FedRAMP Assessment & Advisory Services

Cloud Service Providers (CSPs) interested in serving federal organizations must meet rigorous government-mandated security requirements as part of the Federal Risk and Authorization Management Program (FedRAMP).

To demonstrate that they meet these standards, CSPs must be assessed by an accredited Third Party Assessment Organization (3PAO) before they can receive an Authorization to Operate (ATO), either an agency ATO or a Joint Authorization Board Provisional ATO (P-ATO), and begin providing cloud services to federal customers. Over 300 security controls, thousands of pages of documentation, and a rigorous independent assessment make up the challenging path to a cloud service authorization.

Selecting an experienced and proven 3PAO is critical to gaining an ATO efficiently. That is why so many CSPs turn to Kratos to prepare for FedRAMP or to conduct a formal 3PAO assessment. Kratos is an accredited FedRAMP 3PAO, recognized under the FedRAMP program (administered by the U.S. General Services Administration, GSA) to perform security assessments of CSPs, and has performed extensive information security work with industry-leading CSPs. View our FedRAMP assessor page for more information.

Kratos provides FedRAMP advisory and assessment services for public, private, community, and hybrid cloud service offerings, including: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). We work with CSPs to ensure their readiness to proceed with the 3PAO assessment process, as well as to conduct the actual assessments to secure the cloud with confidence.

Advisory Support

Kratos provides comprehensive gap analysis, FedRAMP authorization package development, and assessment services to federal government and commercial organizations.

FedRAMP Business Analysis – Kratos will assist the CSP in determining whether it is logical and feasible to pursue and achieve FedRAMP authorization. The key to a successful FedRAMP program is ensuring that authorization aligns with the CSP's business goals and drivers. Kratos will work with the CSP to determine the optimal approach to achieving FedRAMP authorization in the context of both short- and long-term business goals.

FedRAMP Architecture and Boundary Review – Kratos will review the existing system architecture for alignment with FedRAMP requirements. The FedRAMP authorization boundary defines the context and scope for the entire FedRAMP process, so Kratos will identify potential issues (and solutions) with the architecture, with third-party services the system relies on, and with shared corporate resources, and will assist in developing an Authorization Boundary diagram that satisfies FedRAMP requirements.

FedRAMP Gap Analysis – Kratos will provide a gap analysis that identifies potential areas of non-compliance, including deficient or missing controls that could result in a failure to meet FedRAMP requirements. The analysis provides a detailed breakdown of each identified gap, the type of remediation necessary (e.g., engineering or procedural), and recommendations for closing it.

FedRAMP Implementation Support – Kratos can provide both strategic and tactical consulting to support the CSP's path to FedRAMP authorization. This includes advice on navigating the FedRAMP process as well as specific recommendations on how to address architectural or procedural control requirements.

FedRAMP Authorization Package Development – FedRAMP has a daunting set of documentation requirements. Kratos can develop, or assist in creating, the CSP's authorization package, including the System Security Plan (SSP), which describes how every FedRAMP control requirement is implemented, along with the required policies, procedures, and SSP attachments.

Assessment & Authorization (A&A)

Kratos is one of the most experienced and sought-after accredited FedRAMP 3PAOs, with a proven track record of success and partnership with CSPs. Kratos FedRAMP assessment services include Readiness Assessments, Initial (full control set) and Annual (control subset) Security Assessments, and Significant Change (control subset) Assessments. Although Kratos is an independent assessor, the goal of an engagement is not to be adversarial but to help the CSP achieve its authorization and, ultimately, its business goals.

FedRAMP Assessment – Kratos provides high-quality, efficient FedRAMP assessments and manages the process from kickoff through authorization (i.e., agency ATO, FedRAMP PMO review, and Continuous Monitoring). Kratos works with the CSP to minimize disruption to normal business operations and helps ensure the overall assessment strategy aligns with the CSP's business goals.

FedRAMP Continuous Monitoring

The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) has issued Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, and the FedRAMP PMO has published guidance reinforcing the Directive's requirements for CSPs. The Kratos Continuous Monitoring (ConMon) service can help you stay on top of these requirements.

Kratos also provides continuous monitoring services to help CSPs maintain their FedRAMP ATO. Ongoing continuous monitoring services can be provided on a quarterly, annual, or three- or five-year basis to satisfy FedRAMP requirements.

Continuous monitoring also includes activities that FedRAMP requires to be performed by a 3PAO, such as assessing a subset of controls, performing penetration testing, and scanning operating systems and infrastructure, web applications, and databases on an annual basis.

FedRAMP Authorization Act

Kratos Commends Congress and Administration for Passage of the FedRAMP Authorization Act as included in the National Defense Authorization Act (NDAA)


FedRAMP Rev 4 to 5
DS-410 FedRAMP Rev 4 to 5 What You Need to Know

What you need to know about the transition from FedRAMP Rev 4 to Rev 5, including timeline and applicability information.


Contact Us

14130 Sullyfield Cir
Chantilly, VA 20151
Phone: (719) 598-2801