Recently, FedRAMP announced that, per stakeholder feedback, the federal market’s needs for cloud SaaS products are not being met. A significant part of this is the program’s bottleneck. To address this issue, the Office of Management and Budget (OMB) has released a draft memo offering significant program changes, including updates to infrastructure, leadership, and authorization. … Read More
FedRAMP and Penetration Testing Guidance Updates in 2024
Recently, the FedRAMP program (via the OMB) released a request for feedback on new guidance documentation for penetration testing under the program. The new guidance standards target organizations and 3PAOs undergoing or performing penetration tests under FedRAMP requirements. The new guidance addresses new attack vectors targeting subsystems in IT infrastructure. Here, we’ll cover this newest… Read More
What Are the Ivanti Vulnerabilities, and How Do They Impact You?
An emergency vulnerability has emerged in Ivanti products and appliances, and it has sent many service providers, especially those in the federal space, in a rush to close their gaps and respond as best they can. This article covers the incident, the government’s response, and what it means for service providers.
Endpoint Security and Modern Compliance
With all the focus on network security, SaaS compliance, and big data protection, it’s sometimes very easy to forget that the most vulnerable parts of any given system are often those tied to the user. These devices (endpoints) are where these users do most of their work and where a lack of security best practices… Read More
StateRAMP, System Security Plans, and the Operational Control Matrix
StateRAMP is based on the FedRAMP standard, which means that it uses a similar set of documents and requirements to assess and authorize cloud service providers. One of the key documents of both StateRAMP and FedRAMP is the System Security Plan (SSP), which represents the provider’s security controls, compliance perimeter, and capabilities. In Revision 5,… Read More
What Are Core Documents for StateRAMP Authorization?
StateRAMP, much like FedRAMP, includes a series of documents that the cloud provider and their 3PAO must complete before they are fully authorized. These documents align with several stages of the assessment process and provide regulating authorities with the proof they need to see that the cloud offering meets requirements. Here, we summarize the documents… Read More
What Is the Open Security Controls Assessment Language (OSCAL)?
There’s recently been a push within FedRAMP towards modernizing the framework to meet modern security challenges and better align federal security standards across agencies and technologies. Part of this push is standardizing how security controls are measured and assessed, and the most recent blog from FedRAMP mentions a new standard–OSCAL. Here, we will discuss OSCAL,… Read More
Revising FedRAMP Continuous Monitoring with the New OMB Memo
The draft memo released by the OMB signals many potential changes for the FedRAMP program, especially for the continuous monitoring process. Continuous monitoring is a crucial part of FedRAMP that ensures that CSPs maintain compliance. However, this process can also prove complicated and costly for cloud providers, especially small or unique companies offering innovative solutions.… Read More
Compliance Automation in the New FedRAMP Memo Draft
The latest FedRAMP draft memo from the OMB shakes up quite a bit about the program. While nothing is set in stone, much ink is spilled on what it will mean for the program and participating cloud service providers. In this article, we will discuss what this new memo says about automation–specifically, how the program… Read More
Authorization Paths in the New FedRAMP OMB Memorandum
In the ever-expanding cosmos of cloud computing, the Federal Risk and Authorization Management Program (FedRAMP) is the primary standard for cloud service providers working with federal agencies. Recognizing this, the Office of Management and Budget (OMB) has released a draft memorandum to revitalize FedRAMP, signaling a pivotal transformation to enhance the program’s efficiency, agility, and… Read More
FedRAMP and Evolving Requirements for MSPs and SaaS Providers
The FedRAMP OMB has recently released a memorandum on modernizing the standard to address new realities in digital technology. This shift reflects the increasing reliance on Software-as-a-Service (SaaS) and the strategic roles of Managed Service Providers (MSPs) in the federal space, as well as the impact of new technologies like artificial intelligence. This article aims to… Read More
Implementing SOC 2 Requirements for Cloud Environments
SOC 2 compliance provides a structured approach to ensuring data security, availability, and processing integrity, among other aspects. This article will dive into the specifics of SOC 2 and its impact on cloud security, shedding light on the technical controls, best practices, and the vital role of third-party attestations in bolstering trust between service providers… Read More
How to Determine Cybersecurity Impact Level Using FIPS 199
The Federal Information Processing Standard (FIPS) 199 provides organizations and individuals with the necessary guidance to determine a cybersecurity threat’s impact level accurately. These impact levels define the level of security a system should have to protect the data contained therein adequately. This article will take you through an overview of FIPS 199 and how… Read More
What Are the Evaluation Criteria for JAB Prioritization?
The Federal Risk and Authorization Management Program (FedRAMP) plays a pivotal role in safeguarding the security of cloud services within the U.S. federal government. An essential element of this program is the Joint Authorization Board (JAB), which is responsible for prioritizing and authorizing cloud offerings from cloud providers. The JAB prioritization process is a… Read More
The Impact of Executive Order 14028 on FedRAMP
Government responses to evolving security threats have, to a greater or lesser degree, started to incorporate advanced mitigation postures that reflect a world of networked systems and complex digital supply chains. To address this changing landscape, the president issued Executive Order 14028, “Executive Order on Improving the Nation’s Cybersecurity.” This 2021 order introduced a zero-trust… Read More
What Is an Authorization Boundary for FedRAMP and StateRAMP?
Assessments for both StateRAMP and FedRAMP rely on the 3PAO’s understanding of the systems and people that will interact with a specific government agency. With this knowledge, it’s easier to determine where particular requirements begin and where they end. Across both of these frameworks, this concept is known as the “authorization boundary.” The authorization boundary… Read More
The New FedRAMP Marketplace
On February 20th, the FedRAMP PMO announced the release of the newest design for the FedRAMP Marketplace. While this news doesn’t necessarily shake the foundations of government compliance, the Marketplace is an essential resource for agencies looking for a trustworthy source of information regarding cloud providers. In this article, we’ll break down what kind… Read More
What Is Binding Operational Directive 23-02, and Does It Impact FedRAMP?
From time to time, new directives and requirements come up in the federal space that have ripple effects throughout the cybersecurity landscape. Recently, FedRAMP raised a note that a new Binding Operational Directive has shifted some requirements for agencies and contractors. While this doesn’t seem to directly impact the program, it is significant enough for… Read More
FedRAMP and DoD Impact Levels
As the Department of Defense (DoD) increasingly leverages cloud services, the need to classify and secure sensitive data has never been more important. To address that need, the DoD’s Cloud Computing Security Requirements Guide (SRG) provides a comprehensive framework, establishing different Impact Levels to classify the appropriateness of a system to handle specific… Read More
FedRAMP High Impact Level and Unique NIST Controls
In the era of digitization, the security of cloud services, particularly those engaged with federal agencies, is paramount. The government uses the Federal Risk and Authorization Management Program (FedRAMP) to ensure cloud services meet stringent security standards to protect federal data. This article will dig into the intricacies of the FedRAMP High Impact Level and its… Read More
What Information Is Included in a FedRAMP System Assessment Report (SAR)?
The Federal Risk and Authorization Management Program (FedRAMP) is a security assessment and authorization program for cloud services used by the federal government. It is designed to ensure that cloud services meet the federal government’s security requirements, and that sensitive government data remains protected. A critical component of the FedRAMP security authorization process is the… Read More
StateRAMP and Incident Response: What You Need to Know
In the unfortunate event that a breach occurs, organizations must have a plan in place to respond and recover. StateRAMP borrows requirements from FedRAMP and NIST 800-53 to define how exactly state and local governments can implement incident response into their overall security infrastructure.
StateRAMP and Personnel Security
As the old saying goes, the weakest link in any security system is the user. This isn’t an insult but rather a commentary on the impossibility of eliminating every vulnerability in a system that humans have to use daily. In terms of actually mitigating direct security threats associated with users, however, there can be no… Read More
What Is StateRAMP Fast Track?
Much hay has been made about how cloud providers can take advantage of the new StateRAMP program. Only a few years into operations, there are already questions about how governments and cloud providers can leverage the requirements to bring top-tier cybersecurity to a local level. One of these questions involves the adoption of StateRAMP standards… Read More