The Inner Circle

  • 1.  FedRAMP issues Moderate and High Readiness Report Templates and Readiness Assessment Report Guide

    Posted Jan 15, 2022 01:42:00 AM
    Hi All,

    FedRAMP just released:
    • FedRAMP Moderate Readiness Assessment Report (RAR) Template
    • FedRAMP High Readiness Assessment Report (RAR) Template
    • 3PAO Readiness Assessment Report Guide

    FedRAMP Moderate Readiness Assessment Report (RAR) Template
    The FedRAMP Moderate RAR Template and its underlying assessment are intended to enable FedRAMP to reach a FedRAMP Ready decision for a specific CSP's system based on organizational processes and the security capabilities of the system. FedRAMP grants a FedRAMP Ready designation when the information in this report template indicates the CSP is likely to achieve a JAB P-ATO or Agency ATO for the system.

    FedRAMP High Readiness Assessment Report (RAR) Template
    The FedRAMP High RAR Template and its underlying assessment are intended to enable FedRAMP to reach a FedRAMP Ready decision for a specific CSP's system based on organizational processes and the security capabilities of the system. FedRAMP grants a FedRAMP Ready designation when the information in this report template indicates the CSP is likely to achieve a JAB P-ATO or Agency ATO for the system.

    3PAO Readiness Assessment Report Guide
    This document provides 3PAOs with guidance on how best to utilize the Readiness Assessment Report (RAR). It provides a shared understanding of the RAR's intent, process, and best practices in service of improving the likelihood of 3PAOs successfully completing the RAR.

    ------------------------------
    Michael Roza CPA, CISA, CIA, MBA, Exec MBA
    ------------------------------


  • 2.  RE: FedRAMP issues Moderate and High Readiness Report Templates and Readiness Assessment Report Guide

    This message was posted by a user wishing to remain anonymous
    Posted Jan 26, 2022 08:34:00 AM

    The FedRAMP High RAR Template and its underlying assessment are intended to enable FedRAMP to reach a FedRAMP Ready decision for a specific CSP's system based on organizational processes and the security capabilities of the system. FedRAMP grants a FedRAMP Ready designation when the information in this report template indicates the CSP is likely to achieve a JAB P-ATO or Agency ATO for the system.


  • 3.  RE: FedRAMP issues Moderate and High Readiness Report Templates and Readiness Assessment Report Guide

    Posted Jan 27, 2022 07:21:00 AM
    Not sure if you need any input and solutions that will help compliance and certification in regards to FedRAMP, CMMC 2.0, CISA, etc.

    If so ... feel free to reach out to [email protected] - and let's take a look at the use case.

    ------------------------------
    Niels E. Anqvist
    CEO/President
    ZAFEHOUZE USA / ZAFEHOUZE EMEA
    ------------------------------



  • 4.  RE: FedRAMP issues Moderate and High Readiness Report Templates and Readiness Assessment Report Guide

    Posted Jan 28, 2022 07:29:00 AM
    Edited by Robert Ficcaglia Jan 28, 2022 07:31:28 AM

    While I appreciate vendors have to eat, I'm not sure what the policy is on explicit adverts?

    That said, let's discuss at face value the topic as practitioners... FedRAMP, CMMC, CSA are very different beasts. Sure there are common attributes and design forces, but that's about where the utility of combining these in a pitch ends. Any sort of one-size-fits-all approach is likely to come up very short, especially in regards to the updated materials Michael posted and the GSA comments on the recent FedRAMP survey.

    Agencies invest a LOT in sponsoring a F/R or even reusing one (thus the Agency Liaison program), so adequately preparing not only the technical controls but the people and process controls is extremely important to success. Ignore these at your great peril.

    If the community has interest in open source (e.g. OSCAL), vendor/commercial, and DIY/in-house approaches to the updated guidance, and in particular how it relates to CSA controls and programs, I would be happy to host a discussion either under the appropriate CSA forum, or in the CNCF security TAG call (CSA and CNCF are working on more collaboration efforts). +1 here or slack me on CNCF

    EDIT: and would wholeheartedly invite vendors and consultants to join and share their advice and experiences to the benefit of all!

    Robert Ficcaglia
    Co-Chair Kubernetes Policy WG
    Kubernetes SIG Security
    CNCF Security TAG, Lead Assessor



    ------------------------------
    Robert Ficcaglia
    CTO
    SunStone Secure, LLC
    ------------------------------



  • 5.  RE: FedRAMP issues Moderate and High Readiness Report Templates and Readiness Assessment Report Guide

    Posted Jan 28, 2022 07:59:00 AM
    Hmm ... can't really follow the rationale in 'vendors have to eat'. We only help those who need help and appreciate help. Just saying, we help defense and suppliers to obtain CMMC/FedRAMP compliance a lot faster, cheaper and easier.

    We can get you to a CMMC L2 SPRS points earned of 80-92% - and none of the organisations we help have responded with a "vendors have to eat".

    Sorry for taking up your time - just trying to help.

    ------------------------------
    Niels E. Anqvist
    CEO/President
    ZAFEHOUZE USA / ZAFEHOUZE EMEA
    ------------------------------