The United States Federal Risk and Authorization Management Program, known as FedRAMP, is one of the federal government's most rigorous security compliance frameworks. It enables the federal government to accelerate the adoption of cloud computing by creating transparent standards and processes for security authorizations. FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies. Any cloud service that holds federal data must be FedRAMP Authorized. FedRAMP prescribes the security requirements and processes cloud service providers must follow before the government can use their service.

NIST Special Publication 800-53 is published by the National Institute of Standards and Technology (NIST), which develops the standards and guidelines federal agencies use to implement the Federal Information Security Modernization Act (FISMA) and other programs designed to protect information and promote information security. SP 800-53 is the catalog of security and privacy controls that both FISMA and FedRAMP draw on; FedRAMP baselines are built from it. It sits within a wider set of NIST FISMA publications that together cover the following:

  1. Standards for categorizing information and information systems by mission impact (FIPS 199).
  2. Standards for minimum security requirements for information and information systems (FIPS 200).
  3. Guidance for selecting appropriate security controls for information systems (SP 800-53, the control catalog).
  4. Guidance for assessing security controls in information systems and determining security control effectiveness (SP 800-53A).
  5. Guidance for authorizing information systems (SP 800-37, the Risk Management Framework, which replaced the older certification and accreditation process).

FedRAMP assessment solutions

E Com Security Solutions' structured assessment methodology comprises three activity groups: readiness assessment, initial assessment, and annual assessment. Across those groups it delivers:

  1. An in-depth review of the authorization boundary to ensure all external services, interconnections, and data flows are represented.
  2. Validation of federal mandates and requirements, and documentation of the system's capabilities, within the readiness assessment report (RAR) template.
  3. A detailed executive summary highlighting notable strengths and weaknesses, control implementations, and maturity of the information system.
  4. Security assessment plan (SAP) that captures how we will perform the assessment and when key milestones will be completed.
  5. Technical interviews to validate control implementations.
  6. Identification of risks through manual control testing, vulnerability scanning, and penetration testing.
  7. A comprehensive security assessment report (SAR) detailing any risks identified, how they impact the information system, and what remediation activities are needed to reduce risk.
  8. Support throughout the agency sponsor and FedRAMP PMO package review process, providing clarity on testing activity, remediation activities, and the gaps noted by the reviewer.

E Com Security Solutions is a global leader in helping organizations ensure they have the right controls in place to protect the sensitive information of their customers and business partners.