Page 15 | A-LIGN

With the rise in cybersecurity attacks comes wariness from customers — no one wants to work with an organization that has an increased risk of falling victim to an attack. And when it comes to the Federal government, that rings especially true. 

The Federal government has put measures into place to help mitigate risk when working with partner organizations. In fact, these organizations are required to maintain certain cybersecurity standards and authorizations in order to do business with the Federal government.  

One of those requirements is the Federal Risk and Authorization Management Program, also known as FedRAMP. In this post, we’ll provide you with everything you need to know about the FedRAMP authorization process.   

What is FedRAMP?  

With cyberattacks and cloud-based technologies on the rise, federal departments and agencies needed a cost-efficient and risk-based approach to cloud adoption.  

This led to the creation of the Federal Risk and Authorization Management Program (FedRAMP) in 2011. FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring specifically for cloud products and services used by federal entities that store, process, and transmit federal information.  

What is the goal of FedRAMP? 

As a government cybersecurity framework, the goal is to accelerate the adoption of secure cloud solutions through the use of assessments and authorizations. For organizations that achieve FedRAMP authorization, it’s a powerful validation of the security of the organization’s cloud solution.    

Why is FedRAMP important?  

FedRAMP increases confidence in the security of cloud solutions through continuous monitoring and consistent use of best information security practices and procedures. This streamlined, regulated approach helps mitigate the risk of cyberattacks.  

Who needs FedRAMP Authorization?  

Federal agencies that host their technology in the cloud are required to use a FedRAMP certified Cloud Service Provider (CSP). If you are looking to do business with the government and host federal systems, then FedRAMP applies to your environment, and you will need authorization.  

What are the key benefits of FedRAMP Authorization? 

Becoming authorized offers CSPs many benefits, including: 

  • Improved real-time security visibility 
  • A uniform approach to risk-based management 
  • Significant savings on cost, time and resources by de-duplicating efforts related to meeting federal cybersecurity requirements 
  • Increased re-use of existing security assessments across agencies  
  • Enhanced transparency between government and CSPs  
  • Improved trustworthiness, reliability, consistency and quality of the Federal security authorization process  

Does FedRAMP apply to global organizations? 

Yes. Many global organizations are seeking to secure new business deals to strengthen their customer base. If international businesses want to sell a cloud service offering to the U.S. government, they should pursue FedRAMP authorized status.  

Why is FedRAMP Certification valuable to cloud service providers (CSPs)? 

Federal cloud spending has seen a rise in recent years. In fact, analysis from Deltek found that federal cloud spending reached nearly $11 billion in FY 2021, up more than 40% from the $7.6 billion spent in 2019. CSPs looking to capitalize on this trend should seek to achieve FedRAMP Authorized status.   

FedRAMP can also be reused to sell to multiple agencies. In fact, if you already have authorization, it can simplify the certification process for other federal and defense programs, like the DoD’s Cloud Computing Security Requirements Guide (CC SRG)   

Who can perform a FedRAMP assessment?  

Only accredited FedRAMP Third Party Assessment Organizations (3PAO) may perform FedRAMP assessments. 

How do I get FedRAMP certified? 

FedRAMP is an integrative standardized assessment designed to be a common one-stop-shop for CSPs seeking to do business with the U.S. government.  

There are two paths CSPs can take to achieve authorization:  

  1. Through an agency sponsorship, where a government entity vouches for a CSP, streamlining the approval process.
  2. Through the Joint Authorization Board (JAB). The JAB is the primary governance and decision-making body for FedRAMP.

Although organizations are able to choose which process they’d prefer to take, most organizations choose to achieve certification via agency sponsorship. This is because the JAB path is very competitive as they only select 12 systems per year (specifically, three per quarter).    

[Figure: FedRAMP agency process vs. JAB process]

What is JAB P-ATO Status?  

The JAB is the primary governing body for FedRAMP and includes the Department of Defense (DoD), Department of Homeland Security (DHS), and General Services Administration (GSA). The JAB selects approximately 12 cloud products a year to work with for a JAB Provisional Authority to Operate (P-ATO).   

The JAB Authorization process involves:   

  1. An evaluation via FedRAMP Connect
  2. Completing a FedRAMP Ready assessment
  3. Completing a full security assessment
  4. Achieving authorization via the JAB
  5. Continuous monitoring post-authorization

What is Agency ATO Status?  

In the Agency Authorization path, agencies may work directly with a CSP for authorization at any time. CSPs that make a business decision to work directly with an agency to pursue an ATO will work with the agency throughout the FedRAMP Certification process.   

The Agency Authorization process involves:   

  1. An optional, yet highly recommended, FedRAMP Ready assessment
  2. Pre-authorization
  3. Achieving agency authorization
  4. Continuous monitoring post-authorization

What are the key processes involved with a FedRAMP Assessment and Authorization?   

Regardless of which method (agency sponsorship vs. JAB) you choose, the authorization process always involves:   

  1. A Preparation Phase, where the provider completes a System Security Plan (SSP). After this, a FedRAMP-approved third-party assessment organization (3PAO) develops a Security Assessment Plan.
  2. A Full Security Assessment, where the assessment organization submits a Security Assessment Report and the provider creates a Plan of Action & Milestones (POA&M). The security assessment evaluates a company’s policies and procedures against the applicable NIST 800-53 controls. Once authorization is granted, continuous assessment and authorization guidelines must be in place to uphold it.
  3. Authorization, where the JAB or authorizing agency determines whether the risk as described is acceptable. If confirmed, they submit an ATO letter to the FedRAMP project management office. The provider is then listed in the FedRAMP Marketplace.
  4. Continuous Monitoring, where the provider sends monthly security monitoring deliverables to each organization using the service.

  

What’s the timeline of a FedRAMP Assessment? 

Step 0. Gap Assessment (recommended). It’s recommended you complete a gap assessment to address any holes in your environment. This ensures a CSP is ready for the FedRAMP authorization assessment to be submitted for FedRAMP Authorized status.

Step 1. Pre-Assessment Review (1-4 weeks)

Step 2. Planning Activities (4 weeks)

Step 3. Assessment Activities (7 weeks)

Step 4. Reporting Activities (5 weeks)

Step 5. Sponsor Issues Authority to Operate (2-3 weeks); the CSP is then listed in the FedRAMP Marketplace

Step 6. Maintain Authorization

How long is FedRAMP valid? 

A FedRAMP Ready designation is only valid on the Marketplace for twelve months. 

What are the impact levels of FedRAMP compliance? 

[Figure: FedRAMP control levels]

Low Impact SaaS (FedRAMP Tailored or LI-SaaS): LI-SaaS is a subset of the Low baseline and typically includes 50+ controls to be independently assessed. This baseline accounts for SaaS apps that do not store personally identifiable information beyond basic log-in information, like usernames and passwords. Organizations that achieve the LI-SaaS level would experience minor adverse effects should a loss of confidential information occur. Information about the security controls required for this designation can be found here.

Low Impact Level: Low includes about 125 controls. Organizations that achieve the Low authorization status would experience limited adverse effects if a loss of confidential information occurs.

Moderate Impact Level: Moderate includes about 325 controls and the vast majority of organizations fall into this category. The loss of confidential information in this category would have a serious impact on an organization.

High Impact Level: High includes approximately 425 cybersecurity controls and mainly includes organizations that work in law enforcement and emergency services systems, financial systems, and health systems. Organizations should especially pursue High impact if any loss of confidential information could be expected to have a catastrophic impact.

Please note, the number of controls for each impact level is currently based on NIST 800-53 Revision 4 and will change with the transition to Revision 5. The transition plan and associated templates and guidance are expected to be released by the end of 2022.

For more information about the security controls required for each designation, click here.

FedRAMP vs. FISMA/NIST RMF 

Prior to FedRAMP, the U.S. government introduced the Federal Information Security Modernization Act of 2014, or FISMA. 

FISMA is the law directing government agencies to develop and maintain an information security program. FedRAMP is a cloud-specific implementation of the NIST RMF. Even though FISMA and FedRAMP use the same standard, drawing on the same control set within NIST 800-53, the two have different authorization processes.

In order to bring together all of the FISMA-related security standards, NIST created the Risk Management Framework. Whereas FISMA establishes the requirements of an agency’s cybersecurity program, RMF helps determine how that program should review, assess, and approve IT systems for use.     

What’s the difference between FedRAMP and StateRAMP? 

StateRAMP can be thought of as FedRAMP compliance for state and local governments, and it has a Security Assessment Framework that is based on the National Institute of Standards and Technology Risk Management Framework (NIST RMF).   

StateRAMP offers a fast track to authorization for current FedRAMP authorized services.  

Is continuous monitoring needed for FedRAMP? 

Yes. Monthly updates (scans and POA&Ms) to the Agency Sponsor or JAB (based on authorization pathway) are important to ensure your organization has maintained compliance with FedRAMP. Annual assessments that include penetration testing, select control assessment, system scanning, and more are critical to your continued compliance standing.  

If your organization has experienced any significant changes that will impact your compliance standing, you’ll need your agency or JAB to review and assess through a Significant Change Request Assessment. 

What are FedRAMP key terms? 

Check out our FedRAMP compliance glossary of terms to learn the definitions for Third Party Assessment Organizations (3PAO), authority to operate (ATO), cloud service provider (CSP), Federal Information Security Modernization Act (FISMA), joint authorization board (JAB), National Institute of Standards and Technology (NIST) and more.  

What are the common challenges of FedRAMP authorization?  

  • CSPs Might Not Know Authorization Is a Detailed Process: FedRAMP security standards are more prescriptive than general security assessments and require granular detail.
  • CSPs Might Overlook the Benefits of Control Inheritance: Inheriting as many security controls as possible from your CSP organization’s underlying FedRAMP authorized infrastructure provider will save time and resources. 
  • Organizations Underestimate the Power of Automation: Compliance automation software can help automate and streamline your authorization process. 

What’s new with FedRAMP?  

The FedRAMP Rev 5 Baselines: The final Rev 5 baselines and transition plan to Rev 5 are expected in early 2023. The biggest difference between the Rev 4 and Rev 5 baselines is that FedRAMP has introduced a threat-based methodology to determine which controls should be added on to the established NIST 800-53 Rev 5 baselines.  

The Updated Readiness Assessment Report (RAR): A RAR is what CSPs use to determine if they are ready to undergo the extensive FedRAMP certification process. In a thorough 19-page document, FedRAMP provided updated guidance as well as templates for 3PAOs evaluating CSPs for readiness.

Helpful FedRAMP Resources 

  • Lifeline Data Centers Earns FedRAMP “Ready” Designation with A-LIGN 
  • What is FedRAMP and Why Does My Organization Need It? 
  • Federal Compliance Definitions: A Glossary of Terms 
  • 3 Tips to Prepare for FedRAMP Authorization 

Beginning the Authorization Process   

FedRAMP can help organizations win more business and stand out from their competition, but the approval process is detailed.   

As a CSP, you must implement the appropriate controls before you can begin the FedRAMP certification process. Whether you seek authorization via an agency or through the JAB, it is important to ensure you have a trusted resource to help guide you through the process.   

A-LIGN is a top accredited FedRAMP 3PAO, having helped organizations worldwide achieve full authorization.   

If you are a CSP currently providing, or seeking to provide, services to federal agencies, speak to an expert at A-LIGN about the FedRAMP authorization process.  

At a time when cyber-attacks are occurring at unprecedented rates, maintaining information security is paramount. Organizations can demonstrate their commitment to data security by undergoing a SOC 2 audit, which assesses the controls designed to protect an organization’s system or services. There are two types of SOC 2 audits: Type 1 and Type 2. Many organizations elect to start with a Type 1 audit, and later move to a Type 2.  

In this article, we explore the two types of SOC 2 audits, the process of moving from a SOC 2 Type 1 audit to a Type 2, and the value they each bring.  

SOC 2: Type 1 and Type 2 

Any SOC 2 audit will evaluate your internal security management system based on one or more of the following five categories: Security (required), Availability, Processing Integrity, Confidentiality, and Privacy. The difference between a Type 1 and Type 2 audit is largely (but not entirely) based on time. 

  • Type 1: This assessment evaluates the design of internal security controls at a single point in time – perhaps on a specific date: February 1.  
  • Type 2: This assessment evaluates the design and effectiveness of internal security controls over a duration of time – perhaps a 12-month period starting on February 1.   

A Type 2 audit is more comprehensive because it seeks to examine not just the design of security controls, but how the controls work on a daily basis. A Type 2 report is more robust than a Type 1 report as it covers a span of time and tests an array of samples across the different high-risk areas.  

So why might an organization that has undergone a Type 1 decide later to undergo a Type 2?  

The Process of Moving from a SOC 2 Type 1 to a Type 2 

Even if your organization previously completed a Type 1 audit, you should expect to invest additional time and resources into the process of completing a SOC 2 Type 2. The biggest difference in moving to a Type 2 is the quantity of sample evidence that is requested, as a Type 1 report only looks at one sample.  

The first step in the SOC 2 Type 2 audit process is to determine the length of the review period. Type 2 audits typically cover a one-year period, but can vary based on contractual requirements between an organization and its clients. Once the review period has been determined, the organization and its auditor will have walkthrough meetings (similar to a Type 1 audit) to understand the security processes and procedures that have been put in place.  

Each auditing firm uses a sampling methodology driven by AICPA (American Institute of Certified Public Accountants) guidance. Expect your auditor to request multiple samples, and to review various population pulls within the designated time period. Samples might be pulled on an annual, quarterly, monthly, or daily basis, depending on the frequency and nature (manual vs. automated) of the controls being tested.

Moving from a Type 1 to a SOC 2 Type 2 

While a SOC 2 Type 1 audit signals to partners and clients (both current and prospective) that you take information security seriously, there are instances where it would be beneficial to pursue a Type 2. These include: 

  • Contractual obligations – A customer might request that your company obtain a Type 2 report and might even define the length of the review period (six months, nine months, a year, etc.). 
  • To develop rapport with clients – Business is built on trust and moving to a Type 2 helps give assurance to your clients that their information is in good hands.  
  • To build brand recognition/competitive advantage – Undergoing a Type 2 audit is more time-intensive than a Type 1, and so completing the assessment demonstrates your company’s dedication to security. This can set your business apart from competitors.  

What is the Value of Moving from a SOC 2 Type 1 to a SOC 2 Type 2? 

While a SOC 2 Type 1 report confers benefits to organizations by demonstrating their commitment to information security, a SOC 2 Type 2 report has even greater value. This report shows that an organization has not only designed controls, but they were operating effectively through the determined review period. It can therefore be concluded that the organization is capable of maintaining information security.  

Value can also be gained through building an environment that is focused on streamlining regulatory compliance efforts. Organizations that only undergo a Type 1 audit are likely to maintain defined controls once a year. But when going through a Type 2 audit, the organization must monitor and maintain controls throughout the full year. This helps in streamlining and reinforcing policies and procedures among team members on an ongoing basis.  

Thinking about moving from a SOC 2 Type 1 to a Type 2? A-LIGN can help you navigate the process. We’re more than an auditor. We’re a partner that has completed over 5,000 SOC 2 reports and is the top SOC 2 issuer in the world. Contact us to get started on your SOC 2 Type 2 journey.

This blog post is a recap of our Demystifying FedRAMP webinar, hosted alongside our partners at Anitian. View the full webinar recording here. 

FedRAMP (the Federal Risk and Authorization Management Program) was established in 2011 as a way to accelerate the adoption of cloud solutions, and increase confidence in the security of those cloud solutions, across the Federal government.

FedRAMP is an authorization program versus a certification program, meaning that businesses go through a rigorous security review process and are then granted an Authority to Operate (ATO) and listed in the FedRAMP Marketplace. The Marketplace is a comprehensive list of cloud products and services that are approved to work with federal agencies.

Prior to undergoing the FedRAMP authorization process, there are a few key things that organizations should keep in mind to prepare for FedRAMP success.

1. Executive Buy-in and Cooperation is Key 

Federal agencies spent nearly $11 billion on the cloud in FY 2021, which spells huge opportunities for cloud service providers. But the journey to FedRAMP authorization is long. It involves many evidence requests, as well as lots of writing-heavy work to document policies and procedures. Before undertaking all of this work, it’s essential to get executive buy-in on the importance of FedRAMP authorization, which, despite the monetary opportunities present in the federal market, isn’t always easy.

In our extensive experience helping organizations earn FedRAMP authorization, we’ve seen many expensive and time-consuming delays stem from misalignment over priorities within the overall corporate environment. This misalignment makes a long process even longer and will only cause your organization to miss out on opportunities to expand within the government sector. 

2. Consider Automated Solutions 

If management is hesitant to give buy-in on FedRAMP because of the numerous evidence requests and documentation requirements, consider a software solution that can automate and streamline tedious tasks and make the process significantly easier. 

Anitian’s SecureCloud for Compliance Automation platform and A-LIGN’s audit automation and compliance management software, A-SCEND, help streamline the compliance process. SecureCloud automates the documentation process with template libraries and reference architectures, and tracks progress toward FedRAMP authorization to help teams stay on track. A-SCEND centralizes evidence collection, standardizes compliance requests across multiple security frameworks, consolidates audits, and more.

With automated software solutions, organizations also benefit from an “enter once, populate everywhere” system, removing the need to upload the same documents and information to multiple places during the FedRAMP preparation and evidence gathering phase. This is hugely beneficial, as there are hundreds of pieces of evidence that must be reviewed in a typical FedRAMP authorization.

Both tools are also auditor-assisted, with real humans who can answer any questions you have and help you use the tools to their full potential.  

3. Don’t Overlook the Benefits of Control Inheritance 

Control inheritance is extremely useful on the road to FedRAMP authorization. Essentially, control inheritance is when your business automatically inherits certain security controls from an underlying infrastructure provider that is already FedRAMP authorized. A great example would be hosting your product on top of AWS or Azure Government — both of which are already FedRAMP certified.  

If FedRAMP authorization is in your future, make sure to consider the benefits of control inheritance.  

Get Started With A-LIGN 

The experts at A-LIGN can assist you every step of the way toward FedRAMP authorization. We can help with implementing appropriate controls, completing a FedRAMP Readiness Assessment Report (RAR), and ensuring you meet FedRAMP requirements by using Federal Information Processing Standards (FIPS) models for low, moderate, or high-impact organizations.

In 2021, we saw cyberattacks and ransomware increase with a vengeance, and 2022 has proven to be even more challenging.

In our 2022 Compliance Benchmark Report, we surveyed more than 700 cybersecurity, IT, quality assurance, internal audit, finance, and other professionals about their compliance programs to gain a better understanding of their organization’s position when it comes to compliance, including strengths, weaknesses, and opportunities. 

Here’s how organizations across industries are responding to increased threats and best preparing.

Ransomware Is at an All-time High 

A third-party assessment firm like A-LIGN can help you discover where your cybersecurity posture currently stands. Our one-of-a-kind Ransomware Preparedness Assessment reviews your risk, security preparedness, and the strength of your existing controls, helping you determine if your planned response to a security event is acceptable. 

Zero trust is an idea that has been gaining traction in the world of cybersecurity over the past few years. It is a key component of President Biden’s Executive Order (EO) on Improving the Nation’s Cybersecurity (issued in May 2021) and it is a trend that Gartner has been tracking closely. The analyst firm predicts that spending on zero trust solutions will grow from $820 million this year to $1.674 billion by 2025. 

But what is zero trust? And, what makes it an effective solution to mitigate cybersecurity threats? Zero trust is an IT security model that focuses on restricting information access within an organization to only those who need it. The premise of zero trust is to assume that threat actors are present both inside and outside an organization — therefore no users or machines are trusted by default.  

In our 2022 Compliance Benchmark Report, we surveyed more than 700 cybersecurity, IT, quality assurance, internal audit, finance, and other professionals about their compliance programs. Here’s what we learned about how organizations are thinking about zero trust strategies.  

Zero Trust Priorities Vary Between Industries 

While over half of our survey respondents (58%) agree or strongly agree that zero trust is a strategy they must implement in the next 12 months, 29% said they are not sure what they think about its level of importance.  

Priorities vary between industries, with IT services (68%), manufacturing (65%), and technology (64%) companies providing the highest amount of agree/strongly agree answers. On the other end of the spectrum, finance (49%) and professional services (47%) had the lowest amount of agree/strongly agree responses. 

It’s important to note that public sector organizations that hope to do business with the federal government — regardless of their industry — must prioritize zero trust as mandated by the EO previously mentioned. As we approach one full year since that EO has been in place, we’ll likely see more industries prioritize zero trust in the year to come.

Larger Companies Are Quicker to Adopt Zero Trust 

Responses also varied by company size. Our survey found that 73% of organizations with $50M – $1B in annual revenue agree/strongly agree about the need to adopt a zero-trust security strategy. For companies with less than $5M in revenue, that percentage dropped significantly to 45%. These numbers indicate that larger companies believe they are a top target for cybersecurity attacks and are taking the initiative to plan ahead and protect systems and information.  

Other Cybersecurity Initiatives Remain Top of Mind 

Despite lower adoption of zero trust strategies among certain industries and smaller companies, many organizations across industries still noted they would complete other cybersecurity initiatives to mitigate threats. Vulnerability scans were the most popular initiative, noted as a priority by 52% of our survey respondents, followed by penetration tests (48%) and creating business continuity and disaster recovery (BCDR) plans (42%).  

Interestingly, ISO 22301 certifications — a renowned standard for BCDR planning — were a particularly high priority for IT services organizations and manufacturing companies.

A Strategic Approach to Implementing a Zero-Trust Architecture 

Implementing a zero-trust architecture within any organization can feel like a daunting feat without the right preparation. To make this process more manageable, the experts at A-LIGN recommend a step-by-step approach.  

Before you get started, it’s important to troubleshoot possible scenarios that may occur during the implementation process. From there, plan and implement zero trust in ‘zones’ throughout your organization’s infrastructure whenever possible. This strategy will allow you to keep key business operations up and running while mitigating the chance of downtime across too many areas of your business all at once.  

With federal cloud spending at an all-time high, the government sector has become a lucrative market for technology companies. Analysis from Deltek indicates that federal agencies spent nearly $11 billion on the cloud in FY 2021, up more than 40% from the $7.6 billion spent in 2019.  

Cloud service providers (CSPs), in particular, have a significant opportunity to capitalize on this meteoric rise in federal cloud adoption. However, in order to do business with the U.S. government, such companies must achieve Authorization to Operate (ATO) status under the Federal Risk and Authorization Management Program, also known as FedRAMP.  

In the article below, you will learn:

  • Why the U.S. government is prioritizing cloud technologies  
  • The current trajectory of federal cloud spending  
  • How your business can use FedRAMP to capitalize on this trend  

The Cloud Smart Strategy (Formerly Cloud First Strategy)  

A 2017 Executive Order (EO), Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, was a major catalyst in accelerating the federal agency adoption of cloud-based solutions. It declared that agencies must “show preference in their procurement for shared IT services, to the extent permitted by law, including email, cloud, and cybersecurity services.” 

As a result, the U.S. government officially updated its Federal Cloud Computing Strategy from “Cloud First” to “Cloud Smart” in June 2019. The Cloud First strategy was more conceptual in nature and left many implementation questions unanswered. Cloud Smart, on the other hand, was designed to provide practical guidance to help agencies enhance the speed, security, and cost savings of their IT programs. A significant amount of this guidance focuses on brokering business relationships with CSPs based on the value their cloud technology provides.   

More recently, the 2021 Executive Order on Improving the Nation’s Cybersecurity mandated that the head of each government agency “update existing agency plans to prioritize resources for the adoption and use of cloud technology.” This demonstrated that the U.S. Government remains dedicated to realizing the long-term mission of Cloud Smart.  

Record-high Spending Across the Federal Cloud Market  

Government agencies are currently experiencing broader, more intense pressure to adopt cloud-based solutions than ever before. But are they acting accordingly to fulfill the promise of Cloud Smart? 

If you look at federal cloud spending data from the past few years, the answer is a resounding “yes.” As mentioned above, agencies spent an impressive $11 billion in FY 2021, outpacing several different projections from mid-2021 by an order of magnitude and suggesting that the market is growing even faster than many anticipated.  

What’s more, the total value of cloud contracts awarded by federal agencies in FY 2021 was a staggering $23.3 billion, indicating that the government is committing to long-term relationships with CSPs, offering high-value solutions for their IT needs.  

Even in the face of a looming recession, federal spending on technology has remained steady, and cloud remains a top priority that is firmly locked in the upper percentile of all federal contract spending.  

Using FedRAMP to Capitalize on the Federal Cloud Boom   

It has become abundantly clear agencies are steering their considerable purchasing power toward the adoption of cloud technologies. To streamline and standardize the security and procurement elements of the Cloud Smart strategy, the government is using FedRAMP.  

In order to do business with government agencies, CSPs must demonstrate their ability to meet federal security requirements through FedRAMP assessment, authorization, and continuous monitoring. The program resulted in a robust marketplace of vetted CSPs for agencies to choose from when evaluating their technology needs and advancing their cloud maturity.  

It’s also worth noting that the FedRAMP program continues to put a great deal of effort into making the authorization process more accessible to CSPs of all shapes and sizes. In 2018, six years into the program, there were 100 authorized products. In just a few years, that number has more than doubled to 260+ authorized products and counting.   

Best of all, agencies have a great deal of trust in the security of FedRAMP-authorized cloud solutions and are leaning heavily on vendors from the FedRAMP marketplace. According to FedScoop’s recent Federal Perceptions of Cloud Security report, federal IT leaders believe FedRAMP is the number one way to maintain security control over their agency’s strategic data, above on-prem data centers and hybrid/commercial cloud environments.  

Three Reasons CSPs Should Invest in FedRAMP Now  

Are you a CSP considering doing business with the government? Here are four reasons you should get started on FedRAMP compliance ASAP.  

The Ability to Sell to the Federal Government  

FedRAMP is mandatory for all cloud services used by government agencies. Achieving authorization will allow you to tap into the booming federal cloud market. 

Meet Multiple Government Agencies' Requirements 

A FedRAMP security authorization can be reused across multiple agencies: FY 2021 saw a 45% increase in the number of FedRAMP-authorized security packages reused by agencies, indicating that the “certify once, use many” vision of the program has become a reality.   

Differentiate with a Valuable Marketing and Sales Tool  

FedRAMP is recognized as the pinnacle of cloud security certifications, which means it can be a valuable cybersecurity proof point when you are selling to the private sector, too. A news search of “FedRAMP authorization” yields countless press releases illustrating the pride CSPs take in this compliance achievement.  

Achieve FedRAMP Authorization from a Top Assessor  

For CSPs, there is no better time to earn FedRAMP authorization than right now. The federal cloud market is soaring with no signs of slowing down, as many agencies are still in the early stages of their cloud maturity journey.  

As one of the top five FedRAMP assessors in the world, A-LIGN can help with any of your needs including advisory services or an official assessment paired with continuous monitoring.  

Have a follow-up question, or would you like to learn more about undergoing a FedRAMP assessment with A-LIGN? Reach out to one of our experienced FedRAMP specialists.  

A-LIGN’s Compliance Crosswalk podcast features discussions at the intersection of security, privacy, compliance, and risk management. On our fourth episode, hosts Blaise Wabo, Healthcare and Financial Services Knowledge Leader, Arti Lalwani, Risk Management and Privacy Knowledge Leader, and Patrick Sullivan, Vice President of Customer Success, share their thoughts and insights on A-LIGN’s 2022 Compliance Benchmark Report.   

What is the 2022 Compliance Benchmark Report? 

Our 2022 Compliance Benchmark Report offers insights into how your organization’s cybersecurity and compliance efforts stack up against other organizations across various industries.  

We surveyed more than 700 cybersecurity, IT, quality assurance, internal audit, finance, and other professionals about their compliance programs with the goal of gaining a better understanding of their organization’s position when it comes to compliance, including strengths, weaknesses, and opportunities. 

What’s Changed in the 2022 Report? 

There are common themes between the 2021 and 2022 Benchmark reports, including the fact that cybersecurity and compliance remain a top priority for organizations across industries. Compliance is still a driver for winning new business and maintaining relationships with existing customers. Therefore, obtaining (and maintaining) certain certifications is still a major motivator for growing organizations.   

However, there are noticeable differences between the reports as well. In 2021, 25% of those surveyed were using some sort of compliance software to either drive or to complete compliance assessments. But in 2022, we see close to 75% of organizations utilizing compliance software and platforms. 

Patrick Sullivan speculates that this big jump can be attributed to organizations recognizing how important cybersecurity is and how urgently they need to act on minimizing threat levels. Even with the Great Resignation forcing personnel shifts, many organizations still devoted more of their resources to developing stronger business continuity plans to prepare for disasters or security incidents.  

The Rise of Audit Fatigue 

With so many third-party assessments offered and frameworks and regulations to follow, the experts at A-LIGN caution compliance professionals to avoid “audit fatigue.”  

Too many organizations view audits as a catch-all, building strategies around the audits they complete instead of the other way around. Before registering for assessments, organizations should take a step back and look at their compliance and security frameworks as a whole. Build a compliance strategy first, then pursue audits that meet the needs of that strategy. 

“It’s possible to solve all of your problems but not have the solution you want,” Patrick explains, which is why organizations should determine what frameworks they actually need to follow before proactively pursuing them.  

Cybersecurity Concerns in 2023  

It’s not too early to start making predictions about which trends will become more prominent in the next year.  

The 2022 Benchmark Report found the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to be one of the top three compliance services organizations are looking to lean more into in the following year.  

HIPAA’s rise in popularity is a sign of the times. Following the height of the COVID-19 pandemic in 2020, the telehealth market saw a rapid rise in popularity. Organizations expanded services and brought on many third-party vendors, which unfortunately surfaced vulnerabilities and led to an increase in healthcare-related cyberthreats. 

Blaise notes the value of healthcare data as a major driver for targeted attacks. He speculates that most of the hackers nowadays are not just looking for the money but are also looking for data that has real value—and there’s no better way to do that than infiltrating healthcare systems. In fact, the value of one health record on the black market is anywhere from $650 to $2,000 per record. 

Beyond the healthcare industry, ransomware attacks are poised to become a more commonplace issue into 2023 and beyond. We’re predicting a rise in Ransomware as a Service — a practice where bad actors package ransomware into a kit. They can then sell this kit to a less sophisticated bad actor, granting that entity access to all of the tools needed to attack an organization’s network.  

How Organizations can Start Preparing Now   

While it’s hard to predict what exactly the future holds, perhaps the most important thing organizations can do is find a trusted partner to help address their cybersecurity concerns.  

“Finding a trusted partner is definitely key,” says Blaise. Both compliance and cybersecurity require certain protocols for certain types of information, and for some, this can be a sensitive topic to broach. People should feel comfortable discussing their organization’s weak points with their security provider, and establishing a strong relationship before a cyberattack occurs. 

Join Blaise Wabo and Arti Lalwani for episode five of the Compliance Crosswalk podcast, available in July.

As security tools get more innovative, so do the threat actors aiming to compromise your systems.  

Many of these bad actors have taken to recycling existing malware variants, even if it’s only making minor tweaks to make the attacks slightly different. Cybercriminals aren’t always reinventing the wheel — but it only takes the smallest of changes for a once-preventable variant to suddenly slide past your systems undetected.  

It’s important for organizations to take a proactive approach to their cybersecurity. Preventative measures like penetration tests can determine how IT systems would hold up in a real-world attack scenario, which is quite valuable given the current global threat environment. 

What Is a Penetration Test?  

Penetration tests (pen tests) are simulated cyberattacks designed to assess the cybersecurity of your organizational technologies and systems. Composed of multiple steps, this process:  

  • Tests your organization’s information security of both technologies and systems   
  • Identifies vulnerabilities in your cybersecurity posture before threat actors do  
  • Helps your organization remediate security and compliance gaps  

Pen tests are performed by ethical hackers, meaning the tests involve carrying out attacks on real systems and data using the same tools and techniques an actual attacker would. However, the information collected is not sold to malicious third-party groups, and the organization is not placed in actual danger.  

Why a Pen Test Is Needed 

As data breaches continue to dramatically increase in both depth and complexity, organizations have bolstered their lines of technological defense. But with the numerous variants of malware comes the possibility of a security incident.   

A penetration test is the best way to see if a threat actor can take advantage of any exploitable vulnerabilities. These new malware variants attempt to evade detection from common vulnerability scans. While the variants fail the majority of the time, this might not always be the case.  

With 560,000 new pieces of malware being detected every day and four companies falling victim to ransomware attacks every minute, it is easy to see how a variant can slip through the cracks. Pen testing is a good way to ensure your incident response team can minimize the amount of damage done.  

A penetration test is a good way to test an organization’s incident response team, as they can determine where lapses in protection hide without putting any sensitive information in harm’s way.  

When It Comes to Pen Testing, Focus on the Big Picture  

It is critical to know where all of the weaknesses lie in an organization’s tech stack.  

However, some may only associate these fragile points with already-discovered vulnerabilities. Organizations need to look at the bigger picture when examining their defense systems and determining risk.  

System vulnerabilities can show a lack of process, a lack of knowledge, and a lack of planning within an organization.  

For example, a penetration test can reveal deficiencies related to how a company keeps its servers updated or how it applies patches. It can also show everything from a lack of logging and monitoring to the lapses in protection that would surface if an incident were to happen.  

This is why it’s so important to start with a solid security framework — such as one from NIST — when deploying a network. This makes it easier to establish strong cybersecurity controls while also helping to manage and reduce cybersecurity risk. 

As for networks that have already been deployed, you can compare their current state to existing frameworks to determine where gaps may hide. 

Pen Testing Can Play a Role in Preventing Cyberwarfare  

Even before the Russian/Ukrainian war, Ukrainian organizations had frequently found themselves victims of cyberattacks, from phishing campaigns to malware variants.  

Earlier this year, the country narrowly avoided a serious cyberattack on its power grid. Hackers used malicious software to target one of Ukraine’s largest energy companies, trying to shut down substations. If successful, this would have caused blackouts for two million people. 

Fortunately, cybersecurity companies were able to identify and neutralize the software before the attack could do any damage, but this isn’t always the case. 

Government-targeted cyberattacks are on the rise in the United States as well. In 2020, 68% of states saw at least one of their municipalities fall victim to attack, many of them instigated by nation state actors. 

Routine pen tests (at minimum once a year) can reassure both governments and private organizations that their current safety protocols are up to date. But, for real-world protection, conducting pen tests more often will help to better protect your organization.  

Become More Proactive About Your Cybersecurity Today 

When it comes to keeping your networks secure, it’s not a matter of if a cyberattack will occur, but when.  

There’s no way of predicting when these attacks will take place, but if a security incident should happen, it’s important to have already solidified how your organization will respond. Tools like pen testing can help teams create strategies to avoid a potential disaster.  

For an extra layer of protection, organizations should consider adding a vulnerability scan to their penetration tests as well. Vulnerability scans check an organization’s network and systems for any known vulnerabilities against a database of vulnerability information. Paired alongside pen tests, organizations can more effectively enhance their security posture by taking a truly proactive approach to cybersecurity. 

A-LIGN’s OSEE, OSCE, and OSCP Certified Penetration Testers will use the latest cybersecurity tactics to ensure your organization’s critical data is protected. 

Is your organization prepared to face a cyberattack? Our Ransomware Preparedness Assessment can help you find out.  

For many businesses, the biggest challenge in obtaining a HITRUST CSF certification is having to establish policies and procedures that satisfy the HITRUST criteria, which is a requirement for the r2 Assessment. Note that policies and procedures are still required in an i1 Assessment, but without the rigorousness of the r2 Assessment as described in this blog.

While organizations focus carefully on implementing each HITRUST control requirement, I also suggest they pay close attention to their policies and procedures. Prioritizing strong HITRUST policies and procedures is crucial to passing the audit and earning a HITRUST certification.

It’s also best to create and document policies and procedures for the HITRUST CSF sooner rather than later, as they must be in place for at least 60 days prior to the audit carried out by an external assessor.

Read on to learn more about HITRUST policies and procedures, the minimum requirements for documentation, and what to do if you don’t have sufficient resources to handle such an initiative.

Understanding HITRUST Policies and Procedures

A big reason why companies often treat HITRUST policies and procedures as an afterthought is that they have existing documentation mapped to another standard (such as SOC 2 or ISO 27001) and assume they can carry over to cover HITRUST requirements. This is not the case — in fact, most of the time, an organization will have to completely rewrite their policies and procedures in order to meet HITRUST requirements.

Here are the key points to know about HITRUST policies and procedures.

What are HITRUST policies?

HITRUST policies are the rules an organization and its employees must follow in order to achieve a specific goal. According to the most recent HITRUST Assurance Advisory (2021-014), “A documented policy must specify the mandatory nature of the control requirement in a written format which could reside in a document identified as a policy, standard, directive, handbook, etc.”

HITRUST policies should contain statements from management describing how your organization plans to adhere to each HITRUST control requirement. For example, “Acme Corporation will keep up a vulnerability management program that proactively identifies and detects information security vulnerabilities, so that the business may…” (ending with the goal the company aims to achieve through vulnerability management).

What are HITRUST procedures?

HITRUST procedures provide an explanation of the “how” behind HITRUST policy implementation by describing step-by-step instructions for specific routine tasks. As per the latest HITRUST Assurance Advisory, “A documented procedure must address the operational aspects of how to perform the requirement. The procedure should be at a sufficient level of detail to enable a knowledgeable and qualified individual to perform the requirement.”

This means each of your procedures must give a detailed description of:

  • How the policy is being implemented
  • When each step of the procedure should be performed
  • Who is performing specific actions related to the procedure
  • Additional details on timing and accountability

HITRUST procedures should answer the “how” behind each policy, and provide details on the “when” and “who” where applicable. For example, the official Vulnerability Management Procedure for Acme Corporation would provide a comprehensive account of its scope and goals, key responsibilities assigned to specific roles and departments, descriptions of the various security assessments involved in the program, a schedule delineating the frequency of audits, and more.

What HITRUST Policies and Procedures Does My Organization Need to Document?

Because the HITRUST CSF is a flexible and scalable security framework that is tailored to the compliance needs of each organization, the exact policies and procedures required will depend on the scope of your assessment.

That being said, at a minimum you must have policies and procedures in place that address the 19 HITRUST control domains. Your organization must receive a maturity score of at least “3” (on a maturity level scale from 1-5) for each control domain in order to earn HITRUST r2 certification. Having strong policies and procedures in place and effectively implemented makes up the baseline of HITRUST compliance. The HITRUST CSF control domains are:

  • Information Protection Program
  • Endpoint Protection
  • Portable Media Security
  • Mobile Device Security
  • Wireless Security
  • Configuration Management
  • Vulnerability Management
  • Network Protection
  • Transmission Protection
  • Password Management
  • Access Control
  • Audit Logging and Monitoring
  • Education, Training, and Awareness
  • Third-Party Assurance
  • Incident Management
  • Business Continuity and Disaster Recovery
  • Risk Management
  • Physical and Environmental Security
  • Data Protection and Privacy

Again, to address the 19 HITRUST control domains, the information included in your documentation depends on the compliance needs of your business and the scope of your assessment. Scoping factors that determine your organization’s number of control requirements and therefore inform your policies and procedures include:

  • Company industry
  • Company size
  • Company location
  • Types of data handled
  • Data access and usage (including third parties)
  • How systems process, store, and transmit data

For example, a company with a HITRUST CSF assessment that covers 250 control requirements will have a different password management policy than a company with 450 control requirements. The latter organization may have a control that states employees must change their password every 90 days while the former organization may not have any such control.

Solving for a Resource Deficit When Designing HITRUST Policies and Procedures

After comprehending the structural nuances of the HITRUST CSF, it is very common for organizations to realize they simply don’t have the resources and/or budget required to create and document the necessary HITRUST policies and procedures from scratch.

If you are worried your organization does not have the proper resources in place, a trusted HITRUST advisor can help. Following a Readiness Assessment designed to pinpoint gaps in your organization’s environment, A-LIGN can provide comprehensive HITRUST Risk and Advisory Services that include any combination of:

  • Creation of policies and procedures
  • Documentation of policies and procedures
  • Gap remediation for policies and procedures
  • Implementation of nontechnical controls
  • Gap remediation for nontechnical controls (e.g., develop an incident response plan or BCDR plan, help conduct HIPAA training, etc.)

Our practiced guidance will accelerate your path toward HITRUST certification, saving both time and resources. Read the story of our partnership with Sandata Technologies that inspired the company’s Security Director, Michael Alcide, to say, “[A-LIGN’s] guidance throughout the entire [HITRUST] process was invaluable. They helped us understand the small nuances and specific requirements that are always changing.”

Take the Stress Out of HITRUST

It’s no secret that achieving HITRUST certification can be complex and, at times, confusing. Leverage industry experts who are deeply familiar with HITRUST (500+ assessments with a 100% successful certification rate) and your organization will be more efficient with assessment preparation, including documentation of the necessary policies and procedures.

Looking to expedite your path to HITRUST certification?

Download our HITRUST checklist now!


Price and Associates CPAs, LLC dba A-LIGN ASSURANCE is a licensed certified public accounting firm registered with the Public Company Accounting Oversight Board (PCAOB). A-LIGN Compliance and Security, Inc. dba A-LIGN is a leading cybersecurity and compliance professional services firm.

A-LIGN 2025. All rights reserved.