SOC 2 & XRAMP – Assessments Evolved

In 2022, Fortreum piloted the idea of XRAMP, a new way of performing #FedRAMP engagements. The idea grew from the understanding that the concept of continuous assurance isn’t new and that the traditional assessment model would not change overnight, but there absolutely had to be a way to improve it. We have now had multiple clients go through their annual FedRAMP effort using the #XRAMP methodology, with more signing up all the time!

“XRAMP will normalize audit cycles, improve security assurance visibility and minimize organizational impact over time”

What is XRAMP and how does it work?

The goal with XRAMP is to normalize the audit process by architecting an extensible framework and workflow process to support continuous auditing. This will provide CSPs a more predictable audit workflow, which in turn should provide a higher security assurance level and reduce internal operations and engineering time.

“XRAMP is the future – one that reduces audit fatigue on service and compliance teams”

Using the XRAMP methodology, Fortreum works with key stakeholders to align the FedRAMP audit and other compliance initiatives for the year into a consolidated audit work stream. We take into account regulatory frameworks, authorization dates, timeliness of evidence, and future business needs for the year/outyears. You get a team of subject matter experts (as a service), monthly and quarterly checkpoints, and a forecasted control set with a detailed roadmap for the authorization year. Please note, initial cloud systems must undergo an initial FedRAMP authorization prior to enrolling in XRAMP.

As an example, after establishing the plan for the year, we may test access controls (via walkthroughs, screenshot evidence, and some testing) in month 3 of the year, impacting the client stakeholders for AC only in that month. Similarly, each FedRAMP control family is assigned to a single month in coordination with the client; then, at the end of the Authorization to Operate (ATO) period, we produce the Security Assessment Report (SAR) for authorization. We’ve tested this method with the FedRAMP Program Management Office (PMO) and it works!

Great! What about SOC 2?

In one of my previous articles, we discussed performing #SOC2 along with other assessments. So, what about SOC 2 and XRAMP? Well, the methods of doing SOC 2 engagements have varied since its inception and there is no “one way” to do them.

Often, we see auditors performing procedures for all controls toward the end of the audit period. Other times, we see auditors do “interim” testing (where some controls are tested at points during the period). Doing SOC 2 with XRAMP leans more toward the latter. Using a methodology similar to the one in my previous article (where two frameworks are tested in conjunction with each other), you would determine which controls from the NIST families overlap with SOC 2, come up with a test plan, and test those controls in the month that XRAMP is doing its testing. Finally, you would “catch up” any remaining SOC 2 sample testing for the rest of the period as the Type 2 period is ending. While this adds some additional work for SOC 2, it is significantly less than doing the entire SOC 2 Type 2 in month 12 of an annual audit.

Going back to our example of testing AC in month 3: if the SOC 2 auditor determines there are 5 AC controls from NIST that overlap with SOC 2, the walkthroughs, interviews, and screenshots for those 5 controls would be reused for the SOC 2 effort. Any sample testing conducted at that time would be reused as well. Then, assuming the operation of the control doesn’t change for the rest of the period (hint – this should be confirmed by the SOC auditor at the end of the period), the auditor would sample test the remaining population from months 4-12 to reach the total sample size needed for SOC 2. The rest of the testing is still valid!

Assessments Evolved

Many of us have heard, read, or even used GRC automation tools, which help with continuous monitoring and assessment of the control environment for clients. It makes sense that continuous external assessment, even at the highest levels, would be next. XRAMP is a methodology, providing a new way of doing FedRAMP and other assessments. Eventually, I see XRAMP and some of these automation tools working together to support the continuous assessment of clients, making audits more accurate, efficient, and in-depth than ever before.


Fortreum is the fastest growing FedRAMP 3PAO in the marketplace and has collectively worked on FedRAMP engagement lifecycles since the inception of the program. Should you have questions about anything FedRAMP, from your transition to Rev 5, to XRAMP, to just getting started, please reach out to us at Compliance@fortreum.com.


Hey #cpafirms! If you have clients that you are doing SOC work for, but are in need of FedRAMP help, @Fortreum can work with you! As one of the top 3PAOs in the FedRAMP program, we have staff that understand FedRAMP in-depth, but also have an understanding of what your firm would need for SOC. Our team can work with you to coordinate efforts and share resources and documentation, all while ensuring your client stays within a trusted network with trusted advisors. Whether you want to do a traditional audit, or try working with our XRAMP methodology, let us know and we can help!

More articles by Jeff Cook

  • SOC 2 vs. FedRAMP - BONUS!
  • SOC 2 vs. FedRAMP - the main differences
  • FedRAMP for CPAs - the basics
  • Some "Secrets" of SOC 2
  • Misconceptions in SOC 2
  • Why a Qualified Opinion isn't the End of the World in SOC 2
  • SOC 2 & Other Frameworks - Part 2 - Concurrent Audits
  • SOC 2 & Other Frameworks - Options and What You Need to Know (Part 1)
  • What to look for when using technology platforms in a financial audit
  • SOC 2 – Independence & Ethics (2022 SOC 2 Guide)