SOC 2 & XRAMP – Assessments Evolved
In 2022, Fortreum piloted the idea of XRAMP, a new way of performing #FedRAMP engagements. The idea grew from the understanding that the concept of continuous assurance isn't new and that the traditional assessment model would not change overnight, but there absolutely had to be a way to improve it. We now have had multiple clients go through their annual FedRAMP effort using the #XRAMP methodology, with more signing up all the time!
"XRAMP will normalize audit cycles, improve security assurance visibility and minimize organizational impact over time"
What is XRAMP and how does it work?
The goal with XRAMP is to normalize the audit process by architecting an extensible framework and workflow process to support continuous auditing. This will provide CSPs a more predictable audit workflow, which in turn should provide a higher security assurance level and reduce internal operations and engineering time.
"XRAMP is the future – one that reduces audit fatigue on service and compliance teams"
Using the XRAMP methodology, Fortreum works with key stakeholders to align the FedRAMP audit and other compliance initiatives for the year into a consolidated audit work stream. We take into account regulatory frameworks, authorization dates, timeliness of evidence, and future business needs for the year/outyears. You get a team of subject matter experts (as a service), monthly and quarterly checkpoints, and a forecasted control set with a detailed roadmap for the authorization year. Please note, initial cloud systems must undergo an initial FedRAMP authorization prior to enrolling in XRAMP.
As an example, after establishing the plan for the year, we may test access controls (via walkthroughs, screenshot evidence, and some testing) in month 3 of the year, impacting the client stakeholders for AC only in that month. Similarly, each FedRAMP control family is assigned to a single month in coordination with the client; then, at the end of the Authorization to Operate (ATO) period, we produce the Security Assessment Report (SAR) for authorization. We've tested this method with the FedRAMP Program Management Office (PMO) and it works!
Great! What about SOC 2?
In one of my previous articles, we discussed performing #SOC2 along with other assessments. So, what about SOC 2 and XRAMP? Well, the methods of doing SOC 2 engagements have varied since its inception and there is no "one way" to do them.
Often, we see auditors performing procedures for all controls toward the end of the audit period. Other times, we see auditors do "interim" testing (where some controls are tested at points during the period). Doing SOC 2 with XRAMP leans more towards the latter. Following a methodology similar to my previous article (where two frameworks are tested in conjunction with each other), you would determine which controls from the NIST families overlap with SOC 2, come up with a test plan, and test those controls in the month that XRAMP is testing the corresponding family. Finally, you would "catch up" any remaining SOC 2 sample testing for the rest of the period as the Type 2 period is ending. While this adds some additional work for SOC 2, it is significantly less than doing the entire SOC 2 Type 2 in month 12 of an annual audit.
Going back to our example of testing AC in month 3: if the SOC 2 auditor determines there are 5 AC controls from NIST that overlap with SOC 2, the walkthroughs, interviews, and screenshots for those 5 controls would be reused for the SOC 2 effort. Any sample testing conducted at that time would be reused as well. Then, assuming the operation of the control doesn't change for the rest of the period (hint – the SOC auditor should confirm this at the end of the period), the auditor would sample test the remaining population from months 4-12 to reach the total sample size needed for SOC 2. The rest of the testing is still valid!
Assessments Evolved
Many of us have heard, read, or even used GRC automation tools, which help with continuous monitoring and assessment of the control environment for clients. It makes sense that continuous external assessment, even at the highest levels, would be next. XRAMP is a methodology, providing a new way of doing FedRAMP and other assessments. Eventually, I see XRAMP and some of these automation tools working together to support the continuous assessment of clients, making audits more accurate, efficient, and in-depth than ever before.
Fortreum is the fastest growing FedRAMP 3PAO in the marketplace and has collectively worked on FedRAMP engagement lifecycles since the inception of the program. Should you have questions about anything FedRAMP from your transition to Rev 5, to XRAMP, to just getting started please reach out to us at Compliance@fortreum.com.
Hey #cpafirms! If you have clients that you are doing SOC work for, but are in need of FedRAMP help, @Fortreum can work with you! As one of the top 3PAOs in the FedRAMP program, we have staff that understand FedRAMP in-depth, but also have an understanding of what your firm would need for SOC. Our team can work with you to coordinate efforts and share resources and documentation, all while ensuring your client stays within a trusted network with trusted advisors. Whether you want to do a traditional audit, or try working with our XRAMP methodology, let us know and we can help!