
We're Dedicated to Defense®

National Security, Cybersecurity & NIST RMF Advisory Services & Solutions for the U.S. Defense Industrial Base (DIB).
We are Arlington, a team of innovative, solution-oriented, highly agile, and well-versed professionals with decades of experience in working with America’s defense industry.

From emerging cybersecurity regulations to helping our clients solve complex security & compliance solutions – and so much more – you can trust Arlington, the firm that’s Dedicated to Defense®. Our professionals are seasoned veterans in the DoD sector, men and women who’ve walked the halls of the Pentagon and many other agencies within America’s intelligence apparatus.

Introduction to the Federal Risk & Authorization Management Program

The Federal Risk and Authorization Management Program (FedRAMP®) was established in 2011 to provide a cost-effective, risk-based approach for the adoption and use of cloud services by the federal government. FedRAMP empowers agencies to use modern cloud technologies, with an emphasis on security and protection of federal information.

In December 2022, the FedRAMP Authorization Act was signed as part of the FY23 National Defense Authorization Act (NDAA). The Act codifies the FedRAMP program as the authoritative standardized approach to security assessment and authorization for cloud computing products and services that process unclassified federal information.
As of 2022, there are three (3) listing designations - FedRAMP Ready, In Process, and Authorized.
  • FedRAMP Ready indicates that a Third-Party Assessment Organization (3PAO) has attested to a CSP’s readiness for the authorization process, and that a Readiness Assessment Report (RAR) has been reviewed and approved by the FedRAMP Program Management Office (PMO).

  • In Process is a designation provided to CSPs that are actively working toward a FedRAMP Authorization with either the Joint Authorization Board (JAB) or a federal agency.

  • The Authorized designation is provided to CSPs that have successfully completed the FedRAMP Authorization process with the JAB or a federal agency.

Overview of FedRAMP Authorization Process

There are two approaches to obtaining a FedRAMP Authorization: a provisional authorization through the Joint Authorization Board (JAB) or an authorization through an agency. In the Agency Authorization path, agencies may work directly with a Cloud Service Provider (CSP) for authorization at any time. CSPs that make a business decision to work directly with an agency to pursue an Authority to Operate (ATO) will work with the agency throughout the FedRAMP Authorization process.

01. Preparation Phase - Readiness Assessment: In the Readiness Assessment step, a CSP may elect to pursue the FedRAMP Ready designation, which is optional for the Agency Authorization process, though highly recommended. To achieve the FedRAMP Ready designation, a CSP must work with an accredited Third-Party Assessment Organization (3PAO) to complete a Readiness Assessment of its service offering. The Readiness Assessment Report (RAR) documents the CSP's capability to meet federal security requirements.

02. Preparation - Pre-Authorization: During the Pre-Authorization step, a CSP formalizes its partnership with an agency via the requirements outlined in FedRAMP Marketplace: Designations for Cloud Service Providers. A CSP also prepares itself to undergo the comprehensive and in-depth authorization process. It makes any necessary technical and procedural adjustments to address federal security requirements and prepares the security deliverables required for authorization.


By this stage, a CSP should:
  • Have a system that is fully built and functional.

  • Have a leadership team that is committed and fully on board with the FedRAMP process.

  • Engage with FedRAMP through the intake process by completing a CSP Information Form.

  • Determine the security categorization of the data that will be placed within the system using the FedRAMP Federal Information Processing Standards (FIPS) 199 Categorization Template.


The final step in Pre-Authorization is to prepare for and conduct a Kickoff Meeting in which a CSP and agency will discuss:

  • The background and functionality of the cloud service.

  • The technical security of the cloud service, including the system architecture, the authorization boundary, data flows, and core security capabilities.

  • Customer-responsible controls that must be implemented and tested by the agency.

  • Compliance gaps and remediation plans.

  • A work breakdown structure, milestones, and next steps.


03. Authorization - Full Security Assessment: During the Full Security Assessment step, the 3PAO performs an independent audit of the system. Prior to this step, a CSP should ensure that their System Security Plan (SSP) is complete and has been reviewed and approved by the agency customer. Additionally, the Security Assessment Plan (SAP) should be developed by a CSP’s 3PAO with their authorizing agency’s input.


During this step, the 3PAO tests the CSP’s system, and at the conclusion of testing, the 3PAO develops a Security Assessment Report (SAR) which details its findings from testing and includes a recommendation for FedRAMP Authorization. Finally, the CSP develops a Plan of Action and Milestones (POA&M) based on the SAR findings, with input from the 3PAO, which outlines a plan for addressing the findings from testing.


04. Authorization - Agency Authorization Process: The next step is the Agency Authorization Process. During this step, the agency conducts a security authorization package review, which may include a SAR debrief with the FedRAMP PMO. Depending on the results of the agency’s review, CSP remediation may be required. Additionally, the agency will implement, test, and document customer-responsible controls during this phase. Finally, the agency performs a risk analysis, accepts risk, and issues an ATO. This decision is based on the agency’s risk tolerance. Once an agency provides an ATO letter for the use of the Cloud Service Offering (CSO), the following actions take place to close out this step:


  • The CSP uploads the Authorization Package Checklist and the complete security package (SSP and attachments, POA&M, and Agency ATO letter), with the exception of the security assessment material, to FedRAMP’s secure repository.

  • The 3PAO uploads all security assessment material (SAP, SAR, and attachments) associated with the CSO security package to FedRAMP’s secure repository.


The FedRAMP PMO performs a review of the security assessment materials for inclusion into the FedRAMP Marketplace. The FedRAMP Marketplace listing for the service offering will be updated to reflect FedRAMP Authorized status and the date of authorization.


05. Continuous Monitoring - Post Authorization: During the continuous monitoring phase, the CSP is required to provide periodic security deliverables (vulnerability scans, updated POA&M, annual security assessments, incident reports, significant change requests, etc.) to all agency customers. Further detail can be found in the FedRAMP Continuous Monitoring Strategy Guide.

Each agency using the service reviews the monthly and annual continuous monitoring deliverables. CSPs use the FedRAMP secure repository for posting monthly continuous monitoring material for ease of access and sharing with agency representatives.

FedRAMP Services

Arlington specializes in providing top-tier FedRAMP advisory services that cater to the unique needs of Cloud Service Providers (CSPs) seeking compliance with the Federal Risk and Authorization Management Program (FedRAMP). Our expertise lies in conducting comprehensive FedRAMP pre-audit measures, such as Scoping & Gap Assessments, a critical first step in achieving FedRAMP compliance.


In our commitment to ensuring the success of our clients, we begin by properly scoping the FedRAMP compliance process for a CSP. Our team of seasoned professionals works closely with your organization to identify the scope of your cloud system, ensuring that all relevant components are included and that nothing is overlooked. To be clear, scoping allows us to create a tailored roadmap for FedRAMP compliance that is both efficient and cost-effective.


Once the scope is established, we’ll conduct a thorough gap assessment against the prescribed NIST 800-53 controls for the LOW, MODERATE, or HIGH baseline to identify areas where your organization falls short of the actual FedRAMP requirements. Our experts identify vulnerabilities, weaknesses, and areas of non-compliance within your current implementation of the NIST 800-53 controls. This comprehensive assessment serves as a crucial foundation for developing a customized action plan, helping your organization prioritize and address these gaps systematically.


Our commitment to delivering top-notch advisory services ensures that your organization is well-prepared to embark on its journey toward FedRAMP compliance, with a clear understanding of the steps needed to reach the desired level of security and assurance.

At Arlington, we offer comprehensive remediation support services because our team of experts understands that achieving FedRAMP compliance is not just about identifying gaps but also about addressing them and remediating them effectively. Specifically, we provide tailored solutions, such as writing policies and procedures based on NIST 800-53 guidelines. Our experts work closely with CSPs to create robust policies and procedures that align with the rigorous security standards mandated by FedRAMP, ensuring that your systems are not only compliant, but also secure and resilient.


Additionally, we assist in the actual implementation of security and technical tools that bolster your organization's cybersecurity posture. From two-factor authentication to File Integrity Monitoring - just to name a few must-have solutions - we understand that a strong technical foundation is essential for FedRAMP compliance. Our team leverages their extensive experience to recommend and implement only approved security technologies and tools that align with your specific needs and regulatory requirements. Ultimately, this ensures that your systems are equipped to defend against evolving threats while maintaining compliance with FedRAMP standards.


Moreover, Arlington recognizes the significance of addressing insider threats, incident response, and contingency planning within the context of FedRAMP compliance. We develop insider threat programs that help you proactively identify and mitigate internal risks, ensuring that sensitive data and systems remain secure. Our incident response and contingency planning services enable you to prepare for and respond effectively to security incidents or unforeseen disruptions, reducing potential risks and minimizing downtime. With Arlington's comprehensive remediation support, we’ll help ensure that your organization is well-prepared to navigate the complex landscape of cybersecurity and data protection, and ultimately, earn FedRAMP accreditation.

Highly Tailored FedRAMP Policies, Procedures, Programs & Plans

Arlington, as a leading firm specializing in crafting NIST 800-53 documentation for Cloud Service Providers (CSPs) seeking FedRAMP certification, has established a distinguished reputation for its expertise in developing industry-leading FedRAMP documentation. Our team possesses an in-depth understanding of the intricate requirements and intricacies of the Federal Risk and Authorization Management Program (FedRAMP) and its alignment with NIST Special Publication 800-53. With a track record of successful certifications, we are well-versed in translating complex security controls and standards into comprehensive and tailored documentation that facilitates a seamless path to FedRAMP compliance for our clients.


One of Arlington's core strengths lies in our ability to design, implement, and document robust insider threat programs, ensuring that our clients' security posture is equipped to address internal threats effectively. We understand that safeguarding against insider threats is a critical aspect of FedRAMP compliance, and our documentation reflects this commitment to comprehensive security. Moreover, our incident response programs are meticulously crafted to provide a clear, step-by-step framework for identifying, mitigating, and recovering from security incidents promptly. In alignment with NIST guidelines, our documentation emphasizes the importance of incident detection and rapid response, thereby fortifying our clients' resilience against potential breaches.


Arlington also places a strong emphasis on contingency planning programs, recognizing their significance in maintaining service availability in the face of unexpected disruptions. Our documentation outlines detailed strategies for data backup, recovery, and continuity of operations, ensuring that our clients are well-prepared to address contingencies while remaining compliant with FedRAMP requirements. Furthermore, our expertise extends to tabletop exercises, which we incorporate into our documentation to simulate and assess our clients' readiness for security incidents and data breaches.


These exercises serve as valuable training tools, allowing organizations to test their incident response plans in a controlled environment, identify areas for improvement, and ultimately enhance their overall security posture. As a result, Arlington's tailored FedRAMP documentation not only meets regulatory requirements but also reflects our commitment to strengthening the cybersecurity defenses of our clients within the ever-evolving landscape of cloud security and compliance.

At Arlington, we understand that writing a comprehensive System Security Plan (SSP) is one of the most grueling and time-consuming aspects of the entire FedRAMP compliance process. Our firm is dedicated to simplifying this critical step for our clients, providing SSP writing services that not only alleviate the burden but also ensure that your organization's security controls and practices are correctly documented and aligned with FedRAMP requirements.


Writing an SSP requires a deep understanding of the intricate FedRAMP framework, as well as the ability to translate complex technical and security concepts into a clear and coherent document. Our team of experts possesses extensive knowledge of FedRAMP guidelines and regulations, and they work closely with your organization to gather all the necessary information and documentation. We streamline the SSP development process by leveraging our experience and best practices, ensuring that every security control, risk assessment, and security policy is accurately represented within the SSP itself. By entrusting Arlington with your SSP writing needs, you can save valuable time and resources while maintaining the highest standards of compliance.


Our SSP writing services not only expedite the process but also enhance the quality and accuracy of your SSP, a foundational document that is crucial for achieving and maintaining FedRAMP compliance. Arlington's dedicated approach to this challenging task ensures that your organization's security posture is well-documented, and all necessary controls and measures are clearly articulated, ultimately facilitating a smoother and more successful FedRAMP certification process.

Want to find the best possible 3PAO FedRAMP assessor, at the best price, that’s truly the best fit for your organization? Then consider Arlington’s 3PAO RFP services. Picking the wrong assessor can cost you an incredible amount of time and money, cause delays in earning your Authorization to Operate (ATO) designation, or – even worse – lead to failing to earn it at all.


Arlington has taken the position of NOT becoming a 3PAO FedRAMP assessor precisely because we can provide much more meaningful value to our clients throughout the entire FedRAMP process in an advisory role. From FedRAMP scoping & gap assessments to policy and procedures writing, along with System Security Plan (SSP) development, project management – and more – it’s important to stay independent of the services performed by a 3PAO.

What we offer in terms of 3PAO services is developing well-written Request for Proposal (RFP) services whereby we actively solicit assessors for bids, then take the time to interview all assessors, and ultimately, hand select the best 3PAO based on your selected criteria (i.e., pricing, timing, referrals, etc.).


Picking the wrong 3PAO FedRAMP assessor can be a disaster, this we know from unfortunate events that have played out in the marketplace for Cloud Service Providers (CSPs). And this is a primary reason Arlington decided to move forward with 3PAO RFP services.

We provide extensive, industry-leading advisory and consulting services for Cloud Service Providers (CSPs) in getting their organization ready to successfully achieve FedRAMP certification. From performing gap assessments to developing security policies and procedures, drafting System Security Plans (SSPs), undertaking tabletop exercises - and much more - we are one of the very few firms in North America specifically dedicated to such solutions.


Because of this, and to maintain our independence, we have opted not to become a 3PAO; rather, we work side-by-side with 3PAOs in getting their clients ready for FedRAMP. The upfront, heavy lifting is often much more time-consuming than the actual FedRAMP certification process.

From Beginning to End, Complete Project Management for FedRAMP

With Arlington, we can manage your entire FedRAMP authorization process from beginning to end (i.e., from the initial FedRAMP scoping & gap assessment to post-Authorization to Operate (ATO) activities), providing essential services for getting you to the finish line in terms of your ATO.


Core services & solutions offered include the following:

Visit arlingtonintel.com to learn more.
