Last Updated on January 13, 2024
The “home stretch” on any journey to a Federal Risk and Authorization Management Program Authority to Operate (FedRAMP ATO) is the runup to your assessment with your Third-party Assessment Organization (3PAO). Preparations include completing your System Security Plan (SSP) and roughly 25 other documents that comprise the ATO submission package for your sponsoring agency. But where the rubber really meets the road is the run-up to the audit itself.
Mike Craig, CEO at Vanaheim Security, describes what the 3PAO audit preparation process looks like.
Building your FedRAMP System Security Plan
If you’re heading towards a FedRAMP authorization, one of the key deliverables is your System Security Plan. This is likely to be a hefty document, averaging 500-600 pages in a highly templatized format with a lot of detail.
“If you already have your processes and architecture built to the controls, and you know exactly what you’re doing, then the documentation goes much faster,” Mike notes. “There’s not a lot of changes and back-and-forth, which speeds up the process tremendously.”
So, no surprise, proper planning and preparation lay the groundwork for efficient implementation of controls and processes.
The 3PAO assessment
The final step before being awarded a FedRAMP ATO is the third-party assessment with your 3PAO. This includes penetration testing, a documentation review, and testing your controls to make sure your process and technology are meeting them.
“The assessment preparation phase is really to prepare you for that moment,” says Mike. “You want to do well on it because you spent a significant amount of time and resources to get up to this point.”
Another function of the assessment preparation phase is to jumpstart organizational learning about operating your FedRAMP environment.
“I call it building ‘muscle memory’ around what evidence they’ll be looking for, how they’re going to interview you, and how the overall audit process is going to go,” Mike relates. “That helps prepare all of your teams, identifies who that’s going to be, and organizing the large interview process that comes with these assessments.”
What’s next?
For more guidance on this topic, listen to Episode 120 of The Virtual CISO Podcast with guest Mike Craig from Vanaheim Security.