Quick Guide to the FedRAMP Readiness Process
August 2014
Presented by: FedRAMP PMO
www.fedramp.gov

What is the readiness process?

The FedRAMP readiness process is used to determine a CSP’s eligibility for the Joint Authorization Board (JAB) Provisional Authorization process. To be eligible, the CSP must:
– Have an understanding of the FISMA and FedRAMP requirements and process
– Be able to commit the resources needed to complete a FedRAMP assessment
– Have the ability to implement the FedRAMP control baseline
– Meet FedRAMP requirements for level of detail in documenting the control implementation

Readiness Process Roles

CSP
– Provide information about the cloud system and documentation, and make updates in response to comments from FedRAMP
– Learn about the FedRAMP process

FedRAMP Readiness and Development Team
– Review incoming applications and initiate contact with CSPs
– Coordinate the readiness process
– Perform a completeness check and review the CSP’s initial documentation
– Provide comments and feedback on documentation to the CSP
– Recommend to the Director or Project Manager whether to kick off the full FedRAMP assessment

FedRAMP Director / FedRAMP Manager
– Make the final decision on whether the CSP starts the full FedRAMP assessment

Readiness Process Overview

The process is composed of three steps:
– CSP Interview
– Documents Review
– Kick-Off Decision

CSP Interview Process

Schedule CSP Interview
After receiving the CSP’s FedRAMP application, the FedRAMP Readiness and Development Team schedules an initial interview to:
– Answer questions and provide information about the FedRAMP JAB P-ATO process
– Learn about the system that the CSP is offering
– Gauge the CSP’s current knowledge of FedRAMP
– Determine the resources that the CSP is able to dedicate to a FedRAMP assessment

Send Invite to Documentation Training
The FedRAMP Readiness and Development Team offers training on completing FedRAMP documentation. An invite to the (optional) training is sent to the CSP following the interview. This training gives CSPs an overview of the required FedRAMP templates and training on the level of detail required by the FedRAMP process.

Interview Feedback
The FedRAMP Readiness and Development Team provides feedback to the CSP based on the CSP interview. If the Readiness and Development Team determines that the CSP has taken the steps needed to start the FedRAMP process, the team requests an initial copy of the CSP’s documentation. If the Readiness and Development Team determines that the CSP is not ready at this point, a team representative provides feedback on what the CSP needs to do to get ready for the process.

Initial SSP Review

Request Initial Documents
If the CSP is ready to move forward, the FedRAMP Readiness and Development Team requests a current copy of the CSP’s:
– System Security Plan (SSP)
– Configuration Management Plan
– Contingency Plan
– Incident Response Plan
– CSP’s Security Policies and Procedures as required by the SSP
The Readiness and Development Team sets up a CSP account in the OMB MAX secure repository and provides upload instructions for submitting the documents for review.

Initial Documents Review
The FedRAMP Readiness and Development Team performs a completeness check on the initial documents and ensures that the right level of detail is present. If the Readiness and Development Team determines that the CSP’s documentation is not ready at this point, a team representative will provide feedback on what the CSP needs to update in the documents.

ISSO Review and Briefing
The FedRAMP ISSOs perform an in-depth review of the initial documents and brief the FedRAMP Director and Manager on the status of the CSP’s documentation. If the documents meet the FedRAMP requirements, the team holds a briefing with the FedRAMP ISSOs and provides the documents for a detailed review.

Kick-Off Decision

Kick-Off Decision
At the conclusion of the ISSO briefing with the FedRAMP Director and Manager, the team recommends either formally kicking off the full FedRAMP P-ATO assessment or requiring the CSP to make additional revisions before moving forward. If the team determines that the CSP’s documentation is not ready at this point, a Readiness and Development Team representative provides additional feedback on what the CSP will need to update in the documents.

Setting Up the Kick-Off Meeting
If the FedRAMP Manager and Director accept the recommendation to move forward with the Kick-Off, the Readiness and Development Team schedules the kick-off meeting with the CSP. The Readiness and Development Team provides a briefing template to the CSP in preparation for the Kick-Off Meeting.

Hold Kick-Off Meeting
At the Kick-Off Meeting, the CSP briefs its system using the template provided by the Readiness and Development Team. The assigned ISSO provides the CSP with detailed comments on the first 12 sections of the SSP.