Focus on FedRAMP

Common Challenges with the Readiness Assessment Report

Thank you to all our vendors who have participated in our FedRAMP Ready process by using the Readiness Assessment Report (RAR). The RAR is intended to help vendors, the Joint Authorization Board, and Agencies have a snapshot of the security posture and capabilities of a cloud service without the full investment of going through the full FedRAMP process of testing and documentation.

To learn more about why a CSP might want to become FedRAMP Ready, check out our previous RAR blog post here.

When a 3PAO completes and submits the RAR on behalf of their CSP to the FedRAMP PMO, the FedRAMP PMO will either approve the RAR or provide feedback on it. If the RAR is approved, the CSP will be deemed “FedRAMP Ready”.

On average, 65% of RARs are approved by the FedRAMP PMO for FedRAMP Ready status. To support the successful completion and approval of RARs moving forward, we’ve captured a series of best practices based on common challenges we have seen in our reviews.

  • Administrative Reminders
    • 3PAOs need to sign the attestation

    • Provide consistent dates throughout the document including the front page, file name, and header

    • Avoid typos and confusing language and grammar

    • Submit the final version of the document, which should be the 3PAO’s best effort in addressing the RAR template requirements and guidance

    • The FedRAMP PMO does not accept low-categorized service RARs

  • Address All Requirements and Follow Guidance

    • Address all Executive Summary requirements

    • Respond fully to all questions (including areas of the Cloud Service Provider and Cloud Service Offering’s non-compliance)

    • Provide complete descriptions, substantive supporting evidence, and justifications (where needed)

    • Pay attention to the guidance

  • Provide clear and consistent authorization boundaries and descriptions (RAR Template Section 3.2)

    • Show connections to other systems

    • Be consistent throughout the RAR in showing vendor dependencies such as interconnections

    • Ensure the authorization boundary diagram depicts the authorization boundary (by showing a box around the system components within the boundary)

    • Ensure the authorization boundary diagram is readable

    • Adequately describe boundary exclusions

  • Provide clear data flows with adequate detail to address all RAR data flow requirements, including both internal (CSP) and external (Customer/Other) information flows.

Also, please be sure to follow the correct protocol when submitting the RAR:

  • The 3PAO owns the completion and submission of the RAR, and the responses to FedRAMP’s inquiries

  • For Moderate RARs:
    • The 3PAO should provide a notice of their plan to submit a RAR along with a request for access to MAX (FedRAMP’s secure repository) and a subdirectory.

    • This should occur at least 2 weeks in advance of submission by emailing info@fedramp.gov.

    • On the day of submission, inform FedRAMP that the RAR has been uploaded to MAX by emailing info@fedramp.gov.

  • For High RARs:
    • The 3PAO should provide notice of their plan to submit a RAR at least 2 weeks in advance of submission by emailing info@fedramp.gov.

    • The PMO will provide specific instructions on how to submit the RAR.

If you have specific questions on your RAR, please submit them to info@fedramp.gov. Thank you for your participation in the process!