Cloud Computing | FedRAMP | Federal Assessments
By:
Schellman
December 16th, 2021
If you’re a cloud service provider, you’re required to make it through the Federal Risk and Authorization Management Program (FedRAMP) in order to receive Authority to Operate (ATO) in the federal marketplace which allows you to provide your services and products for use by the federal government. There are two different avenues you can take to achieve ATO—through the Joint Authorization Board (JAB) or through an agency.
FedRAMP | Compliance and Certification | Federal Assessments
By:
Matt Hungate
September 15th, 2021
As a Third Party Assessment Organization (3PAO), Schellman has been performing FedRAMP security assessments for Cloud Service Providers (CSPs) since 2014. During this time, we have seen our CSP clients pioneer technologies that provide federal agencies an opportunity to leverage new and innovative cloud services, all while modernizing their approach to building, deploying, and managing applications through containerization. Though this gradual shift to containerizing system components has increased CSPs’ operational efficiency and scale, it has also introduced new security risks to FedRAMP systems.
Cybersecurity Assessments | FedRAMP | Federal Assessments
By:
Douglas Barbin
May 13th, 2021
Yesterday, on May 12th, President Biden issued the “Executive Order (EO) on Improving the Nation’s Cybersecurity.” Given that the Order features 11 sections that include both policy and general provisions among others, its 8,080 words is arguably the equivalent of multiple EOs. Such an effort is, no doubt, purposeful by the President—this is significant, and will certainly impact the security worlds of both the government itself and those companies that provide it with software and services.
FedRAMP | Penetration Testing | Federal Assessments
By:
KENT BLACKWELL
July 8th, 2019
Though Amazon’s Relational Database Services (RDS) can make hosting a database much easier, using them can also present new challenges, including some that crop up when you’re trying to scan against security benchmarks or meet compliance initiatives.
By:
MATT WILGUS
March 14th, 2018
Though vulnerability scanning is only one of the control requirements in FedRAMP, it is actually one of the most frequent pitfalls in terms of impact to an authorization to operate (ATO), as FedRAMP requirements expect cloud service providers (CSPs) to have a mature vulnerability management program. A CSP needs to have the right people, processes and technologies in place, and must successfully demonstrate maturity for all three. CSPs that have an easier time with the vulnerability scanning requirements follow a similar approach, which can be best articulated by breaking down the expectations into three stages.
By:
JORDAN HICKS
October 3rd, 2016
When two alpinists approach the same rock wall, they may both have the goal of reaching the summit, but the process they take to get there likely diverges greatly. Maybe one hikes up the backside while the other opts to climb the rock face directly—it likely depends on their individual skills, their gear, etc.
Cloud Computing | FedRAMP | Federal Assessments
By:
MATT WILGUS
May 25th, 2016
Many cloud service providers (CSPs) are not fully addressing the database scanning requirements for FedRAMP and have questions related to database security and FedRAMP. This article details the issues associated with not meeting the database scanning requirement, the most common reasons why this occurs, what can be done to improve this and what to consider with database security beyond scanning.
FedRAMP | Payment Card Assessments | Federal Assessments
By:
MATT WILGUS
July 9th, 2015
Overview In the last 30 days, the FedRAMP Program Management Office (PMO) has published guidance for both vulnerability scanning and penetration testing. The updated guidance comes on the heels of PCI mandating the enhanced penetration testing requirements within its requirement 11.3 as part of the 3.0, now 3.1, version of the DSS. These augmented PCI requirements, introduced in the fall of 2013, took effect on June 30th. For many cloud service providers this means the requirements for vulnerability scanning and penetration testing are more thorough and will require additional resources for planning, executing and remediating findings. This article will walk through the updates and discuss the differentiation between FedRAMP and the PCI Data Security Standard (DSS).