What Is the Authorization Boundary in FedRAMP?

When it comes to managing FedRAMP-compliant systems, it helps to understand the entirety of the system that will fall under this jurisdiction. Unfortunately, with the complexity of cloud systems being what they are, mapping out IT systems with the right granularity can provide a challenge. This is why FedRAMP guides determining an organization’s authorization boundary.

What Is FedRAMP JAB Provisional Authorization?

Last week, we discussed the process for Agency Authorization under FedRAMP guidelines. This route is, by far, the most common form of Authorization and one that most cloud providers will engage with. However, there are several use cases where a provider may seek more rigorous assessment to better open doors to serve with agencies across… Read More

Cloud Architecture and FedRAMP Authorization Boundaries

Cloud computing and modern service models of software or infrastructure distribution present a problem to providers and customers alike–namely, how to properly assess and certify components in a way that considers the relationship between different modules, platforms, and apps. FedRAMP requirements define how assessors and Authorization approach different cloud offering service models to mitigate the… Read More

What Is the FedRAMP Agency Authorization Process?

As cloud service providers pursue their FedRAMP authorization process, they face a significant choice stemming from their ultimate goals in the federal space. This decision is based on how they are pursuing their working relationships with federal agencies and how well the provider is prepared for the rigorous FedRAMP assessment process. When a provider enters… Read More

What Is the StateRAMP Security Assessment Framework?

StateRAMP is now nearly two years old, and the small project is quickly becoming a mainstay in the security industry. State and local governments are looking for a solid cybersecurity framework that they can use to vet and certify cloud providers that they may work with.  In this article, we’ll talk about the basics of… Read More

What Documents Are Required for FedRAMP Authorization?

The federal government leans more heavily on technology providers, including cloud computing platforms that support data storage, processing, and office application solutions. Accordingly, the question of data security is live, and the government’s response is to implement the FedRAMP authorization requirement.  Like many other government programs, FedRAMP can threaten to bury the under prepared provider… Read More

FedRAMP and CISA: What Is Binding Operational Directive 22-01

Managing cybersecurity threats is a full-time job, and most cybersecurity specialists rely on shared knowledge between experts in the field to combat these threats. The Common Vulnerabilities and Exposures (CVE) database provides a starting point for this kind of knowledge, centralizing an index of known security vulnerabilities in the wild.  The CVE program recently joined… Read More

Is CMMC Compatible with FedRAMP Certification?

Any IT or cloud provider working with the government needs to show that they are secured against data breach or theft. As the SolarWinds hack has demonstrated, our interconnected technology systems are under attack from outside entities who want to gain access to critical civil, military, and industrial data and undermine our security. That’s why… Read More

Core StateRAMP Reports for Provider Certification

StateRAMP, like any other compliance framework, includes several reports to document a provider’s progress through certification for the Program Management Office (PMO). As of February 2021, however, the PMO is still spinning up its resources and and StateRAMP reports templates. As such, many required report templates are slated for availability on the StateRAMP website but… Read More

SolarWinds and SUNBURST: The Technical Risks of State-Sponsored Terrorism

The news cycle for anyone connected with cybersecurity has been dominated by information regarding the SolarWinds hack. This breach, starting with a single cloud and security provider, has now become a national emergency as more and more private institutions have become infected with potentially dangerous results. As this situation unfolds, we wanted to touch base… Read More

7 Ways a Managed Service Provider Can Protect Their Clients 

Managed service providers carry a few additional burdens that many traditional IT companies don’t. Because the products and services of a managed service provider are used by different businesses, often in different industries, there is a balancing act between managing their own security needs and the needs of their clients. Different responsibilities, requirements, and approaches… Read More

How does FedRAMP help Cloud Service Providers?

FedRAMP is one of the most popular topics on our website and blogs. One big question we often receive from Cloud Service Providers (CSP), is how can a FedRAMP authorization impact their business. Cloud Service Providers and FedRAMP FedRAMP is a program that enables cloud services providers (CSPs) to meet and demonstrate the security requirements… Read More

What DoD Contractors Need to Know About the CMMC

The DoD unveiled its proposed Cybersecurity Maturity Model Certification (CMMC) to prevent supply chain attacks Cyberattacks on the U.S. government’s vast network of contractors and subcontractors pose a serious threat to national security, and the DoD is taking action. The agency tasked NIST with developing a set of guidelines addressing advanced persistent threats against contractors… Read More

How Are IT Compliance and Cyber Security Different?

IT Compliance and Cyber Security: Understanding the Differences IT compliance and cyber security are often used interchangeably, even within the cyber security and compliance fields. This is the basis for the completely incorrect and dangerous notion that achieving compliance automatically equals being secure. While there is some overlap, and the two fields complement each other,… Read More

Which FedRAMP Security Impact Level Is Right for You?

Understanding FedRAMP security impact levels and baselines You would never pay $1,000 upfront and $30/month for a security system to protect a shed containing $100 worth of lawn equipment. However, you wouldn’t hesitate to spend that much or more to protect your home and family. The same concept applies in information security. Different kinds of… Read More

The FedRAMP Assessment Process: Tips for Writing a FedRAMP SSP

Advice for writing a successful FedRAMP SSP A FedRAMP SSP (System Security Plan) is the bedrock of a FedRAMP assessment and the primary document of the security package in which a cloud service provider (CSP) details their system architecture, data flows and authorization boundaries, and all security controls and their implementation. Keep in mind that… Read More

Why Cloud Service Providers Should Consider FedRAMP Certification

FedRAMP Certification Can Help Grow Your Cloud Service Business The Federal Risk and Authorization Management Program (FedRAMP) was designed to support the federal government’s “cloud-first” initiative by making it easier for federal agencies to contract with cloud providers. Like FISMA, DFARS, CJIS, and HIPAA, FedRAMP’s security controls are based on NIST 800-53. If your cloud… Read More

Third-Party Breaches: How Secure are Your Vendors?

Verizon, Trump Hotels, and the RNC are Among the Recent Victims of Third-Party Breaches Even if your own cyber security is up to snuff, your organization could be at risk of third-party breaches if your business partners are not as diligent as you are. Verizon just learned this lesson the hard way after one of… Read More

Why Excel is so Old-School and how to be Cool-School

We get it. We completely understand why you still use Excel as an assessment and audit tool. We suffered through it just the same but we believe that working smarter and not harder which is why we invented ITAM IT audit software. The IT Audit Machine (ITAM IT audit software) is the patent pending, industry… Read More

Survival Guidance! FedRAMP and FISMA Resource for Assessing the Security Controls in Federal Information Systems and Organizations

Survival Guidance! MichaelPeters.org and LazarusAlliance.com is making our auditor’s resource for assessing the security controls in federal information systems and organizations free. This is a resource based on the NIST 800-53A framework you may freely use to conduct your organization’s FedRAMP, HIPAA or best practice based security audits. Your results are private and the output… Read More