Hmm ... can't really follow the rationale in 'vendors have to eat'. We only help those who need help and appreciate help. Just saying, we help defense and suppliers to obtain CMMC/FedRAMP compliance a lot faster, cheaper and easier.
We can get you to a CMMC L2 SPRS points earned of 80-92% - and none of the organisations we help has responded with a "vendors have to eat".
Sorry for taking up your time - just trying to help.
------------------------------
Niels E. Anqvist
CEO/President
ZAFEHOUZE USA / ZAFEHOUZE EMEA
------------------------------
Original Message:
Sent: Jan 28, 2022 07:28:59 AM
From: Robert Ficcaglia
Subject: FedRAMP issues Moderate and High Readiness Report Templates and Readiness Assessment Report Guide
While I appreciate vendors have to eat, I'm not sure what the policy is on explicit adverts?
That said, let's discuss at face value the topic as practitioners... FedRAMP, CMMC, CSA are very different beasts. Sure there are common attributes and design forces, but that's about where the utility of combining these in a pitch ends. Any sort of one-size-fits-all approach is likely to come up very short, especially in regards to the updated materials Michael posted and the GSA comments on the recent FedRAMP survey.
Agencies invest a LOT in sponsoring a F/R or even reusing one (thus the Agency Liaison program), so adequately preparing not only the technical controls but the people and process controls is extremely important to success. Ignore these at your great peril.
If the community has interest in open source (e.g. OSCAL), vendor/commercial, and DIY/in-house approaches to the updated guidance, and in particular how it relates to CSA controls and programs, I would be happy to host a discussion either under the appropriate CSA forum, or in the CNCF security TAG call (CSA and CNCF are working on more collaboration efforts). +1 here or slack me on CNCF.
EDIT: and would wholeheartedly invite vendors and consultants to join and share their advice and experiences to the benefit of all!
Robert Ficcaglia
Co-Chair Kubernetes Policy WG
Kubernetes SIG Security
CNCF Security TAG, Lead Assessor
------------------------------
Robert Ficcaglia
CTO
SunStone Secure, LLC
Original Message:
Sent: Jan 27, 2022 07:20:34 AM
From: Niels E. Anqvist
Subject: FedRAMP issues Moderate and High Readiness Report Templates and Readiness Assessment Report Guide
Not sure if you need any input and solutions that will help compliance and certification in regards to FedRAMP, CMMC 2.0, CISA etc.
If so ... feel free to reach out to [email protected] - and let's take a look at the use case.
------------------------------
Niels E. Anqvist
CEO/President
ZAFEHOUZE USA / ZAFEHOUZE EMEA
Original Message:
Sent: Jan 26, 2022 04:09:41 AM
From: Anonymous Member
Subject: FedRAMP issues Moderate and High Readiness Report Templates and Readiness Assessment Report Guide
This message was posted by a user wishing to remain anonymous
The FedRAMP High RAR Template and its underlying assessment are intended to enable FedRAMP to reach a FedRAMP Ready decision for a specific CSP's system based on organizational processes and the security capabilities of the system. FedRAMP grants a FedRAMP Ready designation when the information in this report template indicates the CSP is likely to achieve a JAB P-ATO or Agency ATO for the system.
Original Message:
Sent: Jan 15, 2022 01:42:05 AM
From: Michael Roza
Subject: FedRAMP issues Moderate and High Readiness Report Templates and Readiness Assessment Report Guide
Hi All,
FedRAMP just released:
- FedRAMP Moderate Readiness Assessment Report (RAR) Template
- FedRAMP High Readiness Assessment Report (RAR) Template
- 3PAO Readiness Assessment Report Guide
FedRAMP Moderate Readiness Assessment Report (RAR) Template
The FedRAMP Moderate RAR Template and its underlying assessment are intended to enable FedRAMP to reach a FedRAMP Ready decision for a specific CSP's system based on organizational processes and the security capabilities of the system. FedRAMP grants a FedRAMP Ready designation when the information in this report template indicates the CSP is likely to achieve a JAB P-ATO or Agency ATO for the system.
FedRAMP High Readiness Assessment Report (RAR) Template
The FedRAMP High RAR Template and its underlying assessment are intended to enable FedRAMP to reach a FedRAMP Ready decision for a specific CSP's system based on organizational processes and the security capabilities of the system. FedRAMP grants a FedRAMP Ready designation when the information in this report template indicates the CSP is likely to achieve a JAB P-ATO or Agency ATO for the system.
3PAO Readiness Assessment Report Guide
This document provides 3PAOs with guidance on how best to utilize the Readiness Assessment Report (RAR). It provides a shared understanding of the RAR's intent, process, and best practices in service of improving the likelihood of 3PAOs successfully completing the RAR.
------------------------------
Michael Roza CPA, CISA, CIA, MBA, Exec MBA
------------------------------