FedRAMP for CPAs - the basics

In today’s digital landscape, trust is paramount. As organizations increasingly rely on cloud services and handle sensitive data, ensuring robust security controls becomes non-negotiable. While SOC 2 has had a hold on the industry for a while now, dominating the commercial market as a “gold standard”, we’re hearing more and more from clients about a framework that #CPA firms have not traditionally participated in - FedRAMP.

Abbreviations:

  • #FedRAMP - Federal Risk and Authorization Management Program
  • #3PAO - third party assessment organization (audit or consulting firm)
  • SSP - system security plan
  • SAP - security assessment plan
  • RET - risk exposure table
  • POA&M - plan of action and milestones
  • SAR - security assessment report
  • JAB - joint authorization board
  • PMO - program management office

What is FedRAMP?

FedRAMP is a federal mandate and is the highest standard (IMO) for cloud security, specifically in the federal space. If a cloud client serves federal agencies, a FedRAMP authorization is a must. It ensures that their cloud services meet the stringent security standards set by the U.S. government.

What is the FedRAMP process?

At a high level, most FedRAMP engagements include a planning/kickoff phase, a testing phase, a writeup phase, a remediation phase, and a reporting phase. Before any of that, though, the client goes through an extensive preparation process, which includes not only the development and operation of policies and procedures, but also the development of the FedRAMP documents (such as an SSP), which often requires the assistance of a consulting FedRAMP 3PAO.

Once ready, the audit is kicked off and a SAP is agreed upon between the client, the 3PAO, and the government agency. Document gathering also begins with the audit 3PAO. Testing includes interviews, walkthroughs, screenshares, and sample testing (following the NIST guidance of Interview/Examine/Test). The 3PAO also conducts the vulnerability scans and penetration testing required under FedRAMP during the testing phase. All parts then undergo a writeup phase, where the testing procedures are documented and the results are shown. Any deficiencies found are listed in a RET, which the client then has the opportunity to remediate before the package is submitted to the government for authorization.

After the RET findings that the client was able to close (remediate) have been re-tested, a final SAR is completed for submission to the government agency or the JAB (more on that below). NOTE - the final SAR also includes any remaining findings in a RET, and these are now considered POA&Ms for the system (to be fixed after authorization). Once approved by the JAB, the system is listed as authorized on the FedRAMP Marketplace. Once approved by an agency, the package is routed to the FedRAMP PMO for a completeness check before being listed as authorized on the Marketplace.

FedRAMP assessments are annual efforts, however, the initial assessment is a larger testing scope than annual assessments (similar to the ISO model).

What is agency vs. JAB?

Typical FedRAMP authorization paths are either through a federal agency or through the JAB. An agency will have an authorizing official (typically an executive at that agency) who ultimately “signs off” on authorizing the client’s system (for FedRAMP). With the other path, think of the JAB as a FedRAMP “board” that consists of various individuals who have to come to a consensus on a SAR package/system authorization. For that reason, many clients choose the agency path, since it is a faster / “easier” way to get an authorization done.

FedRAMP Marketplace

The FedRAMP Marketplace is where you can find listings of 3PAOs, authorized systems, and other FedRAMP information. Once a client begins the FedRAMP journey (and has an agency sponsor or registered with the JAB) they can be listed in the marketplace as “in process”. After the assessment is complete and the system is authorized, they then are listed as “FedRAMP authorized” in the marketplace.

FAQs

What if my client doesn’t deal with federal agencies or have U.S. government info?

Some companies want the highest level of audit, but don’t really have a reason to do FedRAMP specifically. So, they’ll do a FedRAMP “like” audit (basically doing a FedRAMP audit without the issuance of a SAR to an agency or the JAB). Another option some clients take is getting “FedRAMP Ready”, which means they undergo a formal FedRAMP Readiness Assessment by a 3PAO. This is a validation of a subset of controls, with a heavy focus on the authorization boundary and federal mandate requirements. Once completed, it is submitted to the FedRAMP PMO for review/approval. If approved, they are listed as FedRAMP Ready on the Marketplace. This is helpful for anyone who doesn’t yet have a contract with a federal agency but is looking to start selling its services to one.

Is FedRAMP a period of time or point in time audit and what is the extent of testing?

Because FedRAMP is an authorization (similar to a certification), it is point in time. Testing, therefore, is more about a control being implemented and operating as designed as of that authorization date. In turn, sample testing is typically smaller compared to other frameworks (such as SOC 2). However, the real depth of FedRAMP comes from the extent of testing involved with NIST 800-53 (which is the control framework that FedRAMP is based on). The NIST families are extensive both horizontally and vertically, meaning they span a wide area of the security control environment for a client, and they also go deep in evaluating the controls in the environment. Some NIST controls could have multiple “objectives”, each of which may require a different type of test.

What is the LOE for FedRAMP and cost for the client?

Considering the extent of manual/control testing, pen testing, and vulnerability scanning, the LOE for a FedRAMP assessment is high (which in turn means these audits are expensive!). Clients also have to consider the cost (both monetary and internal team time) of developing policies, procedures, and controls that will meet FedRAMP requirements, as well as the cost of help from a consulting 3PAO with FedRAMP package development. Adding it all up, it can be an investment of hundreds of thousands of dollars for a client, so they definitely need to run a cost/benefit analysis to determine whether the amount of work/revenue from the agency or other customers is worth the investment.

Why don’t more CPA firms become 3PAOs?

The process to become a 3PAO is extensive and costly. In addition, your firm is “signing off” on a SAR for authorization (essentially saying to the federal government, “this system is good for authorization”) - many firms just don’t want to do it. Also, for many firms they just don’t have the number of clients pursuing FedRAMP (for the cost/benefit reasons above) to justify their own cost of getting (and maintaining) 3PAO status.

Fortreum

That’s where Fortreum comes in. We are an industry-recognized and respected 3PAO, led by individuals who have been involved in the program since its inception. If your firm has clients that are considering, or are committed to, undergoing the FedRAMP process, we can help. As a friend of CPA firms, we hold all our partnerships in the highest regard and treat clients with the utmost care. Just some examples of what we’ve done to help FedRAMP clients:

  • Business case discussions
  • Scoping
  • Roadmapping
  • Assessment
  • Federal agency or JAB interface
  • Training
  • Advisory

Give us a call or reach out to me at [email protected] to learn more about how we can help your #cpafirm with client needs.

Raymond Cheng

SOC 2 & ISO 27001 audits | Founder & CEO @ Decrypt Compliance

8 months ago

Jeff Cook, this is a great intro explainer. I have many questions I can use your insights on! Currently, what are the FedRAMP PMO group, and other stakeholders positions on whether an isolated "govcloud" instance is necessary for FedRAMP accreditation? And what deltas are there between a company's SOC 2 system description, and the FedRAMP System Security Plan?
