I recently held two mandatory webinars for our FedRAMP assessors (3PAOs) to go over our new Readiness Assessment Report (RAR). The RAR is a key component of FedRAMP Accelerated and the ability for the JAB to authorize providers in 3-6 months. These webinars clarified the intent of the RAR, gave some tips and cues, as well as described the power of the new FedRAMP Ready. In addition to sharing this with our 3PAOs, I want to share these key insights with everyone.
The intent of the RAR:
“Focus on capabilities and validate those capabilities”
This is a phrase I used over and over again during the course of the webinars. This is the intent of the RAR , this is not a document exercise, but instead, an initial test of the system’s capabilities.
“The intent is to _determine_ Readiness, not _guarantee_ it.”
We believe a majority of CSPs will not pass a readiness assessment the first time they engage with a 3PAO. This is not a bad thing , we want our CSPs to understand their capabilities prior to entering into a full FedRAMP Assessment. A RAR will allow a CSP to validate their capabilities or potentially identify any key gaps they must address before engaging with FedRAMP.
Some lessons learned from the first few FedRAMP Ready Assessments:
“A discovery scan of the system must be performed.”
The boundary is the hardest part of defining any system. Due to this, the RAR requires that 3PAOs complete a discovery scan of a system as well as analyze all border devices for network traffic and configurations. This is to ensure that a boundary is accurate. In addition to this 3PAOs have to ensure the boundary is not only accurate, but makes sense as well.
“Documentation mustn’t be complete, but at least started.”
CSPs do not have to have 100% completed documentation in order to be deemed FedRAMP Ready. However, any mature organization does have to have procedures and policies documented, they must have at least a good start on documenting their FedRAMP implementations. This demonstrates a maturity needed to be able to get through FedRAMP.
Some thoughts about the power of FedRAMP Ready:
“Ability to Sell to Federal Government”
An approved RAR by the FedRAMP PMO will give CSPs a better ability to attract Federal customers by detailing they have the right capabilities in place and have that validated by a third party assessor as well as the FedRAMP PMO. Approved RARs will be valid for one year from approval and made available to agencies via the FedRAMP secure repository.
“Required for JAB Prioritization”
If a CSP would like to be prioritized for a provisional authorization by the JAB, then an approved RAR will be the first go/no-go decision point for prioritization. This is a critical step in the requirements for going to the JAB.
Additionally, attached is some collateral we’ve created for our 3PAOs that summarizes the webinars and provides a lot of helpful information for 3PAOs as well as CSPs. We expect to continue to update the RAR as we continue to work through FedRAMP Accelerated , so, as always, please provide any input or feedback through email@example.com!
Email your completed Comment Matrix files to firstname.lastname@example.org with “Readiness Capabilities Recommendations” in the subject line.
|Document Name||Document Link|
|FedRAMP Readiness Assessments: A Guide for 3PAOs|