Toolkit - Earth Day 2024 - April 22nd.Christina Parmionova
 
call girls in Punjabi Bagh DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Punjabi Bagh DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️call girls in Punjabi Bagh DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Punjabi Bagh DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️saminamagar
 
Call Girls Service Race Course Road Just Call 7001305949 Enjoy College Girls ...
Call Girls Service Race Course Road Just Call 7001305949 Enjoy College Girls ...Call Girls Service Race Course Road Just Call 7001305949 Enjoy College Girls ...
Call Girls Service Race Course Road Just Call 7001305949 Enjoy College Girls ...narwatsonia7
 
call girls in Narela DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Narela DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️call girls in Narela DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Narela DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️saminamagar
 
2024: The FAR, Federal Acquisition Regulations - Part 26
2024: The FAR, Federal Acquisition Regulations - Part 262024: The FAR, Federal Acquisition Regulations - Part 26
2024: The FAR, Federal Acquisition Regulations - Part 26JSchaus & Associates
 
call girls in Model Town DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Model Town DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️call girls in Model Town DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Model Town DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️saminamagar
 
call girls in sector 22 Gurgaon 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in sector 22 Gurgaon 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️call girls in sector 22 Gurgaon 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in sector 22 Gurgaon 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️saminamagar
 
Call Girls Service AECS Layout Just Call 7001305949 Enjoy College Girls Service
Call Girls Service AECS Layout Just Call 7001305949 Enjoy College Girls ServiceCall Girls Service AECS Layout Just Call 7001305949 Enjoy College Girls Service
Call Girls Service AECS Layout Just Call 7001305949 Enjoy College Girls Servicenarwatsonia7
 
call girls in Kirti Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Kirti Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️call girls in Kirti Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Kirti Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️saminamagar
 
High Class Call Girls Bangalore Komal 7001305949 Independent Escort Service B...
High Class Call Girls Bangalore Komal 7001305949 Independent Escort Service B...High Class Call Girls Bangalore Komal 7001305949 Independent Escort Service B...
High Class Call Girls Bangalore Komal 7001305949 Independent Escort Service B...narwatsonia7
 

Recently uploaded (20)

call girls in West Patel Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service ...
call girls in West Patel Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service ...call girls in West Patel Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service ...
call girls in West Patel Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service ...
 
call girls in Tilak Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Tilak Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️call girls in Tilak Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Tilak Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
 
Powering Britain: Can we decarbonise electricity without disadvantaging poore...
Powering Britain: Can we decarbonise electricity without disadvantaging poore...Powering Britain: Can we decarbonise electricity without disadvantaging poore...
Powering Britain: Can we decarbonise electricity without disadvantaging poore...
 
WORLD CREATIVITY AND INNOVATION DAY 2024.
WORLD CREATIVITY AND INNOVATION DAY 2024.WORLD CREATIVITY AND INNOVATION DAY 2024.
WORLD CREATIVITY AND INNOVATION DAY 2024.
 
No.1 Call Girls in Basavanagudi ! 7001305949 ₹2999 Only and Free Hotel Delive...
No.1 Call Girls in Basavanagudi ! 7001305949 ₹2999 Only and Free Hotel Delive...No.1 Call Girls in Basavanagudi ! 7001305949 ₹2999 Only and Free Hotel Delive...
No.1 Call Girls in Basavanagudi ! 7001305949 ₹2999 Only and Free Hotel Delive...
 
call girls in Mehrauli DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Mehrauli DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️call girls in Mehrauli DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Mehrauli DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
 
Club of Rome: Eco-nomics for an Ecological Civilization
Club of Rome: Eco-nomics for an Ecological CivilizationClub of Rome: Eco-nomics for an Ecological Civilization
Club of Rome: Eco-nomics for an Ecological Civilization
 
Jewish Efforts to Influence American Immigration Policy in the Years Before t...
Jewish Efforts to Influence American Immigration Policy in the Years Before t...Jewish Efforts to Influence American Immigration Policy in the Years Before t...
Jewish Efforts to Influence American Immigration Policy in the Years Before t...
 
(多少钱)Dal毕业证国外本科学位证
(多少钱)Dal毕业证国外本科学位证(多少钱)Dal毕业证国外本科学位证
(多少钱)Dal毕业证国外本科学位证
 
Action Toolkit - Earth Day 2024 - April 22nd.
Action Toolkit - Earth Day 2024 - April 22nd.Action Toolkit - Earth Day 2024 - April 22nd.
Action Toolkit - Earth Day 2024 - April 22nd.
 
call girls in Punjabi Bagh DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Punjabi Bagh DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️call girls in Punjabi Bagh DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Punjabi Bagh DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
 
Call Girls Service Race Course Road Just Call 7001305949 Enjoy College Girls ...
Call Girls Service Race Course Road Just Call 7001305949 Enjoy College Girls ...Call Girls Service Race Course Road Just Call 7001305949 Enjoy College Girls ...
Call Girls Service Race Course Road Just Call 7001305949 Enjoy College Girls ...
 
call girls in Narela DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Narela DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️call girls in Narela DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Narela DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
 
2024: The FAR, Federal Acquisition Regulations - Part 26
2024: The FAR, Federal Acquisition Regulations - Part 262024: The FAR, Federal Acquisition Regulations - Part 26
2024: The FAR, Federal Acquisition Regulations - Part 26
 
call girls in Model Town DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Model Town DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️call girls in Model Town DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Model Town DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
 
call girls in sector 22 Gurgaon 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in sector 22 Gurgaon 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️call girls in sector 22 Gurgaon 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in sector 22 Gurgaon 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
 
Call Girls Service AECS Layout Just Call 7001305949 Enjoy College Girls Service
Call Girls Service AECS Layout Just Call 7001305949 Enjoy College Girls ServiceCall Girls Service AECS Layout Just Call 7001305949 Enjoy College Girls Service
Call Girls Service AECS Layout Just Call 7001305949 Enjoy College Girls Service
 
call girls in Kirti Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Kirti Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️call girls in Kirti Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in Kirti Nagar DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
 
Hot Sexy call girls in Palam Vihar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Palam Vihar🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Palam Vihar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Palam Vihar🔝 9953056974 🔝 escort Service
 
High Class Call Girls Bangalore Komal 7001305949 Independent Escort Service B...
High Class Call Girls Bangalore Komal 7001305949 Independent Escort Service B...High Class Call Girls Bangalore Komal 7001305949 Independent Escort Service B...
High Class Call Girls Bangalore Komal 7001305949 Independent Escort Service B...
 

Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessments

  • 1. Webinar – What you should know about FedRAMP assessments | 1 Work with Federal Agencies? Here's What You Should Know About FedRAMP Assessments
  • 2. Webinar – What you should know about FedRAMP assessments | 2 Contents • FedRAMP Overview • Setting the Stage • Assessment Process • Additional Topics and Summary
  • 3. Webinar – What you should know about FedRAMP assessments | 3 What is FedRAMP?
  • 4. Webinar – What you should know about FedRAMP assessments | 4 What is FedRAMP? The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a “do once, use many times” framework that saves cost, time, and staff required to conduct redundant agency security assessments. Launched in July 2012 FedRAMP replaces what was previously a decentralized authority to operation (ATO) model where each agency performed their own assessment
  • 5. Webinar – What you should know about FedRAMP assessments | 5 Understanding FISMA vs. FedRAMP Is a: Applies to: Utilizes for guidance: Assessed by: FISMA Law Government agencies FIPS 199 FIPS 200 NIST SP 800-53 An agency, which may use or rely on the work of an outside auditor FedRAMP Program for managing assessments and ongoing compliance Cloud providers that host or plan to host for government agencies FedRAMP modified NIST 800-53 standards FedRAMP specific deliverables and templates An accredited Third Party Assessment Organization (3PAO) While often confused, FISMA is a law for agencies, FedRAMP is an audit program for cloud service providers (CSPs)
  • 6. Webinar – What you should know about FedRAMP assessments | 6 Setting The Stage: Scope & Agency Involvement
  • 7. Webinar – What you should know about FedRAMP assessments | 7 First Decision JAB vs Agency Sponsor • Option 1 - JAB Provisional Authorization (P-ATO) – FedRAMP Ready Assessment Required – Documentation reviewed by GSA, DoD, and DHS – Pros: Perceived as government-wide; No Agency Sponsor Required – Con: Lengthier process
  • 8. Webinar – What you should know about FedRAMP assessments | 8 First Decision JAB vs Agency Sponsor • Option 2 - Agency Authority to Operate (ATO) – All documentation reviewed by single agency – Most common approach
  • 9. Webinar – What you should know about FedRAMP assessments | 9 Estimated Timeframes (Provided by FedRAMP PMO) System Security Plan Security Assessment Plan Testing SAR & POA&M Review Authorize System Security Plan Security Assessment Plan Testing SAR & POA&M Review Authorize Quality of documentation will determine length of time and possible cycles throughout the entire process JAB P-ATO Agency ATO 6 months + 4 months +
  • 10. Webinar – What you should know about FedRAMP assessments | 10 Cloud Delivery Models Drive Scope https://www.e-education.psu.edu/cloudGIS/node/91 Cloud IaaS Provider Responsibilities Leveraging a FedRAMP Authorized IaaS provider allows a SaaS provider to “carve out” those controls and only audit against that which is their responsibility.
  • 11. Webinar – What you should know about FedRAMP assessments | 11 The System Security Plan (SSP) • Template available on www.fedramp.gov • Average 400-500 pages in length • Key Components: – System boundaries – Detailed control descriptions for each of the NIST 800-53 control families (section 13+) The CSP is 100% responsible for documenting the SSP and maintaining the controls on an ongoing basis.
  • 12. Webinar – What you should know about FedRAMP assessments | 12 The Assessment Process
  • 13. Webinar – What you should know about FedRAMP assessments | 13 The 3PAO Assessment Process • Two stages: Planning (SAP); Testing (SAR) • Assessment activities include: – Credentialed vulnerability scanning / observation – Penetration testing – Manual controls inspection including interviews, documentation review, and technical configuration review • Findings and communication – Real-time documentation and coordination between 3PAO and CSP – Development of POAMs by CSP
  • 14. Webinar – What you should know about FedRAMP assessments | 14 Continuous Monitoring • 97 core controls for moderate + Agency specified ~ 50% controls • What happens after ATO
  • 15. Webinar – What you should know about FedRAMP assessments | 15 Continuous Monitoring • Control requirements – Continuous – Weekly (e.g. log monitoring) – Monthly (e.g. scanning) – Quarterly (e.g. account review) – Annually
  • 16. Webinar – What you should know about FedRAMP assessments | 16 Continuous Monitoring • 3PAO annual assessment – Assess core controls + % of all other controls (Agency-specified) – Review POAMs – Scanning (and/or observation of scanning) – Penetration testing
  • 17. Webinar – What you should know about FedRAMP assessments | 17 Additional Topics and Summary
  • 18. Webinar – What you should know about FedRAMP assessments | 18 FedRAMP+ & ITAR • Department of Defense – DoD uses a FedRAMP + model w/ DoD SRG/STIG guidance – FedRAMP controls plus additional controls at designated levels • Level 2 is aligned w/ FedRAMP • Level 4 adds an incremental 35 controls • NIST 800-171 – Standards for Controlled Unclassified Information (CUI) – Aimed primarily at contractors • ITAR – Some agencies require only US persons access to federal systems – While not a requirement for FedRAMP some systems and support models are built for ITAR compliance
  • 19. Webinar – What you should know about FedRAMP assessments | 19 1H 2016 Updates • Current State: – 31 JAB ATOs (4-High) – 45 CSPs granted an initial Agency ATO • For example, AWS GovCloud has received 15 individual Agency authorizations for the same system • FedRAMP Ready launched as part of the FedRAMP Accelerated process for JAB • High baseline launched • New Templates
  • 20. Webinar – What you should know about FedRAMP assessments | 20 Learn more: www.schellmanco.com/fedramp