FedRAMP® 3PAO Assessment Services

Achieve FedRAMP ATO to access new markets

Demonstrate CSP FedRAMP authorization


An experienced partner can streamline your ATO

FedRAMP empowers agencies to confidently use modern cloud technologies, emphasizing security and the protection of federal information. Achieving a FedRAMP authorization is challenging, costly, and time consuming: the rigorous security standards, extensive documentation, and thorough third-party assessments require a notable financial and time investment, as well as federal agency sponsorship. Coalfire®, a market leader as a FedRAMP Third Party Assessment Organization (3PAO), provides expert-led services including security control assessments, vulnerability scans, and penetration testing to help Cloud Service Providers (CSPs) successfully expand into federal markets.

FedRAMP 3PAO Assessment Services

FedRAMP Readiness Assessment

The Coalfire assessment team conducts an in-depth review of the authorization boundary to ensure accurate representation of all external services, interconnections, and data flows. 

This process includes the validation of federal mandates and requirements, along with the definition of capability information within the Readiness Assessment Report (RAR) template. The RAR includes a detailed executive summary that highlights notable strengths and weaknesses, control implementations, and the overall maturity of the information system.

FedRAMP Initial Assessment

The Coalfire assessment team creates a Security Assessment Plan (SAP) that outlines how the assessment will be conducted and the timeline for key milestones. 

The initial assessment process covers all baseline security controls for the system’s security impact level. The assessment includes technical interviews to validate control implementations and identifies any risks discovered through manual control testing, vulnerability scanning, and penetration testing.

The team produces a comprehensive Security Assessment Report (SAR) that details any identified risks, the impact of the risks on the information system, and the necessary remediation activities to reduce or mitigate the risks. 

Submission to Obtain an ATO

The Coalfire team performs all testing in accordance with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations.

Coalfire documents the results in a SAR. Once the SAR is completed, Coalfire submits it to the agency sponsor and the FedRAMP Program Management Office (PMO) for their review and to obtain an ATO. Throughout the sponsor and PMO package review process, the reviewer requests additional information to clarify testing activities, remediation steps, and insights on any gaps noted.

FedRAMP Annual Assessment

Assistance is provided for preparation of the annual assessment prior to the ATO deadline. 

The annual assessment process includes the assessment of approximately one-third of the required security controls, plus any additional controls required by the agency sponsor or FedRAMP PMO. The assessment includes manual control testing, vulnerability scanning, and penetration testing.

Maintaining an ATO

To maintain a FedRAMP ATO, CSPs should monitor the security control environment, assess it on a regular basis, and demonstrate that the service offering’s security posture remains acceptable.

Ongoing assessment to maintain authorization provides federal agencies using cloud services with a method for detecting changes to the system’s security posture and making risk-based decisions. 

Additional Federal Assessments

Coalfire can help you with the following assessments as individual assessments or in tandem with FedRAMP assessments: 

Department of Defense Risk Management Framework (DoD RMF): Our DoD RMF certification and accreditation service assesses your information systems to DoD RMF standards.

NIST SP 800-53 assessment: Assess, test, and review your information systems with our in-depth testing and assessment capabilities.

International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR): Our ITAR and EAR assessment services help you navigate the cybersecurity aspect of the export control compliance process.

NIST SP 800-171 assessment: We provide assessment services designed to help you navigate the compliance process for the FAR (Federal Acquisition Regulation) and DFARS (Defense Federal Acquisition Regulation Supplement) cybersecurity contract obligations. We also assess security controls and contract obligation compliance and ensure continuous compliance monitoring for providers that store, process and transmit Controlled Unclassified Information (CUI).

Drug Enforcement Administration (DEA) Electronic Prescriptions for Controlled Substances (EPCS): Every two years, providers and pharmacies must undergo a third-party audit of their electronic prescription or pharmacy management applications to achieve DEA EPCS certification. Rely on our auditing program for your EPCS assessment and certification.

FedRAMP Pen Testing

Coalfire leads the industry in cybersecurity by excelling in both FedRAMP penetration testing of all six attack vectors (external to corporate, external to CSP target system, tenant to CSP management system, tenant to tenant, mobile application to target system, and client-side application and/or agents to target system) and in the advanced red team assessments now required by FedRAMP Revision 5. 

We are renowned for our expert ability to rigorously evaluate and strengthen systems against a wide range of potential vulnerabilities, meeting FedRAMP’s stringent standards. 

Coalfire’s comprehensive approach to red teaming involves simulating sophisticated adversarial attacks to uncover and address hidden weaknesses, ensuring that our clients' defenses are robust and resilient. By combining meticulous penetration testing with dynamic red team operations, we not only help our clients achieve and maintain federal compliance but also significantly enhance their overall cybersecurity posture, reinforcing our position as a leader in the field.

We help CSPs accelerate their FedRAMP ATO

People + Tech

The Coalfire FedRAMP portfolio is supported by experienced audit and assessment teams, ensuring compliance and control interpretation for hundreds of major cloud service providers.

700+ CSPs work with Coalfire

75% of all FedRAMP authorizations are from Coalfire

People

Our FedRAMP certified auditors and penetration testers are active contributors to the 3PAO Special Interest Group, key FedRAMP PMO initiatives, and the American Council for Technology and Industry Advisory Council (ACT-IAC) FedRAMP working group. 

Platform

We can help you coordinate assessments across more than 75 compliance frameworks using our Compliance Essentials compliance automation platform.

Outcome

Expand your presence in the security-first federal marketplace by working with a 3PAO market leader and a platform for compliance automation. 
