FISMA / FEDRAMP

Cloud service providers (CSPs) seeking a FedRAMP Authorization to Operate (ATO) face a more technically rigorous and more closely scrutinized assessment than most organizations are used to, more so than the assessment required to meet FISMA requirements. FedRAMP is often described as the "high bar" for security in the cloud.

Number of controls and control enhancements that must be implemented and tested, by system impact level:

System Impact Level   FISMA assessment (NIST SP 800-53 Rev 4 baseline)   FedRAMP assessment (FedRAMP Rev 4 baseline)
Low                   124                                                 125
Moderate              261                                                 325
High                  343                                                 421

A FedRAMP assessment is more rigorous than a FISMA assessment, as illustrated by the additional controls and control enhancements that must be implemented and tested at each impact level.

How Interactive Security Can Help

Interactive Security is a leading FedRAMP-accredited Third-Party Assessment Organization (3PAO), having completed more than 70 assessments that resulted in JAB Provisional Authorizations (P-ATOs) or agency ATOs for our cloud service provider (CSP) clients.

The FedRAMP assessment includes:

  • Tailored controls assessment against NIST SP 800-53 Revision 4 (the set of controls depends on the system impact level)
  • Vulnerability scanning of all operating systems, network devices, databases and web applications within the authorization boundary
  • Penetration testing
  • Source code review

Each of these is documented in the Security Assessment Report (SAR), which is provided to the FedRAMP JAB or the sponsoring agency to inform its decision on issuing an Authorization to Operate (ATO).

CSPs that serve, or want to serve, DoD customers must also meet the Department of Defense Cloud Computing Security Requirements Guide (DoD CC SRG) for the designated Impact Level. This is an additional service that can be performed in parallel with a FedRAMP assessment of a Moderate or High impact system.

Why Choose Interactive Security for your FedRAMP Assessment

  • Interactive Security is an accredited third-party assessment organization (3PAO). 3PAOs are accredited by the American Association for Laboratory Accreditation (A2LA) to assess CSPs that must meet FedRAMP security requirements in order to provide cloud services to government agencies.
  • We know the process and best practices, including FedRAMP requirements and the JAB's interpretation of controls.
  • Our team is highly experienced in NIST SP 800-53 and DoD requirements and in how they apply to commercial cloud environments.
  • Interactive Security has been providing assessment services since 2001.

FedRAMP Consulting Advisory Services

Navigate FedRAMP security compliance design and documentation requirements

Interactive Security's independent team of advisors can help your organization prepare your cloud service for FedRAMP assessment and authorization. Our advisors are FedRAMP specialists who can lead the preparation effort and assist with compliance gap analysis, advisory and assessment, while addressing risk and aligning your cybersecurity strategy with business goals.

Our customized FedRAMP advisory services include:

  • Business case analysis to determine the cost/benefit justification for pursuing FedRAMP authorization of your solution.
  • Security control implementation analysis, review and remediation.
  • Roadmap for FedRAMP authorization.
  • Technical architecture and design reviews.
  • System documentation development.
  • Complete security authorization package development.

FedRAMP Compliance Review

Our experienced FedRAMP advisory team conducts several days of analysis and review, then advises project stakeholders on the key steps in the process. Our review includes:

  • An overview of the FedRAMP process and authorization paths
  • Boundary scoping to ensure all components and interconnections within the authorization boundary have been identified
  • Analysis and review of security control implementations
  • Recommendations for all requirements not met
  • Review of existing system documentation
  • Focused review of controls required for FedRAMP Readiness Assessment
  • Determination of reuse of corporate/system-specific policies and procedures
  • A review of vulnerability scanning program/tools and recommendations
  • Establishment of a roadmap for FedRAMP authorization
  • Tips for achieving FedRAMP Ready and submitting a winning JAB Business Case

Full Advisory Support

We map each advisory service to a specific step of the FedRAMP process, so you can choose the level of support you need. Working closely with your team, Interactive Security's advisors help you design and implement security controls that meet FedRAMP requirements. Activities include:

  • Complete required FedRAMP documentation:
    • System security plan (SSP)
    • Information security policies
    • Contingency plan
    • Incident response plan
    • Configuration management plan
    • Continuous monitoring plan
    • Privacy threshold analysis and privacy impact assessment (if necessary)
    • E-authentication workbook
    • Rules of behavior
    • System description and network architecture development and guidance
    • FIPS 199 Security Categorization
    • Control implementation summary
  • Add-on Advisory services:
    • Vulnerability scanning
    • Penetration testing
    • Security hardening and engineering
    • Security monitoring program development, optimization and engineering services
    • 3PAO Audit Support
    • Continuous monitoring program development

Why Choose Interactive Security to be your FedRAMP Advisor

As a leading FedRAMP 3PAO, we provide FedRAMP advisory and assessment services for cloud service providers (IaaS / PaaS / SaaS). View our FedRAMP-authorized clients on FedRAMP.gov.

You'll benefit from our FedRAMP leadership and our experience advising and assessing some of the largest CSPs in the world. We can help transform the way government and commercial organizations work as they migrate IT services to the cloud. As one of the longest-tenured 3PAOs, Interactive Security has helped many systems attain an ATO.

  • Interactive Security is a leading FedRAMP 3PAO, having completed more than 70 assessments for cloud service providers that have received a FedRAMP ATO.
  • We know the process and best practices, including FedRAMP requirements and the JAB's interpretation of controls.
  • Our teams are highly experienced in NIST SP 800-53 and DoD requirements and in how they apply to commercial cloud environments.
  • Interactive Security has been providing assessment services since 2001.

Industry Leadership

Since FedRAMP's inception, Interactive Security has been a charter member of and active contributor to the 3PAO Special Interest Group (SIG) and other key initiatives organized by the FedRAMP Program Management Office (PMO), as well as the ACT-IAC FedRAMP working group. Our leadership team continues to participate in the FedRAMP community through speaking engagements and expert panels.

Are you wondering about your organization's FISMA compliance or FedRAMP authorization? Contact the Interactive Security team at 267-824-2500 or sales@intactsec.com. We can help you understand the specific steps your organization needs to take.