What is involved in FedRAMP
Find out what the related areas are that FedRAMP connects with, associates with, correlates with or affects, and which require thought, deliberation, analysis, review and discussion. This unique checklist stands out in a sense that it is not per-se designed to give answers, but to engage the reader and lay out a FedRAMP thinking-frame.
How far is your company on its FedRAMP journey?
Take this short survey to gauge your organization’s progress toward FedRAMP leadership. Learn your strongest and weakest areas, and what you can do now to create a strategy that delivers results.
To address the criteria in this checklist for your organization, extensive selected resources are provided for sources of further research and information.
Start the Checklist
Below you will find a quick checklist designed to help you think about which FedRAMP related domains to cover and 65 essential critical questions to check off in that domain.
The following domains are covered:
FedRAMP, Chief Information Officer, Chief Information Officer of the United States, Cloud computing, Cloud computing issues, Cybersecurity, FIPS 199, Federal Information Security Management Act of 2002, General Services Administration, National Institute of Standards and Technology, Office of Management and Budget, Software as a Service, United States Department of Defense, United States Department of Homeland Security:
FedRAMP Critical Criteria:
Track FedRAMP goals and reinforce and communicate particularly sensitive FedRAMP decisions.
– What are your most important goals for the strategic FedRAMP objectives?
– Do we all define FedRAMP in the same way?
– Fedramp approved / compliant?
– FedRAMP approved/compliant?
– How to deal with FedRAMP Changes?
Chief Information Officer Critical Criteria:
Focus on Chief Information Officer management and describe which business rules are needed as Chief Information Officer interface.
– Marketing budgets are tighter, consumers are more skeptical, and social media has changed forever the way we talk about FedRAMP. How do we gain traction?
– Will FedRAMP have an impact on current business continuity, disaster recovery processes and/or infrastructure?
– Are we Assessing FedRAMP and Risk?
Chief Information Officer of the United States Critical Criteria:
Contribute to Chief Information Officer of the United States projects and stake your claim.
– Will FedRAMP deliverables need to be tested and, if so, by whom?
– Are accountability and ownership for FedRAMP clearly defined?
– Who needs to know about FedRAMP ?
Cloud computing Critical Criteria:
Derive from Cloud computing projects and find the ideas you already have.
– It is clear that the CSP will face a large number of requests from its customers to prove that the CSP is secure and reliable. There a number of audit and compliance considerations for both the CSP and the customer to consider in cloud computing. First, which compliance framework should a CSP adopt to satisfy its customers and manage its own risks?
– What impact has emerging technology (e.g., cloud computing, virtualization and mobile computing) had on your companys ITRM program over the past 12 months?
– What are the existing or planned mechanisms to assess the interoperability of different vendor implementations?
– What is the security gap between private cloud cloud computing versus client server computing architectures?
– How can a small cloud computing consultancy take advantage of the Federal Cloud Computing Strategy?
– How can cloud stakeholders ensure and promote the security of Cloud computing?
– Will Cloud Computing replace traditional dedicated server hosting?
– What are the challenges related to cloud computing data security?
– If your data is stored abroad whose foi policy do you adhere to?
– How can we best leverage cloud computing and obtain security?
– How is cloud computing shaping enterprise communications?
– Is there any recourses about cloud computing performance?
– What are the benefits of cloud computing to consumers?
– What are the usability issues around cloud computing?
– How do you prepare your data center for Cloud?
– How energy efficient is cloud computing?
– How do I estimate cloud computing costs?
– How do we keep improving FedRAMP?
Cloud computing issues Critical Criteria:
Audit Cloud computing issues management and adopt an insight outlook.
– Have the types of risks that may impact FedRAMP been identified and analyzed?
– Have all basic functions of FedRAMP been defined?
Cybersecurity Critical Criteria:
Have a session on Cybersecurity quality and change contexts.
– Can we describe our organizations policies and procedures governing risk generally and Cybersecurity risk specifically. How does senior management communicate and oversee these policies and procedures?
– What are the current regulatory and regulatory reporting requirements in the United States (e.g. local, state, national, and other) for organizations relating to Cybersecurity?
– If the liability portion of a Cybersecurity insurance policy is a claims-made policy, is an extended reporting endorsement (tail coverage) offered?
– Has your organization conducted an evaluation of the Cybersecurity risks for major systems at each stage of the system deployment lifecycle?
– For the most critical systems, are multiple operators required to implement changes that risk consequential events?
– What training is provided to personnel that are involved with Cybersecurity control, implementation, and policies?
– Do we have a formal escalation process to address Cybersecurity risks that suddenly increase in severity?
– Havr we managed Cybersecurity in the replacement and upgrade cycle of its networked equipment?
– How much should we invest in Cybersecurity (and how should those funds be allocated) ?
– Do we appropriately integrate Cybersecurity risk into business risk?
– Are Cybersecurity criteria used for vendor and device selection?
– Are records kept of Cybersecurity access to key systems?
– what is our Ultimate Disaster Scenario?
FIPS 199 Critical Criteria:
Steer FIPS 199 projects and find answers.
– Can Management personnel recognize the monetary benefit of FedRAMP?
– Are there recognized FedRAMP problems?
Federal Information Security Management Act of 2002 Critical Criteria:
Brainstorm over Federal Information Security Management Act of 2002 planning and get answers.
– How will you know that the FedRAMP project has been successful?
– How much does FedRAMP help?
– What is Effective FedRAMP?
General Services Administration Critical Criteria:
Guard General Services Administration leadership and report on the economics of relationships managing General Services Administration and constraints.
– What new services of functionality will be implemented next with FedRAMP ?
– How will we insure seamless interoperability of FedRAMP moving forward?
– Why are FedRAMP skills important?
National Institute of Standards and Technology Critical Criteria:
Do a round table on National Institute of Standards and Technology results and oversee National Institute of Standards and Technology management by competencies.
– Do we cover the five essential competencies-Communication, Collaboration,Innovation, Adaptability, and Leadership that improve an organizations ability to leverage the new FedRAMP in a volatile global economy?
– Think about the kind of project structure that would be appropriate for your FedRAMP project. should it be formal and complex, or can it be less formal and relatively simple?
Office of Management and Budget Critical Criteria:
Shape Office of Management and Budget planning and display thorough understanding of the Office of Management and Budget process.
– Is FedRAMP dependent on the successful delivery of a current project?
– What will drive FedRAMP change?
Software as a Service Critical Criteria:
Investigate Software as a Service engagements and be persistent.
– Why are Service Level Agreements a dying breed in the software as a service industry?
– How important is FedRAMP to the user organizations mission?
– What are all of our FedRAMP domains and what do they do?
United States Department of Defense Critical Criteria:
Consider United States Department of Defense tasks and describe which business rules are needed as United States Department of Defense interface.
– What other jobs or tasks affect the performance of the steps in the FedRAMP process?
– Why is FedRAMP important for you now?
United States Department of Homeland Security Critical Criteria:
Troubleshoot United States Department of Homeland Security leadership and correct better engagement with United States Department of Homeland Security results.
– What are the key elements of your FedRAMP performance improvement system, including your evaluation, organizational learning, and innovation processes?
– When a FedRAMP manager recognizes a problem, what options are available?
– What are the Essentials of Internal FedRAMP Management?
This quick readiness checklist is a selected resource to help you move forward. Learn more about how to achieve comprehensive insights with the FedRAMP Self Assessment:
Author: Gerard Blokdijk
CEO at The Art of Service | http://theartofservice.com
Gerard is the CEO at The Art of Service. He has been providing information technology insights, talks, tools and products to organizations in a wide range of industries for over 25 years. Gerard is a widely recognized and respected information expert. Gerard founded The Art of Service consulting business in 2000. Gerard has authored numerous published books to date.
To address the criteria in this checklist, these selected resources are provided for sources of further research and information:
FedRAMP External links:
The Next Steps for FedRAMP – Bowman & Company, LLP
FedRAMP program – GSA
FedRAMP – Official Site
Chief Information Officer External links:
Chief Information Officer – CIO Job Description
CHIEF INFORMATION OFFICER – Charles R. Drew …
What Is a Chief Information Officer? – Government …
Cloud computing External links:
AWS Cloud Computing Certification Program – aws.amazon.com
Compliant Cloud Computing Simplified – Lumen21
Microsoft Azure Cloud Computing Platform & Services
Cybersecurity External links:
Cybersecurity Resource Center – OPM.gov
FFIEC Cybersecurity Awareness
August 28, 2017: DFS Cybersecurity Regulation
FIPS 199 External links:
[PDF]FIPS 199/NIST 800-60 SYSTEM CATEGORIZATION
[PDF]FIPS 199, Standards for Security Categorization of …
[PDF]FIPS 199: New Standards for Security Caal Information …
Federal Information Security Management Act of 2002 External links:
Federal Information Security Management Act of 2002 …
General Services Administration External links:
[PDF]U.S. General Services Administration Calendar …
[PDF]GENERAL SERVICES ADMINISTRATION …
GSA – U.S. General Services Administration | OfficeSupply…
National Institute of Standards and Technology External links:
National Institute of Standards and Technology – YouTube
Office of Management and Budget External links:
[PDF]Office of Management and Budget – GPO
[DOC]OFFICE OF MANAGEMENT AND BUDGET
Office of Management and Budget | whitehouse.gov
Software as a Service External links:
Software as a Service | Accenture
Vendor Management Software as a Service (SaaS) …
What is Software as a Service (SaaS) – Salesforce.com
United States Department of Defense External links:
United States Department of Defense Standards of …
United States Department of Defense – Official Site
[PDF]United States Department of Defense (DoD) DoD …