It was once said that “the wise adapt themselves to circumstances, as water molds itself to the pitcher.” In these first few months of 2020, we have all seen and been intimately part of a fundamental shift across the globe that has forced everyone to do just that— adjust. Nearly every industry has been forced to scale processes and suddenly adapt business models to maintain their foothold in an ever-changing landscape thrown off by COVID-19, and FedRAMP is no different. But at Schellman, our FedRAMP 3PAO assessment process—designed from its inception to be highly adaptable— was ready for such a moment.
As most have now been forced to move to a remote model in the workplace—at least in the near-term—the idea of conducting business as usual has also been forced to accommodate. At Schellman, however, we’ve always operated under a mostly remote model, and because of that, we’ve been able to remain consistent for our clients as they too have made the pioneering shift to something similar during these unconventional times. And while we certainly can’t replicate the value or efficiency of in-person or onsite assessments, we do still see an upside to how our business has adjusted—we’re connecting more.
"we at Schellman believe these different, more personal touches are doing great things to spark collaboration within our client teams that will strengthen our relationships in the long run"
Through the use of web-based video conferencing tools like Zoom that are now essential to business workings everywhere, we are all getting to see a much more personal side of each other— clients and colleagues alike. No longer are we meeting in large conference rooms where the greatest insight we have into each other’s lives is a favorite sports team emblazoned on a coffee mug or brightly colored stickers adorning laptop lids. Instead, we are all working from our homes, and this is giving us a new, much more personal look into each other’s lives. Green screens and virtual backgrounds aside, we now have a view into personally decorated walls, dogs that are barking in the background, and children laughing. As we all continue to navigate this remote world that is new for some, we are also “coming to work” dressed in a more relaxed manner—and we at Schellman believe these different, more personal touches are doing great things to spark collaboration within our client teams that will strengthen our relationships in the long run.
Because our FedRAMP 3PAO personnel were already working fairly remotely, most of that methodology hasn’t changed, including the development of the key deliverables required as part of the FedRAMP process. The Security Assessment Plan (SAP) and Security Assessment Report (SAR) procedures also haven’t changed, as these are largely a remote effort anyway due to the amount of time that goes into translating the details from our control walkthroughs into the necessary templates. Furthermore, penetration tests and vulnerability scan analysis continue to be highly coordinated, mostly remote efforts with our clients given the nature of testing required and the fact that these assessments are not always performed during regular business hours. While these are only a few examples, this is how we originally designed our process, and Schellman has been performing these activities in this way for some time now.
For us, what has changed is the way we conduct our remote procedures as noted in the graphic above. For now, these elements of our process which were formerly performed onsite have shifted to virtual models. As we eventually navigate through this unprecedented world situation, it is suspected that FedRAMP governing bodies will then lift the temporary relaxation of the onsite component of this process, and these assessments will return at least somewhat to normal. Still, there are two key elements of the FedRAMP lifecycle that have changed for now:
- Onsite In-Person Control Walkthroughs
An important aspect, as it is critical to the ultimate decision of whether to recommend FedRAMP authorization, our process for conducting onsite in-person control walkthroughs with our clients to review their controls and document our understanding has shifted to a fully virtual model. As noted above, while somewhat less efficient than sitting in a room together, technology allows us to review network diagrams, data flows, and virtually observe control data much as we would “shoulder surfing” an administrator while demonstrating multi-factor authentication or an engineer while confirming use of FIPS validated modules for encryption. Sure, it takes care and planning and sensitivity to determine what can or must be retained for audit working papers, but it does work. Even more helpful are the now video-based observations of data centers and secure rooms that we have conducted, as we now have more of an understanding regarding the challenges and nuances of performing those.
- PMO/JAB/Agency Review Meetings
The other most significant change is the move to remote meetings for interactions with the FedRAMP Program Management Office (PMO), Joint Authorization Board (JAB) and/or Sponsoring Agencies. These meetings are traditionally performed onsite at the General Services Administration (GSA) or another building; however, all related meetings are now remote.
Despite these changes, please rest assured that there has been minimal impact to Schellman’s FedRAMP audit process. While we may now be testing the limits of Zoom and related technology to stay connected multiple times throughout the day, we’ve had the tools and technology in place to support this temporary shift for a long time. And as nice as it has been to not have to be dealing with the beltway traffic as part of a regular commute, we do look forward to the next day of water cooler talk at a client site after society as a whole has emerged from this pandemic together.
About the Author
Stephen Halbrook is a Managing Principal at Schellman. He is an experienced and proven federal practice leader performing service delivery management across service lines including FedRAMP, NIST, SOC, PCI DSS and ISO. Stephen also helps assist large and complex organizations that have multiple compliances needs helping them strategically align their efforts to maximize cost and efficiencies. He has more than 15 years of experience in the assessment industry and started his career working in Deloitte’s Advisory practice.
More Content by Stephen Halbrook