ControlCase

IT Certifications, Continuous Compliance and Cybersecurity Services Provider

You are here: Home / Certifications / FedRAMP and 3PAO Services

ControlCase is a FedRAMP Third Party Assessment Organization (3PAO). The 3PAO status qualifies ControlCase to assist cloud providers in achieving FedRAMP compliance and verifies that ControlCase has the technical competence required by FedRAMP to assist cloud providers in achieving FedRAMP certification. FedRAMP-authorized cloud providers are then listed on the FedRAMP Marketplace.

 

What is FedRAMP?

The United States Federal Risk and Authorization Management Program, known as FedRAMP, is one of the federal government’s most rigorous security compliance frameworks. It enables the federal government to accelerate the adoption of cloud computing by creating transparent standards and processes for security authorizations. FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies.

 

FedRAMP Entities:

1.   Joint Authorization Board (JAB)
JAB is the primary governance and decision-making body for FedRAMP. Its members include the chief information officers (CIOs) from the Department of Defense, Department of Homeland Security, and General Services Administration.

2.   Program Management Office (PMO)
Resides within GSA and supports agencies and cloud service providers through the FedRAMP authorization process. PMO also maintains a secure repository of FedRAMP authorizations to enable reuse of security packages.

 

What is FedRAMP Marketplace?

The FedRAMP Marketplace is maintained by the FedRAMP Program Management Office (PMO). It serves as a database of Cloud Service Offerings (CSOs) that have achieved a FedRAMP designation and Accredited Auditors (known as 3PAOs) that can perform the FedRAMP assessment.

ControlCase is a FedRAMP Third Party Assessment Organization (3PAO).

 

Who does FedRAMP Apply to?

Any cloud services that hold federal data must be FedRAMP Authorized.

FedRAMP prescribes the security requirements and processes cloud service providers must follow for the government to use their service.

 

How hard is it to get FedRAMP certified? How long does it take to get FedRAMP?

There are two types of FedRAMP authorizations: a Provisional Authority to Operate (P-ATO) from the Joint Authorization Board (JAB) and an Agency Authority to Operate (ATO).

1. PROVISIONAL AUTHORITY TO OPERATE  (FedRAMP P-ATO)

  • Issued by the Joint Authorization Board.
  • Prioritizes authorizing cloud services that will be widely used across government.
  • CIOs of DoD, DHS and GSA must agree that the CSP meets all controls and presents an acceptable risk posture for use across the federal government.
  • Conveys a baseline level of likely acceptability for government-wide use.
  • CSPs must use an accredited Third-Party Assessor Organization (3PAO).
  • FedRAMP PMO manages continuous monitoring activities.

2. AGENCY AUTHORITY TO OPERATE (FedRAMP ATO)

  • Issued by the agency only.
  • Agencies have varying levels of risk acceptance.
  • Agency monitors the CSPs continuous monitoring activities.
  • Typically use a 3PAO, like ControlCase, to perform independent testing.

 

ControlCase Methodology for FedRAMP Compliance

As a 3PAO, ControlCase will independently verify and validate the control implementation and test results for your organization, the Cloud Service Provider (CSP), using a four phase approach.  Each phase will have a specific set of tasks and deliverables required to guide you, as the CSP, through the FedRAMP Joint Authorization Board (JAB) Provisional Authorization to Operate (P-ATO) process.

The methodology consists of the following phases:

ControlCase FedRAMP Methodology

 

Four Phases of Assessment Process:

Compliance validation is demonstrated and assessed in following four progressive Steps.

1. Readiness Assessment: ControlCase will perform a readiness assessment of your service offering as required for your organization to achieve your “FedRAMP Ready” designation from the FedRAMP Program Management Office (PMO) and Joint Authorization Board (JAB).
Activities Included:

  • Perform the readiness assessment activities to include active validation of all information provided by the CSP on its service offering.
  • Deliver a Readiness Assessment Report (RAR) attesting to your Cloud Service Offering’s (CSO) readiness for the authorization process.

 

Deliverable:

Readiness Assessment Report (RAR) – ControlCase will prepare and submit the RAR utilizing the FedRAMP Readiness Assessment Report template. The RAR will be reviewed by the FedRAMP PMO to determine if the Cloud Service Offering (CSO) can be designated as “FedRAMP Ready” and advertised in the FedRAMP Marketplace.
2. Full Security Assessment: ControlCase will complete the full security assessment of the CSP’s Cloud Service Offering (CSO) based upon the System Security Plan (SSP) provided by the CSP.
Activities Included:

  • Develop the detailed Security Assessment Plan (SAP) based on the System Security Plan (SSP) provided at the start of this phase.
  • Conduct a full security assessment of the service offering to include detailed testing of all applicable controls documented in the SSP.
  • Document all results in a Security Assessment Report (SAR) as required by the FedRAMP PMO.
  • The CSP then develops a Plan of Actions and Milestones (POA&M) to track and manage system security risks identified in the SAR.
  • Work with the CSP to ensure the completed SSP, SAP, SAR and POA&M package meets the FedRAMP PMO requirements prior to entering Phase 3.

 

Deliverable:

Security Assessment Plan (SAP) – ControlCase will prepare and submit the SAP utilizing the FedRAMP Security Assessment Plan template. The SAP will define the processes, procedures, and methodologies used for our testing.

Security Assessment Report (SAR) – ControlCase will prepare and submit the SAR utilizing the FedRAMP Security Assessment Report Template for Annual Assessments. The SAR documents the results of the testing performed.   The SAR will clearly identify what was tested and what was not tested as part of this assessment, especially for any non-applicable controls and inherited controls from leveraged systems, as may be applicable.  The SAR includes the following components:

  • Test procedure workbooks (including detailed observations and evidence, implementation status, findings, and risk exposure information)
  • Vulnerability scan results (infrastructure, web application and database)
  • Penetration testing report.
3. Authorization Process: ControlCase will participate with the JAB, FedRAMP PMO and CSP’s authorization team to review the CSP offering in detail to kick off the authorization process. ControlCase will assist the CSP in responding to any questions or comments from the FedRAMP PMO on the CSP offering package.
Activities Included:

  • Participate in the kick off meeting with the JAB, FedRAMP PMO and CSP.
  • Address any questions and comments from the JAB reviewers in a timely manner.
  • Participate in all regular meetings with the CSP, PMO and JAB Reviewers.
  • Remediate any documentation issues as needed to ensure all JAB Reviewer comments are addressed.
  • Support the CSP as they work to receive a P-ATO decision and formal authorization of their CSO from the FedRAMP PMO.

 

Deliverable:

Edits to the SAP and SAR as required and based on questions or comments from the JAB Reviewer.
4. Continuous Monitoring Annual Security Assessment: Continuous monitoring is a major part of the FedRAMP authorization process and ControlCase will complete the annual security assessment based on the results of the control selection process. Our testing will utilize the FedRAMP Test Cases and the requirements specified in the FedRAMP Continuous Monitoring and Strategy Guide.
Activities Included:

  • Assess a defined subset of the security controls consisting of FedRAMP-selected core controls and CSP-selected controls according to the test cases provided by FedRAMP.
  • Validate the rationale provided by the CSP to exclude core controls that are not applicable or fully inherited by the CSO.
  • Evaluate continuous monitoring controls to verify that ongoing continuous monitoring activities are in place and have been occurring as described in the SSP.
  • Verify that no implementation “gaps” exist for all requirements of a control that is inherited from a leveraged system.
  • Evaluate all open POA&M items related to in-scope controls to ensure consistency with the SAR.
  • Confirm adequate resolution of any POA&M closures and continued applicability of any Deviation Requests.
  • Perform annual scans of web applications, databases, and operating systems. This includes onsite observation or other verification of results if the scans are performed by the CSP.
  • Perform penetration testing on the CSO.
  • Prepare deliverables in a format that cannot be altered.
  • Submit the assessment report to the Information System Security Officer (ISSO) before the CSP’s authorization anniversary date.

 

Deliverable:

Security Assessment Plan (SAP) – ControlCase will prepare and submit the SAP utilizing the FedRAMP Security Assessment Plan Template for Annual Assessments. The SAP will define the processes, procedures, and methodologies used for our testing.

Security Assessment Report (SAR) – ControlCase will prepare and submit the SAR utilizing the FedRAMP Security Assessment Report Template for Annual Assessments. The SAR documents the results of the testing performed.   The SAR will clearly identify what was tested and what was not tested as part of this assessment, especially related to non-applicable controls and inherited controls from leveraged systems as may be applicable.  The SAR includes the following components:

  • Test procedure workbooks (including detailed observations and evidence, implementation status, findings, and risk exposure information).
  • Vulnerability scan results (infrastructure, web application and database).
  • Penetration testing report.

Benefits to our approach include:

ADAPTIBILITY
This approach is adaptable to most ticketing systems.
SIMPLICITY
This approach is repeatable.
TRANSPARENCY
Track progress against only applicable questions.
TRACKABILITY
Stay organized with assessor comments and date stamps.

Advisory Services

Application Security Training

Helps promoting developer education on the importance of integrating security into the software....
Read More

Data Discovery

Our easy-to-use enterprise data discovery solution provides scanning capabilities to search your....
Read More

Application Source Code Reviews

The objective of the ControlCase code review exercise is to quantify the level of security exposure....
Read More

Penetration Testing

ControlCase offers application and network level penetration testing performed through the best....
Read More

Integrated compliance

The SkyCAM solution out of the box provides control mapping with other standard and regulation.....
Read More

Maintain ongoing Secure Software and Secure SLC compliance

PCI DSS compliance is not a onetime effort, but a continuous process that requires ongoing....
Read More

Need more information?

Contact Us