Preparation¶
Readiness Assessment¶
The FedRAMP Readiness Assessment is optional but is highly recommended for CSPs pursuing a FedRAMP authorization with a federal agency partner. CSOs categorized at the Moderate or High impact levels can pursue a FedRAMP Ready designation.
FedRAMP Ready indicates that a CSP has utilized the services of a FedRAMP-recognized 3PAO to conduct a FedRAMP Readiness Assessment, and the 3PAO has determined that the CSP is fully ready to pursue (and likely to achieve) a FedRAMP authorization for the CSO. The results of a FedRAMP Readiness Assessment are documented in a FedRAMP-provided Readiness Assessment Report (RAR) template. The RAR is submitted to FedRAMP for review and approval. Once approved, the CSO achieves a FedRAMP Ready designation on the FedRAMP Marketplace, and the RAR is made available to federal agencies via the FedRAMP secure repository.
To understand the scope of a FedRAMP Readiness Assessment, federal agencies can review the FedRAMP Moderate RAR Template or the FedRAMP High RAR Template. At a high level, the FedRAMP Readiness Assessment is primarily focused on the status of technical capabilities rather than on the status of documentation. While some CSPs may have a fully developed system security plan (SSP) at the time of the assessment, a completed SSP is not required. During the FedRAMP Readiness Assessment, 3PAOs validate the CSP's ability to meet specific federal mandates, the CSP's ability to satisfy technical security requirements, and the CSP's maturity in areas such as change management and ConMon.
Federal agencies should consider partnering with a CSO that has achieved the FedRAMP Ready designation if the CSO meets the federal agency's mission needs. FedRAMP Ready indicates that the CSP has done most of the heavy lifting and just needs a federal agency to partner with them to pursue an initial FedRAMP authorization.
Pre-Authorization¶
During the Pre-Authorization phase, the federal agency and CSP agree to partner on a FedRAMP authorization. The federal agency and CSP then work together to prepare for and develop a plan for the agency authorization and hold a formal kickoff meeting.
Partnership Establishment¶
During the Partnership Establishment phase, the federal agency agrees to partner with a CSP to pursue an initial FedRAMP authorization. If you are thinking about partnering with a CSP, consider the following steps, and, if needed, schedule a call with your FedRAMP Agency Liaison to talk through the process:
- Clearly define your federal agency's mission needs and specific requirements for a CSO and begin researching possible providers.
- Understand the sensitivity of the data that will be used with the CSO. To categorize your data, review the NIST Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems.
- Review the FedRAMP Marketplace to see if there is a CSO that meets your mission needs and is able to provide the right level of security given the data.
- If you find a CSO that meets your mission needs, but is not on the FedRAMP Marketplace, meet with the associated CSP to determine the organization's willingness and commitment to pursue a FedRAMP authorization. If the CSP would like to learn more about the FedRAMP process, direct them to the FedRAMP CSP Authorization Playbook. If the CSP has not already done so, instruct the CSP to complete FedRAMP's CSP Information Form. Completing the form will generate a unique FedRAMP ID for the system that will stay with the offering for the lifecycle of its FedRAMP journey.
Consider the following when determining the CSP's readiness for pursuing a FedRAMP authorization:
- Fully built and functional system
- Mature organizational and security processes
- Committed CSP leadership team
- Proven maturity (CMMI Level 3+, ISO organizational certifications)
- Other certifications (CMMC, SOC 2, ISO 27001, PCI, etc.)
Authorization Planning¶
The purpose of the Planning phase is to set up the authorization for success. The authorization planning process is a collaborative effort between the federal agency and CSP. During the Planning phase, stakeholders will:
- Establish a collaborative and transparent working relationship. This includes:
  - Identifying CSP and federal agency project leads/primary points of contact.
  - Deciding how CSP and federal agency teams will communicate and collaborate. FedRAMP recommends establishing a recurring meeting (at least bi-weekly) to ensure the project stays on track and that everyone remains accountable for their respective areas of responsibility.
- Identify federal agency team members assigned to review the authorization package. Federal agency reviewers should have knowledge of the NIST Risk Management Framework and experience reviewing FISMA and/or FedRAMP authorization packages.
- Determine how the CSP and 3PAO will share authorization package deliverables with the federal agency.
- Develop a method for capturing and tracking agency reviewer comments/questions.
- Determine the federal agency's internal process for reaching an authorization decision and granting an ATO.
- Determine the federal agency's approach for reviewing the authorization package, choosing one of the two approaches described below:
  - Just-In-Time Linear Approach: Each FedRAMP deliverable builds upon another, starting with the SSP. The SSP and appendices, security assessment plan (SAP), and security assessment report (SAR) are completed in a linear fashion, obtaining feedback from the federal agency once each deliverable is produced. In turn, modifications are made to each deliverable based on the federal agency's review. Once the deliverable is finalized and accepted by the federal agency, work begins on the next deliverable.
  - All Deliverables Provided Simultaneously: All FedRAMP deliverables (i.e., SSP/appendices, SAP, SAR, and Plan of Action and Milestones (POA&M)) are completed and submitted to the federal agency at once. The federal agency reviews all deliverables together and works collaboratively with the CSP and 3PAO.
FedRAMP Recommendation: FedRAMP recommends the Just-In-Time approach, as it is a more iterative and agile approach that may prevent rework after 3PAO testing has occurred.
Work Breakdown Structure and In Process Request¶
As your federal agency finalizes the Authorization Planning phase, complete the following actions:
Complete a Work Breakdown Structure (WBS) and submit a FedRAMP In-Process Request to FedRAMP via intake@fedramp.gov. The completion of this form indicates to FedRAMP that your federal agency is ready to begin coordinating a kickoff meeting with the CSP and 3PAO (optional and recommended). It also indicates that you have reviewed and approved the WBS, and that 3PAO testing is scheduled within six (6) months. Instruct your CSP to begin working on the kickoff meeting presentation. Kickoff requirements can be found on the FedRAMP website.
Kickoff Meeting¶
The purpose of the kickoff meeting is to formally begin the FedRAMP agency authorization process by introducing key team members, reviewing the CSO, and ensuring all stakeholders are aligned on the overall process. Review FedRAMP's Kickoff Briefing guidance to understand the full scope of a FedRAMP-facilitated kickoff meeting.
At the conclusion of the kickoff meeting, all stakeholders will have a shared understanding of:
- The overall authorization process, milestones, deliverables, roles and responsibilities, and schedule.
- The roles and responsibilities of all project team members, including federal agency, CSP, and 3PAO personnel.
- The CSO's purpose and function, authorization boundary, data flows, known security gaps and plans for remediation, federal agency-specific requirements, customer-responsible controls, and areas that may require federal agency risk acceptance.
- The federal agency's process for reviewing the authorization package and reaching a risk-based authorization decision.
- Best practices and tips for success.
Kickoff: CSP Roles and Responsibilities¶
- Prior to the kickoff meeting: Develop a kickoff meeting presentation that aligns with the guidance provided by FedRAMP. Participate in planning meeting(s) with the federal agency to:
  - Understand the federal agency's process for performing a quality and risk review of the authorization package.
  - Communicate customer-responsible controls.
  - Decide how the CSP and federal agency teams will communicate and collaborate throughout the process.
- During the kickoff meeting: Ensure the right team members attend the kickoff meeting. While the CSP's leadership/sales team is welcome to attend, it is important to include team members who can describe the security capabilities of the CSO and answer a variety of technical/security questions. Deliver a kickoff meeting presentation that aligns with the guidance provided by FedRAMP.
Kickoff: Agency Roles and Responsibilities¶
- Prior to the kickoff meeting: Participate in planning meeting(s) with the CSP to:
  - Communicate the federal agency's process for performing a quality and risk review of the authorization package.
  - Understand customer-responsible controls that must be implemented and tested by the federal agency.
  - Decide how the CSP and federal agency teams will communicate and collaborate throughout the process.
- Ensure the right team members attend the kickoff meeting: While the federal agency business owner is welcome to attend, it is important to include the federal agency team members who will be responsible for reviewing the authorization package and making authorization decisions.
- During the kickoff meeting: Raise questions if anything is unclear. Federal agency team members should walk away from the kickoff meeting with a clear understanding of the authorization boundary, how federal data/metadata is protected as it flows through the CSO, customer-responsible controls, and any security gaps or areas that may require risk acceptance. Describe the federal agency's process for performing a quality and risk review of the authorization package. Describe the federal agency's process for reaching an authorization decision and issuing an ATO letter.
Administrative Requirements: If there are any additional internal administrative requirements, such as uploading to any governance, risk management, and compliance (GRC) tools, they should be communicated at the kickoff meeting and built into the authorization timeline.