What to Expect from a FedRAMP High Assessment
If you’re considering undergoing a FedRAMP High Assessment, you must understand that this is the most rigorous baseline among the standard FedRAMP options, making it a daunting—if necessary—endeavor. What would likely help is knowing what’s coming in more detail so that you can better prepare.
As the current leading provider of FedRAMP assessments on the Marketplace, we’re here to give you the information that you need for success. In this article, we’ll explain what the FedRAMP High baseline is, what goes into the specific process—including relevant important changes in NIST SP 800-53 Rev 5—and how to set your organization up for success.
What is the FedRAMP High Baseline?
As we mentioned earlier, FedRAMP High is the most rigorous standard baseline, and that’s because when you select this baseline, you’re basically saying that the loss of confidentiality, integrity, or availability (CIA) within your cloud service offering (CSO) would create a catastrophic effect on your organization and related parties, including your federal agency customers and users.
As such, the FedRAMP High baseline—in a big step up from the Low and Moderate alternatives—contains the greatest number of base controls that you must implement to meet the standard:
| Baseline | Base Controls |
|---|---|
| Low Tailored / Low Impact SaaS (LI-SaaS) | 156 |
| Moderate | 323 |
| High | 410 |
Not only that, but you can also expect to have to meet increased requirement levels for many of the standard controls included in the Moderate and Low Baselines, and the updated control requirements in NIST SP 800-53 Revision 5 result in even more obstacles to face, including:
- The control families in scope for the High assessment increased from 17 to 18 to now encompass controls for Supply Chain Risk Management (SR).
- There were also further updates to nearly 100 existing controls.
What are the FedRAMP High Baseline Control Families?
Below is a breakdown of the complete set of NIST 800-53 Control Families, as well as what to include within your CSO’s System Security Plan (SSP) and control implementations at the High Impact Level:
| Control Family | Overview of What Will Be Tested |
|---|---|
| AC Access Control | Administrative and technical controls regarding user account management as well as role-based access controls |
| AT Security Awareness Training | Security and privacy awareness program content, tracking, and training record retention. NOTE: Rev 5 includes updated requirements for privacy-related training |
| AU Audit and Accountability | Security Information and Event Manager (SIEM), log content, log management, alerting, monitoring, as well as log retention configurations. NOTE: Revision 5 updated the audit log retention requirements to align with Executive Office Memorandum M-21-31. |
| CA Security Assessment | Penetration testing, continuous monitoring of the environment’s security posture, system interconnections, Plan of Action and Milestones (POA&M), and overall program monitoring. NOTE: The Revision 5 Baseline includes a requirement for organization-defined red team exercises in CA-8(2). |
| CM Configuration Management | Baseline management, a change management control process, inventory, baseline and configuration scanning, system hardening, and a Configuration Management Plan (CMP). NOTE: Revision 5 requires the use of DISA Security Technical Implementation Guides (STIGs) for baseline configuration settings, as well as tracking any failed baseline checks and warnings from compliance scans. |
| CP Contingency Planning | Data and environment backup, recovery, availability, and contingency plans and testing |
| IA Identification and Authorization | Identification and verification of personnel, password and authenticator management, Common Access Card (CAC) / Personal Identity Verification (PIV) multi-factor authentication (MFA) processes and mechanisms, etc. NOTE: Revision 5 includes the requirement for phishing-resistant MFA and includes new controls for Identity Proofing that align with the Digital Identity Level requirements (Level 3 corresponds to the High Baseline – IAL3, AAL3, and FAL3 alignment are all required). |
| IR Incident Response | Discovery, investigation, reporting, and tracking of incidents. NOTE: The Revision 5 Baseline includes a requirement for functional IR testing to be completed at least annually (IR-3). |
| MA Maintenance | Tracking and logging of maintenance (sometimes this process can be incorporated into your Configuration Management Process) |
| MP Media Protection | Management, storage, protection, tracking of media, and media sanitization testing |
| PE Physical and Environmental Protection | Physical and environmental controls, access control and management of data centers, secure areas, server rooms, etc., as well as management and tracking of related personnel |
| PL Security Planning | SSP, documentation of the system boundary and environment, architecture, network, and data flow diagrams. NOTE: Revision 5 includes the added requirement for privacy planning and analysis as a part of your SSP development. |
| PS Personnel Security | Personnel and contractor management, including onboarding, termination, transfers, and sanctions |
| RA Risk Assessments | Risk assessment and designations, vulnerability scanning—and remediation—mechanisms and processes, as well as infrastructure/OS scans, database scans, web application/API scans, and container scans. NOTE: The Revision 5 Baseline includes a new focus on Supply Chain Risk Assessments in RA-3(1) as well as the required establishment of a Public Disclosure Program in RA-5(11). |
| SA System and Services Acquisition | Software development lifecycle (SDLC) processes and management, including static and dynamic code analysis, vendor management, external system interconnections, third-party risk, and service acquisition. NOTE: The Revision 5 Baseline includes an updated focus on security and privacy requirements for the system development process. |
| SC System and Communications Protection | Protection of external/internal data-in-transit, data-at-rest, internal/external encryption (FIPS 140-2 cryptography), Public Key Infrastructure (PKI), implementing subnets, and boundary protection mechanisms. NOTE: Rev 5 introduced SC-45 and SC-45(1) System Time Synchronization testing, which pulled control implementations from AU-8 and AU-8(1). |
| SI System and Information Integrity | Information system monitoring, verification of the functionality and security of the system, including flaw remediation, file integrity monitoring, antivirus, spam protection, etc. |
| New Control Family Defined in NIST 800-53 Rev 5 FedRAMP Baseline | |
| SR Supply Chain Risk Management | Supply chain risk management plan documenting all the planned execution of supply chain security requirements, as well as anti-counterfeit training, alerting, and integration with the service provider’s Incident Response Plan |
What is the FedRAMP High Baseline Assessment Process?
Once you’ve made all the necessary implementations for the High baseline, your FedRAMP assessment process can be broken into two stages.
Stage 1
First, you’ll conduct planning and preparation activities while working alongside your 3PAO to complete the Security Assessment Plan (SAP) which will:
- Document the scope of manual controls testing and penetration testing (including a review of the penetration testing vectors in scope)*;
- Identify the controls to be assessed**; and
- Detail the sampling methodology to be used by the 3PAO during the assessment.
* Please note the requirement for a cloud service provider (CSP) to conduct penetration testing is separate from the CA-8(2) requirement for a provider to complete red team exercises. (This holds true for both FedRAMP High and Moderate Assessments.)
** During an initial assessment, all 410 of the High Baseline Controls will be in scope whereas during the following annual assessments, that number will be reduced to a core set of annual controls along with roughly one-third of the remaining controls tested during the initial assessment.
Stage 2
Once the SAP is set, the bulk of the testing activities will begin, and their results are compiled into the Security Assessment Report (SAR). Overall, Stage 2 assessment activities should include:
- Execution of the penetration test
- Interviews and discussions on CSO control implementations with system owners
- Inspection of evidence provided and observations of controls in place
- Analysis of vulnerability scans and related reporting
How to Prepare for a FedRAMP High Assessment
So how do you get through this successfully? Your preparation and planning will be key, especially now, given the transition to Revision 5, as the additions mean more resources and effort need to be directed toward developing a detailed SSP and ensuring new controls are accurately implemented throughout your system environment.
Some areas of focus that we recommend you pay particular attention to during your initial preparation include:
- (SC-13) Cryptographic Protection
- Focus especially on the implementation of FIPS 140-2 validated cryptographic modules throughout your system environment for the protection of all data-at-rest and data-in-transit, as well as in multi-factor authenticators.
- During your assessment, your 3PAO will need to verify the active status and FIPS-enabled mode of operation for each of the offering’s cryptographic modules—if there are any issues identified during this process, it could be a showstopper for your assessment.
- (RA-5) Vulnerability Monitoring and Scanning
- For the High Assessment, your requisite monthly scans must be performed in an authenticated manner for all components within the CSO’s Authorization Boundary, including infrastructure/OS, database, web application, and container vulnerability and compliance baseline scans. (This level of depth for vulnerability scanning is the same for both FedRAMP High and Moderate Assessments.)
- Moreover, any identified vulnerabilities that remain open at the end of the assessment period must be reported within the SAR.
- (CM-6) Configuration Settings
- Remember that Revision 5 requires CSPs to document and track all failed compliance checks and compliance scan warnings as a part of their Continuous Monitoring Process. Any failed checks and warnings will likely be reviewed, verified, and tracked by your 3PAO and included in your final assessment report.
- Moreover, please note that the benchmark for these compliance scans is the most up-to-date version of the DISA STIG baselines.
- (AU-11) Audit Log Retention
- Due to Revision 5’s updated guidance for AU-11 (Audit Record Retention) that points to Executive Office Memorandum M-21-31, service providers should support data retention periods of 12 Months for data in Active Storage and 18 Months for that in Cold Data Storage.
- “Active Storage” = data stored in a manner that facilitates frequent use and ease of access
- “Cold Data Storage” = data storage in a manner that minimizes costs while allowing some level of access and use
- (IA-2 / IA-5 / IA-12) Digital Identity Level 3 Requirements
- For the FedRAMP High Baseline, Cloud Service Providers need to ensure their Service Offering aligns with the NIST SP 800-63-3 Digital Identity Level 3 Guidelines, which can be broken down into three core components:
- IAL – Identity Assurance Level (Level 3 for High)
- AAL – Authenticator Assurance Level (Level 3 for High)*
- FAL – Federation Assurance Level (Level 3 for High)
*While each of the assurance levels requires additional layers of effort, this AAL3 level deserves specific focus, as one of the most common methods of achieving this standard requires physical hard token MFA devices (e.g., FIPS Validated YubiKeys).
- (IA-2) Phishing Resistant MFA
- Given Revision 5’s new IA-2 control requirement for Phishing Resistant forms of Multifactor Authentication (MFA), your Service Offering should have a much more direct pathway to implement this control requirement—many hard token MFA devices should support configurations for phishing resistance, but your team will need to verify these configurations are in place.
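The SC-13 item above says the 3PAO will verify the active status and FIPS-enabled mode of each cryptographic module. The following is an added example, not code from the article or from Schellman, of a small pre-assessment probe a CSP can run on its own Linux hosts before the assessor does: it reads the kernel FIPS flag and parses the provider listing that `openssl list -providers` prints on OpenSSL 3 to confirm the FIPS provider is active. The hostname and the sample provider listing are constructed for illustration.

```python
"""Added example (not from the original article): a pre-assessment probe for
SC-13 that checks the two things an assessor will ask for on each Linux host,
the kernel FIPS flag and an active OpenSSL 3 FIPS provider. The hostname and
the constructed sample listing below are assumptions."""
import subprocess
from pathlib import Path
from typing import Optional, Union

# Standard location of the kernel flag on FIPS-capable distributions; the
# path is a parameter so the check can also be run over a collected copy.
KERNEL_FIPS_FLAG = "/proc/sys/crypto/fips_enabled"


def kernel_fips_enabled(flag_path: Union[str, Path] = KERNEL_FIPS_FLAG) -> Optional[bool]:
    """True if the kernel reports FIPS mode ("1"), False if it reports "0",
    None if the flag is absent (kernel built without FIPS support)."""
    try:
        return Path(flag_path).read_text().strip() == "1"
    except OSError:
        return None


def parse_providers(listing: str) -> dict:
    """Parse the text printed by `openssl list -providers` into
    {provider_name: status}. Provider names sit at two-space indent and
    their attributes (name, version, status) at four-space indent."""
    providers, current = {}, None
    for line in listing.splitlines():
        if line.startswith("    ") and current:
            key, _, value = line.strip().partition(":")
            if key == "status":
                providers[current] = value.strip()
        elif line.startswith("  ") and line.strip():
            current = line.strip()
            providers.setdefault(current, "unknown")
    return providers


def fips_provider_active(listing: str) -> bool:
    """A host only passes when a provider literally named 'fips' is active."""
    return parse_providers(listing).get("fips") == "active"


def collect_provider_listing() -> str:
    """Run the real command on this host; returns "" if openssl is missing,
    which the evidence row then reports as a gap rather than a pass."""
    try:
        return subprocess.run(["openssl", "list", "-providers"],
                              capture_output=True, text=True, check=False).stdout
    except OSError:
        return ""


def evidence_row(host: str, kernel_flag: Optional[bool], listing: str) -> dict:
    """One row for the evidence table handed to the assessor; 'finding' is
    None only when both the kernel flag and the FIPS provider check out."""
    provider_ok = fips_provider_active(listing)
    gaps = []
    if kernel_flag is not True:
        gaps.append("kernel fips_enabled != 1")
    if not provider_ok:
        gaps.append("OpenSSL FIPS provider not active")
    return {"host": host, "kernel_fips": kernel_flag,
            "fips_provider": provider_ok, "finding": "; ".join(gaps) or None}


# Constructed sample in the shape of `openssl list -providers` output.
SAMPLE_LISTING = """Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.7
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.7
    status: active
"""

if __name__ == "__main__":
    # Row for the constructed sample (hostname assumed) and one for this host.
    print(evidence_row("app-01.example.internal", True, SAMPLE_LISTING))
    print(evidence_row("localhost", kernel_fips_enabled(), collect_provider_listing()))
```

Run it under the same account and container image the offering actually uses; a FIPS provider that is installed but not activated in `openssl.cnf` shows up as missing from the listing, which is exactly the kind of gap the assessor will flag.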
(For more information on some other common FedRAMP Assessment pitfalls, please click here.)
To minimize any potential gap in your security plan, your team needs to ensure everyone is on the same page from the beginning so that your team develops your systems in line with the requirements of the FedRAMP High Assessment.
The sooner you can begin bringing your CSO up to standard, the better, but you may find you need some outside help in this—if so, check out our article on FedRAMP consultants here.
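The AU-11 item above quotes the M-21-31 periods the article expects a service provider to support: 12 months in active storage and 18 months in cold storage. As an added example (not code from the article or from Schellman), the script below turns those two numbers into a placement check over a catalogue of log archives, reporting archives that should already have moved to cold storage and archives that have aged past the combined window. It assumes the cold period follows the active one (30 months in total); the archive names and dates are constructed.

```python
"""Added example (not from the original article): an AU-11 retention-tier
check using the periods the article quotes from M-21-31, 12 months active
followed by 18 months cold. The 'followed by' ordering (30 months total) is
an assumption here; archive names and dates are constructed."""
from dataclasses import dataclass
from datetime import date

ACTIVE_MONTHS = 12
COLD_MONTHS = 18
TOTAL_MONTHS = ACTIVE_MONTHS + COLD_MONTHS


@dataclass
class LogArchive:
    name: str
    created: date   # date of the newest event in the archive
    storage: str    # where it currently lives: "active" or "cold"


def months_elapsed(start: date, end: date) -> int:
    """Whole calendar months from start to end; a partial month is not counted,
    so an archive is never moved or disposed of early."""
    months = (end.year - start.year) * 12 + (end.month - start.month)
    if end.day < start.day:
        months -= 1
    return months


def required_tier(created: date, today: date) -> str:
    """Tier an archive should be in on `today`: active, cold, or expired
    (past the combined window and eligible for review for disposal)."""
    age = months_elapsed(created, today)
    if age <= ACTIVE_MONTHS:
        return "active"
    if age <= TOTAL_MONTHS:
        return "cold"
    return "expired"


def audit_retention(archives: list, today: date) -> list:
    """One finding per archive whose current placement does not match the tier
    it should be in; an empty list means the catalogue is consistent."""
    findings = []
    for a in archives:
        expected = required_tier(a.created, today)
        if expected == "expired":
            findings.append(f"{a.name}: beyond {TOTAL_MONTHS}-month window, review for disposal")
        elif expected != a.storage:
            findings.append(f"{a.name}: in {a.storage} storage, should be {expected}")
    return findings


# Constructed sample catalogue as of an assumed assessment date.
ASSESSMENT_DATE = date(2024, 6, 15)
SAMPLE_ARCHIVES = [
    LogArchive("siem-2024-01", date(2024, 1, 31), "active"),  # 4 months: fine
    LogArchive("siem-2023-03", date(2023, 3, 31), "active"),  # 14 months: should be cold
    LogArchive("siem-2022-09", date(2022, 9, 30), "cold"),    # 20 months: fine
    LogArchive("siem-2021-06", date(2021, 6, 30), "cold"),    # 35 months: expired
]

if __name__ == "__main__":
    for line in audit_retention(SAMPLE_ARCHIVES, ASSESSMENT_DATE):
        print(line)
```

Feeding it the real archive inventory (object storage listings, SIEM cold-tier indices) on a monthly schedule gives the continuous-monitoring evidence that the retention periods are not just documented but enforced.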
Setting Clear Expectations for Your FedRAMP Process
You can expect the FedRAMP High Assessment to be an extensive process, and you should prepare your personnel for their participation. Should your 3PAO discover any discrepancies or missed implementations during their evaluation, they will report these risks to your team and note them in a Risk Exposure Table—a supplemental document that outlines all the risk-related findings identified during your FedRAMP Assessment and serves as the centerpiece for both your SAR and your potential recommendation for FedRAMP Authorization from your 3PAO.
After your assessment, your team will need to use all this information to create a Plan of Action and Milestones (POA&M) outlining your strategy for addressing any identified findings, and once complete, the SAR and supporting documents can be submitted via one of two authorization options (you’ll likely have already determined which road you’ll take before your assessment commences):
Now that you understand more about what to expect from a FedRAMP High Assessment, you can move forward to success through careful and specific planning and consideration. But should your team have any further questions about the complexities of this federal compliance program or Schellman’s role as a 3PAO, please feel free to contact us.
About Charles Turnbow
Charles Turnbow is a Senior Associate at Schellman. He previously served in the military as an intelligence officer before entering the civilian workforce as a strategic aerospace, intelligence, and security consultant supporting global operations within the Intelligence Community. Now at Schellman, Charles is focused on providing federal assessments.