Session Presentation

Future of FedRAMP Assessments: Automating 3PAO Testing & Validation

Adam Smith

Adam Smith

Account Director, Coalfire

Jorden Foster Headshot

Jorden Foster

Senior Director, Operations Management

June 25, 2025
Future of Fed RAMP Assessmets

Session Overview

  • FedRAMP 20x
  • KSIS
  • System Design
  • Auditing Techniques

Download Full Presentation (PDF)

 

More than just a green check mark

  • Automated Assessments are a key priority for FedRAMP in the 20x program!
  • Manual control testing techniques are being phased out.
  • Automated collection and validation of KSIs are the future.

FedRAMP Key Security Indicator Evolution

Key Security Indicators

  • Cloud Native Architecture (KSI-CNA)
  • Service Configuration (KSI-SC)
  • Identity and Access Management (KSI IAM)
  • Monitoring, Logging, and Auditing (KSI-MLA)
  • Change Management (KSI-CM)
  • Policy and Inventory (KSI-PI)
  • Third Party Information Resources (KSI-3IR)
  • Cybersecurity Education (KSI-CE)
  • Incident Response (KSI-IR)

NIST Control References

  • SC-5, SC-7, SC-12, SC-39, SR-12
  • CM-2, CM-4, CM-8, IA-7, RA-7, SC-8, SC-8 (1), SC-13, SC-28, SC-28 (1), SI-3, SI-4
  • AC-2, AC-3, AU-9, AC-14, IA-2, IA-2 (1), IA-2 (2), IA-2 (8), IA-2 (12), IA-4, IA-5, IA-5 (1), IA-6, IA-8, IA-8 (1),IA-8 (2), IA-8 (4), IA-11, PS-2, PS-3, PS-4, PS-5, PS-7, PS-9
  • AC-7, AU-2, AU-3, AU-4, AU-8, AU-11, AU-12, RA-5, SI-2
  • CM-6, CM-7, CM-10, CM-11
  • AC-1, AU-1, CA-1, CM-1, CM-8, CP-1, IA-1, IR-1, PL-1, PL-2, PS-1, RA-1, SA-1, SA-2, SA-3, SA-5, SA-8, SC-1, SI-1, SR-1
  • AC-2, AC-20, AC-23, CA-3, CA-9, RA-3 (1), SA-4, SA-9, SA-22, SI-5, SR-2, SR-2 (1), SR-3, SR-5, SR-8, SR-10, SR-11, SR-11 (2)
  • AT-2, AT-3, AT-6
  • CP-2, CP-4, CP-9, CP-10, IR-4, IR-5, IR-6, IR-7, IR-8, PS-8, RA-3, RA-5 (2), RA-5 (11)

Applying KSI automation to complex systems

  • Customer Responsibility
    • User Interface
    • Application Code
  • Shared Responsibility
    • Serverless Computing
    • Managed Databases
    • Container Orchestration Tools
    • Compute Instances
  • Hosting Service Responsibility
    • Infrastructure as a Service

What are the key foundations for testing evidence?

  • Complete
  • Accurate
  • Timely

With the consideration that Exceptions may be necessary!

Completeness

  1. Do we have the correct set of requirements to validate against?
  2. What technologies need to be evaluated?
  3. What population should be used to verify the requirements?

Identify Assets

Integrations

  • 11 Connected integrations
  • AWS
  • Checkr
  • Cloudflare
  • Crowdstrike
  • Deel
  • Github
  • Google Workspace
  • Kandji
  • Rippling
  • Vercel

Verify Coverage

Asset inventory

  • Computers
  • Cloud resources
  • Repositories
  • Tickets

Accuracy

  1. What configurations were tested?
  2. How do we verify that the test is reporting as expected?

Timeliness

  1. When was the data pulled?
  2. How often should the data be verified again?

Exceptions

  1. How do we address automation gaps?
  2. How do we report those in a machine-readable format?

Manual Testing Exceptions

Connected Documentation

PCI Community Meeting 2025

Join us at the PCI Community Meeting September 16-18, where Coalfire will be showcasing our latest advancements in cybersecurity and compliance. 

Learn more