Quantech is an accredited Federal Risk and Authorization Management Process (FedRAMP) Third Party Assessment Organization (3PAO) company. The FedRAMP program provides a standard approach to assessing, authorizing, and monitoring cloud services for the federal government. The 3PAO provides the security expertise required to conduct a thorough and accurate assessment of the Cloud Service Providers (CSPs). Quantech’s accreditation affirms that we have the expertise and experience to provide 3PAO services in the FedRAMP program.
We provide a multitude of FedRAMP and Cloud-related services, including:
- FedRAMP 3PAO Assessment Services
- FedRAMP A&A Package Preparation & Security Testing
- Cloud Security Advisory Gap Analysis Services
- FedRAMP CONOPS Continuous Monitoring
- Cloud Security Authorization Process Training
Cloud computing has gained momentum over the past few years within the Federal Government; agencies are seeing the drastic cost and efficiency benefits of the cloud and its variety of service offerings. Security concerns have been a major reason many federal agencies have been slow to adopt it; the FedRAMP program addresses the risks and security concerns associated with cloud technology.
On December 8, 2011, the Federal Chief Information Officer issued a memo addressing the importance of security for cloud computing within the federal space. The Federal Risk and Authorization Management Program (FedRAMP) was developed to provide a cost-effective, risk-based approach for the adoption and use of cloud services within the federal space. FedRAMP sets forth guidelines and requirements for agencies and vendors to adequately assess, authorize, and monitor cloud services and products throughout their lifecycle.
FedRAMP Third Party Assessment Organization (3PAO)
FedRAMP utilizes a conformity assessment process to demonstrate that cloud computing services offered by Cloud Service Providers (CSPs) meet specified security requirements. This assessment is conducted in accordance with the latest revision of the NIST 800-53 security control standards and the additional FedRAMP controls issued by GSA. The assessment also includes ongoing validation of the CSP’s continuous monitoring solution through FedRAMP-mandated penetration tests and vulnerability scans.
FedRAMP A&A Package Preparation & Security Testing
FedRAMP requires all federal agencies and their respective Cloud Service Providers to submit documentation outlining their cloud computing capability and the security measures they have implemented. This Assessment and Authorization (A&A) process includes a Security Plan, which provides a description of the system, including, but not limited to, its purpose, location, and technical capabilities. The Security Plan also contains implementation statements addressing how the system complies with the controls listed within NIST 800-53. Alongside the Security Plan, the A&A package also includes, but is not limited to, an organizational Contingency Plan/Disaster Recovery Plan, Configuration Management Plan, Risk Assessment Report, and Security Assessment Report.
FedRAMP also requires all cloud service providers within the federal space to conduct security testing on the system to ensure that its security features function as documented within the Security Plan. These CSPs and their chosen A&A consultants are accountable for conducting the necessary technical scans and analysis, as well as the manual assessments of the NIST 800-53 security controls and the additional FedRAMP security controls. Manual control assessments consist of examining, interviewing, and testing key personnel and components to validate that the implementation statements in the Security Plan are accurate and operating as intended. All results of these tests are documented within the Security Assessment Report and the Risk Assessment Report. Every vulnerability found during testing is tracked as an item within the Plan of Action and Milestones (POA&M).
Cloud Security Advisory Gap Analysis Services
In the world of compliance, many small things are required to produce a complete and accurate package. For example, in order to conduct the testing of the NIST 800-53 controls and the FedRAMP controls, various artifacts need to be in place before the organization can validate compliance with NIST standards. Quantech’s Cyber Security Division has developed a method for conducting a gap analysis on cloud systems, derived from the definitive federal and industry guidelines and methods as well as from related experience. Our approach consists of thoroughly reviewing any current documentation in place, including policies and procedures, and aligning it with the latest FedRAMP and NIST standards.
FedRAMP CONOPS Continuous Monitoring
Quantech has established a Continuous Monitoring Program that accounts for all the repeatable processes and reporting per the FedRAMP CONOPS requirements. Standard Operating Procedures are simplified by identifying the NIST SP 800-53A validation points as well as the GSA reporting frequencies.
Cloud Security Authorization Process Training
Technology is constantly changing. Along with advances in technology come new threats, followed by guidelines on how to protect against them. FedRAMP has therefore been implemented to promote hardened, secure cloud computing systems.
Quantech has been proactive in keeping abreast of the latest technologies and the guidelines that accompany them. Quantech maintains a training curriculum that includes the latest guidance provided by NIST and FedRAMP, as well as industry best practices. This training curriculum covers all aspects of cloud security for both the private and government sectors.
The Quantech Difference:
- Trust: As a small business, we infuse our staff with an acute clarity on our core business philosophy: trust. As a security consulting organization, we stay very conscious of the ethical road and combine that with extraordinary talent and an obsession for customer satisfaction that we believe significantly sets us apart from our competition.
- Industry: Quantech has been a constant presence within the federal sector for over 15 years working on various projects. These projects include Security Architecture (for cloud and traditional networks), Forensics, Governance and Compliance, Security Operations Center (SOC) Management, and Virtualization Security. This combined experience within the various realms of security makes Quantech a very versatile company that can assist in not only select portions of your security program, but your program as a whole.
- Expertise: Quantech employees have a wide range and strong depth of skill sets. We provide multiple years of combined experience in various aspects of security. Quantech focuses on providing its customers with not just security, but business solutions.
- Credentials: Quantech maintains an A2LA-accredited ISO 17025 IT test lab; in addition, our FedRAMP team is ISO 17020 accredited by A2LA. Our personnel have extensive experience and maintain certifications such as CISSP, CCSK, VMware VCP, Certified Ethical Hacker (C|EH), and many others.
- Experienced FedRAMP 3PAO: Quantech is highly involved in vetting and researching cloud security and compliance for federal government agencies and commercial organizations. We have extensive and unique experience within the Federal Government.
- Extensive Experience in Cloud Security Architecture: Quantech has extensive expertise in Cloud architecture and Security Operations in the Cloud.
- Remote Services: Using VMware, it is possible to conduct many control validations remotely. This minimizes interruption to services and operations and provides a flexible baseline for future vulnerability assessments.