old.reddit.com /r/FedRAMP/.rss
Atom Feed


How are you all handling OS upgrades and Significant Changes? Reading through the NIST 800-37 it states that OS upgrades are likely a trigger for a SCR. However, it then states that the org Security Impact Assessment should determine this change to be significant or not. If we are following STIG/SRG configuration requirements, I don't see how upgrading AL2 to AL2023, as an example, would require an SCR. Under RMF and previous DoD C&A framework we re-evaluated every OS upgrade, but that was because OS upgrades rarely happened.

I am planning on bringing this up with our 3PAO, but curious what others are doing around this.

submitted by /u/sdgoat

Rubrik is looking for a Sr. SRE FedRAMP - The Site Reliability Engineering team at Rubrik ensures reliability, availability and performance of our cutting-edge infrastructure services.


submitted by /u/TransportationSea665

Hi, I have been in the software business for 25 years and recently ran across a solution that can deliver non-FedRAMP approved SaaS solutions to Federal Government customers, without the SaaS solution having to spend the time and money getting FedRAMP approved. If you are interested in learning more, let me know.

This solution is already deployed in Production in these environments. It is also easy to demo and prove. We also have high level sponsors.

I know, hard to believe, but we are doing it today and can save software vendors a lot of money, while getting access to these contracts and opportunities.


submitted by /u/Smyrna82

I know that the FedRAMP moderate baseline based on rev 4 of 800-53 has selected 325 controls. But when I look at different spreadsheets for rev 5, I get either 304 or 323. Which is it? And why the difference? Thank you in advance!

IT newbie here so don't hesitate to ask for clarification.

submitted by /u/TheMedernShairluck
VPN is dead? Long live the Jump Host?

Has anyone else run into this bizarre position from PMO? I'm personally aware of dozens of authorized services that use a VPN for privileged access. But they literally told me on a Teams call a couple weeks ago that a bastion host is the only approved method for FedRAMP.

submitted by /u/vennemp

It appears that they rolled this out a while ago and have a few companies listed as - they bring with this the promise of fast tracking not only to FR High but to IL5&6.

Too good to be true or real magic?

submitted by /u/katedevil

This was emailed out so everyone on the FedRAMP email list should have gotten it at the end of April. The template was due for submission on May 10th.

Just wondering how companies involved with FedRAMP are handling this memo and the new template. Has anyone had an Agency sponsor/partner give good guidance on whether or not they need it filled out? My interpretation is that everyone has to fill it out?

submitted by /u/ansiz

After reviewing the SAP/SAR I was wondering to myself if 3PAOs have the skillset to do the pentesting side of the assessment.

In my past jobs we used vulnerability scanning tools to identify issues and automated tools to remedy (or manually if need be).

Do 3PAOs use pentesting companies to test, remediate and write the reports or do most have the skillset to do this?

Also, what tools are commonly used during this process?

I would imagine open source tools like Kali (nmap, Burp, msploit etc...) would not be authorized and there would be a de facto toolset that has been appropriately vetted for federal systems.

Any guidance would be very helpful, thanks in advance!

submitted by /u/vintagenewstart

After reviewing the SAP/SAR workbook I noticed the FedRAMP methodology bundles NIST 800-53(a) granularity into larger single scope sections. Which in turn makes it less likely an organization will pass the control, even partially.

Any reasoning behind this?

Example: theoretical...

Control in NIST AC-1.a[1]....[2]....[3] all separate granularity auditing sections.

Control in FedRAMP AC-1.a[1,2,3] one single audit section.

submitted by /u/vintagenewstart

Retired military and former ISSO and have a few questions. I'm relatively new to FedRAMP but am very versed in the 800-series for RMF and CMMC/CUI systems.

I love the way FedRAMP makes use of inheritance/reciprocity and think I would like to get in on the auditing side.

  1. Would I be competitive for 3PAO roles with only DoD experience? Only hold CISSP now.

  2. Would not having clearances hurt my chances? (expired)

  3. Is there any training for 3PAOs other than what's on the FedRAMP site?

  4. Do 3PAOs do most of the auditing/assessment from the -53(a)?

submitted by /u/vintagenewstart

Can a FedRAMP authorized product use a non-FedRAMP authorized vendor SaaS service with APIs for integration and still maintain its authorized status?

submitted by /u/seema_gu14

Hi guys,

As the title suggests, I have been looking into getting FedRAMP clients for my company for a while now and stumbled upon this page (thank you all for sharing).

I wanted to know: can a Canadian firm get 3PAO certified? If so, is the process the same as for American businesses?

Thank you all in advance!

submitted by /u/Ozzyboi166

Hi all, can anyone recommend a FedRAMP authorized API gateway? AWS Gov has one, but I'm looking for options from experienced practitioners, thanks!

submitted by /u/I_said_watch_Clark_

Does anyone have a standard SOW that can be used for FedRAMP customers that they can share? We're going to begin selling our SaaS on the marketplace and are looking to build out a standard SOW, with FedRAMP language and considerations, but would like to know what others are doing.

submitted by /u/herelikeyouare

Hello. We had a client spring on us at the last second prior to launching their new website that since they are a government contractor they must abide by FedRAMP. I'm not a lawyer (obviously). So I did some digging and it seems FedRAMP only applies to cloud hosting.

So my first suggestion was: can't we just launch on a dedicated (bare metal) server? Then FedRAMP would not apply to their website. They came back with this:

As a defense contractor, we are required to use FedRamp-authorized cloud service providers for storing, processing, or hosting any CUI/CTI

Which still doesn't make sense to me if their website isn't on the cloud, why would cloud regulations apply to it? Is there a requirement to use cloud infrastructure? Also, the website essentially just has a contact form where visitors can submit a business inquiry, and a few landing pages with lead generation forms. Would anything submitted on those be considered CUI/CTI at that point?

Sorry if these are dumb questions and thank you for the help. If you have any insight or recommendations I very much appreciate them.

submitted by /u/hewhofartslast

I'm not aware of Gemini or any other AI tools being FedRAMPed, and don't see it on the marketplace.

Is it FedRAMPed at all? Or is there any security documentation/compliance that can be used for organizational use?

submitted by /u/NAS0824

So we are a small company that has these crazy FedRAMP MBL requirements for our IaaS and SaaS. This compliance program is not available in our region though.

What is the process for a situation like ours? Do I ask for an exception? Is there an equivalent for our region? It's just me and future scalability and planning is key here.

submitted by /u/Appropriate_Cover529

This is really for third-party assessment organizations, but anybody can pipe in.

What quality management system do you use?

What do you like about it? What don’t you like?


submitted by /u/Quadling

I'm very new to the process and it does seem daunting. I'm here to learn about the process, the tricky things, the boring things, time, investment, etc. On that note, would appreciate folks here sharing their experiences regarding the process. Some questions to hit on that will be helpful to me are:

  1. Major problems or steps I should start preparing in advance for

  2. Cases where adjusting or making changes to the product is too hard, how did you go about it?

  3. What are some of the bureaucratic steps I should be ready for? Any personal experiences will be helpful!

  4. What are the major rule type elements e.g., NIST?

submitted by /u/Itchy-Tea5905

Has anyone found a tool that helps generate the ABD for a system on Azure? The struggle is real to build the diagrams by hand. Thanks

submitted by /u/Borderlineseattle

So, we are a small company (<20 full time, plus a few contractors for software development), but we have clients all over the country that operate at various state and federal levels. A few clients have started asking about StateRAMP, but I don't really want to go that route, since we also work with government clients from time to time.

What is the process like for a single person (hi, it's me) who is going to be overseeing pushing our software through the Li-SaaS baseline? Where do I start? I'm currently working on getting us CSA qualified, and I've already told the C-team that eventually we are going to have to pay for external audits and this will require ongoing support, so I'm undoing a lot of bad practices and want us to move forward the right way.

Am I wrong for thinking that I can handle the process of getting us started? I won't be doing the development, I'm just going to handle assessments and policy.

Thanks for any feedback!

submitted by /u/kwirl

Hi, we're working on our FedRAMP Auth Boundary and having a hard time figuring out how our secrets manager fits in. We use a 3rd party, non-FedRAMP SaaS and we use it for passwords/secrets that we use to access clients' sites (which may or may not contain Federal data).

We believe the secrets manager contains no Federal data or Metadata, however it could impact the CIA of Federal Data/Metadata.

To be clear, I feel that this tool falls squarely in our Auth Boundary and hence we should move to a FedRAMP tool (Keeper) or self host in-boundary, but we can't reach a consensus here.

To second that question, would it be fair to say that any lines that cross our defined auth boundary (e.g. between our Gov and Commercial hosting accounts) should be severed where possible (i.e. by moving services into the boundary even if we're not 100% sure that it will handle Federal data/metadata)? Or I guess we face scrutiny on exactly what that cross-boundary line is...

Thank you for helping navigate this minefield!

submitted by /u/MinuteProud5554