Cybersecurity Compliance | FedRAMP | NIST 800-53
Compliance is painful. There's no way around it. But with years of experience in cybersecurity, a firm handle on NIST SP 800-53 (Rev. 5), and a feather in the cap called building a JAB-authorized FedRAMP program from the ground up - Bluphrog can help you navigate the hundreds of controls and pages of documentation, and establish the management and operational construct you will need to mature your cybersecurity program and successfully get through your Third Party Assessment Organization (3PAO) assessment.
Do You Need FedRAMP?
Any cloud service provider - IaaS, PaaS or SaaS - whose offering will be used by US federal agency customers must obtain a FedRAMP authorization, either an agency Authorization to Operate (ATO) or a JAB Provisional ATO (P-ATO).
Each system must implement the FedRAMP baseline (Low, Moderate or High) that matches its FIPS 199 security categorization, i.e. the impact level of the data it processes and stores. Most SaaS solutions on the market process and store data at the FedRAMP Moderate baseline - which means becoming compliant with the FedRAMP program's interpretation of 323 NIST 800-53 controls across 18 control families.
Roughly one third of the required controls are satisfied by technical implementation (the right tools and technologies, configured correctly); the remaining two thirds involve some amount of management and operational implementation - policies, procedures, evidence and people - not to mention moving through all of the processes and milestones of a FedRAMP authorization.
You will need more than a savvy engineering team to design, build, and operate a FedRAMP compliance program.
If It’s Worth Doing, It’s Worth Doing Right
Bluphrog has built many programs, including a FedRAMP compliance program that resulted in a JAB Provisional ATO (P-ATO). Below are some of the benefits of working with Bluphrog as you develop or support your compliance program:
- Program Management Office (PMO)
Building & Running a Compliance PMO
The best way to manage a compliance program is through a Program Management Office (PMO). Bluphrog can design and stand up the PMO, and build the standards, checklists, meeting cadences, reporting hierarchies, and procedures required to run a mature cybersecurity compliance operation. (See Program Implementation Guide Overview and Description Below.)
- Documentation
Building & Maintaining Documentation
Bluphrog can guide the generation of the System Security Plan (SSP) and its 19 additional appendices, including 36 policies and procedures. Even with OSCAL and documentation automation tooling, a significant amount of the work must still be done by people. Bluphrog is one of those people. (See the Example User Manual below.)
- Compliance Product Management
Managing a Roadmap and Backlog for a Compliant Cloud Offering
It shouldn't surprise anyone that managing a cloud offering under a highly regulated FedRAMP ATO isn't the same as managing a commercial product. In addition to the normal features and capabilities aimed at end users, equal effort must go into defining and prioritizing the work associated with current and future compliance requirements and regulations. Bluphrog is on it!
- Change Management | Change Control
Guiding the Unique Challenge of Change Management in Regulated Environments
One of the biggest culture shifts for today's DevOps teams, used to highly agile decision making and continuous delivery into production environments, is that FedRAMP environments must follow a formal, heavy-handed change management process. Every change must be implemented in an accountable, transparent and documented manner, and significant changes (like full OS release upgrades) also require a Significant Change Request approved by the authorizing body and, in some cases, assessment by a 3PAO before they can be implemented. It's best not to tackle this without someone with hands-on experience! (See Infographic Below.)
- Training
Developing and Delivering Training
Training matters both to the FedRAMP program and to the broader cybersecurity community. Mature cybersecurity operations invest in training that goes well beyond the minimum required by the NIST 800-53 Awareness and Training (AT) control family. With a background in education and cognitive rehabilitation, Bluphrog is a forever champion of continuous learning, and recently established a "Cybersecurity and Compliance Academy" - a training program within a FedRAMP program that embraces continuous learning by defining a prioritized list of topics and scheduling both planned and as-needed brown bag sessions.