Federal Risk and Authorization Management Program

Booz Allen Can Help You with Effective Cybersecurity and Cloud Solutions

We’re the first accredited third-party assessment organization (3PAO) that is ISO/IEC 17020 compliant—and we use our vast cybersecurity knowledge base and experience to streamline the security risk assessment process. This process allows cloud service providers (CSPs) to efficiently gain a FedRAMP accreditation. Our team has prepared security accreditation packages for multiple clients with large, complex information systems and successfully ushered these packages through the accreditation process. In addition, we’re a leading provider of cybersecurity capabilities, and we’ve designed, architected, and implemented cloud solutions across the full spectrum of cloud service and deployment models.

The FedRAMP Process

FedRAMP is a government-wide program managed by the General Services Administration (GSA). FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. The FedRAMP approach is based on an accepted set of baseline security controls and consistent processes that have been vetted and agreed upon by agencies across the federal government. The approach relies heavily on the use of a 3PAO to perform independent security assessments and continuous monitoring. A 3PAO is required for a CSP to gain and maintain its FedRAMP accreditation. GSA requires CSPs seeking FedRAMP accreditation to use an accredited 3PAO to provide an independent verification and validation of the security implementations. To maintain an accreditation, a CSP must also utilize a 3PAO to meet FedRAMP’s continuous monitoring requirements.

FedRAMP Service Offerings

FedRAMP Readiness Assessment

For CSPs looking to enter the FedRAMP accreditation process, we offer a quick-look FedRAMP readiness assessment. We’ll conduct a gap analysis of a cloud solution’s compliance and risk posture relative to FedRAMP controls to provide risk-based recommendations to facilitate FedRAMP compliance. The primary deliverable is a gap report containing an identified list of deficiencies and recommended mitigations. The quick-look FedRAMP readiness assessment is also beneficial to CSPs that are looking to determine whether to pursue FedRAMP accreditation by providing fact-based data to make an informed business decision.

FedRAMP Security Package Development

For CSPs that have already decided to pursue a FedRAMP accreditation, we develop FedRAMP-compliant accreditation packages for your cloud solution. Quality and completeness of documentation are essential to a streamlined accreditation process. Our team of experts will work with your subject matter experts to collect, consolidate, and articulate technical information to properly report control compliance. This includes the development of the system security plan (SSP), configuration management plan, incident response plan, contingency plan, user guide, system architecture diagrams, and other security artifacts as dictated by FedRAMP requirements. The primary deliverable is a completed set of required FedRAMP security documentation.

Remediation Services

For CSPs remediating system vulnerabilities, we provide cybersecurity IT project management and technical services to ensure on-time and on-budget implementation of remediation efforts. Our experts manage and execute projects to mitigate vulnerabilities that are inhibiting FedRAMP compliance. The primary deliverable is a FedRAMP-compliant cloud solution.

3PAO Security Risk Assessment

For CSPs seeking a 3PAO, we conduct an independent risk assessment using FedRAMP-provided templates (e.g., system assessment plan [SAP], system assessment report [SAR], and test cases workbook). This includes security testing of FedRAMP controls, vulnerability scanning, security configuration scanning, onsite validation of physical and environmental controls, database scanning, penetration testing, and web application scanning. The primary deliverables are a completed SAP, SAR, and test results that are reported in compliance with FedRAMP and ISO standards.

3PAO Continuous Monitoring Services

For accredited CSPs, we offer annual security assessments. We perform an abbreviated security risk assessment based on significant changes to the system’s configuration baseline. Other services include annual penetration testing and vulnerability scanning of operating systems/infrastructure, databases, and web applications. Primary deliverables include an updated SAR and vulnerability scan findings.