SchellmanCON is back! Join us for our virtual conference on March 6 & 7, 2025

Contact Us
Services
Services
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships

What are Schellman's FedRAMP Capabilities?

FedRAMP | Federal Assessments

Do you enjoy pizza? Maybe you prefer it plain with cheese, or maybe you need that pepperoni spike of flavor. Perhaps you’re more adventurous and order ham and pineapple—some folks even like it with SPAM.

Schellman’s suite of services is a bit like pizza toppings—you can choose from SOC, ISO, PCI, HITRUST, NIST, CMMC, and various privacy initiatives among our other services. If you’re a cloud service provider (CSP) seeking FedRAMP Authority to Operate (ATO), you’ve already decided on your “topping” of choice. Now you’re wondering if Schellman is the right compliance firm to make“the pizza” for you.

That’s what we’re going to address in this article—what sets Schellman apart from your other Third Party Assessment Organization (3PAO) options? What can we offer you within the FedRAMP Program? After reading this, you’ll know 3 things you can expect of Schellman on your road to ATO.

What is FedRAMP?

For the sake of thoroughness, let’s establish what you need first. FedRAMP was created by the federal government to provide CSPs with a means to provide services to the federal government while reducing the risk taken on by the government.

CSPs can achieve these means by having their security posture, data processing, and data residence assessed by an approved 3PAO.

What Will You Get with Schellman’s Team?

Schellman is one such accredited 3PAO. We were founded back in 2002 as providers of SAS 70 audits—the predecessor to SOC—and have since grown dramatically, adding complementary services over the years. We currently offer clients over 30+ different assessment services, including other federal offerings such as CMMC 2.0, NIST 800-171, NIST 800-53, RMF, FISMA, ITAR, and CJIS assessments.

As the #2 provider of FedRAMP assessment services per the FedRAMP Marketplace, partnering with Schellman presents organizations with a unique opportunity given our ability to deliver multiple compliance assessment services as a single provider. If you were to need multiple compliance assessments or cybersecurity services, we would provide an integrated project team and methodology to streamline achieving the various objectives.

But if it’s just FedRAMP you’re after, that’s okay too—we have a team of highly specialized assessors that actively engages with the FedRAMP Program Management Office (PMO), Defense Information System Agency (DISA), and the CMMC Cyber Accreditation Body (The Cyber AB) regularly as part of our assessment activities and at their request to provide ideas for methodology and program refinement.

You’re also likely wondering about our penetration test team. Though pen tests have been a required part of the FedRAMP assessment for a while, now—after the release of NIST 800-53 Rev 5red team exercises are also now required. Our team is capable of performing both, and while you can read more about their qualifications in our article here, at the very least know that they all have their Offensive Security Certified Professional certification and several years of penetration testing and technical experience.

 

Schellman’s FedRAMP Capabilities

 

 

1. We Are Solely Focused on FedRAMP Assessment Services (Type A 3PAO).

 

One of the most important things to understand going into your search for the right 3PAO is that many firms do offer both assessment and advisory services. Because the process to achieve a FedRAMP ATO is very high stakes, it’s often recommended that organizations engage a consultant to advise them—just know that if you do, you cannot use that same firm to perform your FedRAMP assessment.

Unlike firms that do provide both, Schellman performs assessments exclusively (though we do want to help you to find the right advisory partner). Why is the right FedRAMP advisor important?

Because from a technical compliance perspective, FedRAMP is one of the higher bars to meet. As such, you’re going to need experienced IT and security engineers that are familiar with technical compliance—preferably ones that have actual experience with FedRAMP—to either:

  • Help ensure that your existing environment can meet FedRAMP requirements; or
  • Help you build a new environment that meets FedRAMP requirements.

You might already have this experience internally, but if not, an advisory firm that is accustomed to building infrastructure with a defense-in-depth approach could help you immensely.

But your build-out isn’t the only critical thing in your pursuit of FedRAMP—you do, of course, need to get through an assessment and ensure it’s as thorough as possible to avoid any hiccups with the FedRAMP PMO and/or DISA. In working with Schellman for this phase, you can be sure of two things:

  • That our team of qualified assessors will be the absolute best team we have to offer; and
  • They will be completely focused on ensuring your FedRAMP assessment more than satisfies the PMO and/or DISA. 

2. We Can Handle Any FedRAMP Assessment You Need.

 

Depending on where you are in your FedRAMP journey and what you need—as well as what approach you’re taking to authorization—you may need different types of assessment(s), and Schellman can help you with a number of those:

Assessment Type

Details

Readiness Assessments Reports (RAR)

  • Though these are not requisite ahead of agency-sponsored security assessments, if you’re going the Joint Advisory Board (JAB) route you must undergo one of these (in addition to the full security assessment that follows).
  • Despite it not being a formal requirement for those with agency sponsorship, some CSPs still opt to do these to help gauge their ability to successfully complete a full security assessment.
  • In our experience, organizations that have developed their environments but aren’t leveraging an advisor or those without an agency sponsor commonly complete a RAR.

Security Assessments

  • These are the primary FedRAMP assessments, and there are two types:
    • The initial: Includes all the controls within your risk categorization
    • The annual: Performed after the initial and every year following—about two-thirds of the controls within your risk categorization will be assessed during these.
* Both the initial and the annual require penetration testing as well as a red team assessment, so it will be important to make sure you understand the differences between both necessary exercises.
  • Much about these depends on the risk categorization of your environment—the category you fall into will determine the breadth of your assessment as well as the prescriptiveness of each control (the higher the risk rating, the more controls and, often, the higher the control parameter).

 

Schellman can handle any assessment, no matter the risk category, but what can you expect from each?

 

Risk Category

Details

Low Risk

  • Number of base controls: 156
  • Sometimes referred to as Li-SaaS assessments, these can be tailored—depending on your sponsoring agency’s risk tolerance, they may add additional controls that must be implemented. Not only that, but they may also add prescriptiveness to the base controls.

Moderate Risk

  • Number of base controls: 323
  • This is the most common security assessment we see as 3PAOs.
  • Because of the sheer number of base controls, oftentimes these won’t necessitate any additional tailoring or controls from your agency.
  • (There are exceptions, the most common of which are assessments performed in support of seeking authorization from a Department of Defense (DoD) agency).

High Risk

  • Number of base controls: 410
  • These are the second most common type and there’s the same caveat that your agency may require additional controls.

 

3. We’re Nimble with the Ability to Adapt.

 

If you’re looking for that extra layer of comfort in your 3PAO’s capabilities—or your agency asks you to take the controls being assessed a step further—you might need your 3PAO to be able to pivot to accommodate control overlays. You and your agency may require specific additional requirements that can include privacy, ITAR, or FISMA controls, and that’d be no problem for our team given the depth of our experience and resources.

In other cases, you may also need to have impact level (IL)4, IL5, or even IL6 controls assessed. Even though these are DoD controls prescribed by DISA, you can have them assessed in tandem with your FedRAMP High or Moderate environment.

Our FedRAMP team is practiced in reviewing the documentation for the legal and privacy ramifications and the relevant controls that come into play here, and—as we mentioned before—we’re very familiar with DISA as well. We feel confident that we can handle any unique assessment details that you may need.

Next Steps for Finding Your 3PAO

Nobody wants to eat a subpar pizza, but it helps when the one you order suits your tastes—or in the case of your FedRAMP 3PAO, your needs. Schellman’s established footprint within the FedRAMP Marketplace does indicate some of our capabilities, but to learn more details about our offerings and how we can help you, please reach out to us so that we can schedule a conversation to discuss a possible partnership.

In the meantime, check out our other content regarding FedRAMP that can help you further prepare for this process:

About Andy Rogers

Andy Rogers is a Lead Senior Associate with Schellman based in Indianapolis, IN. Prior to joining Schellman in 2021, Andy Rogers worked as a Cyber Security Consultant, for a Government Aeronautics company specializing in UAVs, Satellites, and FedRAMP audits. Andy Rogers has over 20 years of experience comprised of serving clients in various industries, including health insurance, nuclear energy production, government contracting, IT services, and tactical aircraft manufacturing. Andy Rogers is now focused primarily on FedRAMP, assessing for organizations across various industries.