Faster FedRAMP: Preparing for RAR Success
By Jamie Graf
What is a RAR?
A FedRAMP Readiness Assessment Report (RAR) demonstrates a cloud service provider’s (CSP) capability to meet FedRAMP security requirements and its readiness to begin the FedRAMP authorization process. The RAR describes the CSP’s security and organizational processes, focusing on key capabilities rather than documentation. It is designed to validate the operational security capabilities of a CSP through a “pre-audit” performed by a third-party assessment organization (3PAO). This pre-audit also helps speed the full accreditation process by giving the government a clearer understanding of a provider’s technical capabilities up front in the assessment process. Once approved by the FedRAMP Program Management Office (PMO), the CSP is listed in the Marketplace as FedRAMP Ready.
Consider engaging an Advisor
The path to FedRAMP authorization requires dedicating substantial resources to the effort and should not be undertaken without considering the time and expense involved. The old saying, “You don’t know what you don’t know,” has never been truer than when you survey the volumes of FedRAMP documentation and reporting that loom at the outset of the authorization process. Enlisting the help of an experienced FedRAMP advisor as you prepare for the RAR phase can be critical to achieving a FedRAMP Ready designation, clearing that first hurdle and setting you on a firm path toward full authorization. The strategic advice and guidance that a FedRAMP advisor provides helps you avoid common pitfalls and mistakes, and puts you in the best position to reach FedRAMP Ready status quickly. Advisor-assisted planning and preparation improves your chances of authorization success: an Agency Authority to Operate (ATO).
A formal preparation and kick-off phase for your FedRAMP initiative ensures that roles, responsibilities, and schedule are clearly understood and agreed upon by all stakeholders. This preparation lays the groundwork for the readiness assessment as well as the full assessment down the road. With help from a FedRAMP advisor, CSPs can avoid common mistakes or oversights during this phase. Planning and communication early in the process helps avoid disruptions that can impact operations or the performance of assessment efforts.
Typical preparation activities include the following:
| CSP Responsibilities | FedRAMP Advisor |
|---|---|
| Assemble FedRAMP project team | Provide strategic FedRAMP advice and guidance |
| Define system boundary | Consult on technical control or solution implementation |
| Begin development of SSP | Develop FedRAMP-required plans and documentation |
| Build control capabilities | |
It’s All About the System Boundary
For CSPs, a critical element of assessment preparation is defining the system boundary. An accurate illustration of the system authorization boundary consists of network and architecture diagrams and a written description of the boundary. Each diagram must clearly define services, software, and virtual components within the boundary and must be validated against the inventory. The written description must clearly define shared corporate resources, any external services (including leveraged services), and all systems related to but excluded from the boundary. Data flow diagrams must clearly identify where Federal data is processed, stored, and transmitted; describe how data moves in and out of the system boundary; identify privileged, non-privileged, and customer access to data; and detail how inbound and outbound traffic is managed. A written description of each data flow is also required.
Accurately defining and documenting the system boundary early in the FedRAMP process is key to achieving FedRAMP Ready status and ultimately achieving FedRAMP authorization. An improperly defined boundary can cause significant problems and delays later in the FedRAMP process.
Because FedRAMP is a complex and comprehensive assessment of CSP security processes and documentation, the more effective the preparation, the better the results will ultimately be. Because SecureIT has helped numerous clients on their FedRAMP journeys, we understand the complexities of the program and the importance of FedRAMP authorization for CSPs. We work with our clients to maximize their efforts to achieve a FedRAMP Ready designation and, ultimately, to secure a JAB P-ATO or Agency-sponsored ATO. Whether you are at the beginning of your journey to FedRAMP authorization and want to start with a well-defined plan, or you are already ready for a full 3PAO assessment, SecureIT can provide the FedRAMP expertise and knowledge you need.