<Information System Name>, <Date>

System Security Plan

<Information System Name>, <Date>

DoD FedRAMP+ Readiness Assessment Report (RAR)

<CSP Name or Logo>

<System Name>

Version 1.0

<Date>

Company Sensitive and Proprietary

For Authorized Use Only

Information System Name> DoD FedRAMP+ Readiness Assessment Report <Date>

Third Party Assessment Organization (3PAO) Attestation

An Accredited 3PAO must attest to the readiness of the Cloud Service Provider’s (CSP) system. To be considered DoD CC SRG Ready, the CSP must meet all of the requirements in Section 5.1, Federal and DoD Mandates, as well as Section 5.2, DoD CC SRG Requirements. The 3PAO must use its expert judgment to subjectively and independently evaluate the CSP’s overall readiness and factor this evaluation into its attestation.

[3PAO name] attests that fully qualified assessors with expert knowledge in the FedRAMP and DoD Cloud Computing Security Requirements Guide requirements have fully and independently assessed [CSP name and system name]’s readiness to meet the DoD Cloud Computing Security Requirements guide Information Impact Level [4 or 5] requirements as described in this FedRAMP+ Readiness Assessment Report. [3PAO name] recommends that the DISA Cloud Support Services Office (CSSO)
[grant [CSP system name] “DoD FedRAMP+-Ready” status; or grant [CSP system name] “DoD FedRAMP+-Ready” status upon completion on the actions outlined in this report]
This attestation is based on [3PAO name]’s 3PAO Accreditation by the American Association of Laboratory Accreditation (A2LA), FedRAMP, DoD and the experience and knowledge of the assessors regarding the DoD CC SRG requirements, and knowledge of industry cybersecurity best practices.
This DoD FedRAMP+ Readiness Assessment Report was created in alignment with the DoD CC SRG requirements and guidance. While this report only contains summary information regarding a CSP’s ability to meet the DoD CC SRG requirements, it is based on [3PAO name]’s evaluation of [CSP name and system name] which included observations, evidence reviews, personnel interviews, and demonstrated capabilities of security implementations.
Lead Assessor’s Signature: X______Date: ______
Lead Assessor’s Name
3PAO Name

Executive Summary

In the space below, provide a one-paragraph description of the 3PAO’s view of the system that includes all the information provided in Table 3-1, System Information.

In the space below, provide up to four paragraphs that summarize the information provided in Sections 5.1, 5.2, and 5.3, based on the 3PAO’s cybersecurity expertise and knowledge of FedRAMP and the DoD Cloud Computing Security Requirements Guide (DoD CC SRG) including notable strengths, weaknesses, and other areas for consideration. The 3PAO should demonstrate expertise and knowledge and not simply copy CSP materials.

The 3PAOs should consider the following when evaluating a CSP’s overall readiness:

·  Overall alignment with the National Institute of Science and Technology (NIST) definition of cloud computing according to NIST SP 800-145.

·  Overall understanding and alignment with the DoD needs and methods for completing missions as reflected in the DoD CC SRG

·  Notable strengths and weaknesses.

·  Ability to consistently maintain a clearly defined system boundary.

·  Clearly defined customer responsibilities.

·  Unique or alternative implementations.

·  CSP capability and culture for maintaining security in the CSO.

·  Overall maturity level relative to the system type, size, and complexity.

Table of Contents

Third Party Assessment Organization (3PAO) Attestation i

Executive Summary ii

1. Introduction 1

1.1. Purpose 1

1.2. Outcomes 1

1.3. DoD FedRAMP+ Approach and Use of This Document 1

2. General Guidance and Instructions 2

2.1. Embedded Document Guidance 2

2.2. Additional Instructions to 3PAOs 2

3. DoD Sponsorship and Advocacy 3

4. CSP System Information 3

4.1. Relationship to Other CSO(s) 4

4.2. Authorization Boundary and Data Flow Diagrams 4

4.2.1. Authorization Boundary 4

4.2.1.1. Boundary Exclusions 4

4.2.2. Data Flow Diagrams 5

4.2.3. Separation Measures 5

4.3. System Interconnections 5

5. Capability Readiness 6

5.1. Federal and DoD Mandates 6

5.2. DoD FedRAMP+ Requirements 6

5.2.1. Approved Cryptographic Modules [SC-13] 7

5.2.2. Transport Layer Security [NIST SP 800-52, Revision 1] 7

5.2.3. Identification and Authentication, Authorization, and Access Control 8

5.2.4. Audit, Alerting, Malware, and Incident Response 9

5.2.5. Contingency Planning and Disaster Recovery 11

5.2.6. Configuration and Risk Management 12

5.2.7. Data Center Security 13

5.2.8. Policies, Procedures, and Training 13

5.3. Additional Capability Information 17

5.3.1. Staffing Levels 17

5.3.2. Change Management Maturity 17

5.3.3. Vendor Dependencies and Teaming Agreements 17

5.3.4. Continuous Monitoring (ConMon) Capabilities 18

5.3.5. Status of System Security Plan (SSP) 19

List of Tables

Table 3-1. DoD Sponsorship 3

Table 4-1. System Information 3

Table 4-2. Relationship to Other CSP 4

Table 4-3. System Interconnections 5

Table 4-4. Interconnection Security Agreements (ISAs) 6

Table 5-1. Federal and DoD Mandates 6

Table 5-2. Cryptographic Modules 7

Table 5-3. Transport Layer Security 7

Table 5-4. Identification and Authentication, Authorization, and Access Control 8

Table 5-5. Audit, Alerting, Malware, and Incident Response 9

Table 5-6. Contingency Planning and Disaster Recovery 11

Table 5-7. Configuration and Risk Management 12

Table 5-8. Data Center Security 13

Table 5-9. Policies and Procedures 14

Table 5-10. Missing Policy and Procedure Elements 15

Table 5-11. Security Awareness Training 15

Table 5-12. Personnel 16

Table 5-13 Staffing Levels 17

Table 5-14. Change Management 17

Table 5-14. Vendor Dependencies and Teaming Agreements 17

Table 5-15. Vendor Dependency Details 18

Table 5-16. Teaming Agreements Details 18

Table 5-17. Continuous Monitoring Capabilities 18

Table 5-18. Continuous Monitoring Capabilities – Additional Details 19

Table 5-19. Maturity of the System Security Plan 19

Table 5-20. Controls Designated “Not Applicable” 19

Table 5-21. Controls with an Alternative Implementation 19

15

Information System Name> DoD FedRAMP+ Readiness Assessment Report <Date>

1.  Introduction

1.1.  Purpose

This report and its underlying assessment are intended to enable the DoD to reach a DoD FedRAMP+-Ready decision for a specific Cloud Service Provider’s (CSP) system based on organizational processes and the security capabilities of the system. The DoD grants a DoD FedRAMP+-Ready designation when the information in this report indicates the CSP is likely to achieve a DISA AO Provisional (PA) without significant conditions or caveats.

1.2.  Outcomes

A Third Party Assessment Organization (3PAO) should only submit this report to if it determines the CSP’s system is likely to achieve a DoD PA. The 3PAO may submit the report with recommended conditions before the DOD FEDRAMP+-Readiness should be granted if those conditions are minor and achievable before moving forward. Submission of this report by the 3PAO does not guarantee a DoD FedRAMP+-Ready designation nor does it guarantee a DoD Provisional Authorization.

1.3.  DoD FedRAMP+ Approach and Use of This Document

The Readiness Assessment Report (RAR) identifies clear and objective security capability requirements where possible, while also allowing for the presentation of more subjective information. The clear and objective requirements enable the 3PAO to concisely identify whether a CSP is achieving the DoD CC SRG requirements in addition to the FedRAMP Moderate baseline requirements. The combination of objective requirements and subjective information enables the DISA Cloud Support Services Office (CSSO) to render a readiness decision based on a more complete understanding of the CSP’s security capabilities.

Section 5, Capability Readiness is organized into three sections:

·  Section 5.1, Federal and DoD Mandates, identifies a set of the mandates a CSP must satisfy.

·  Section 5.2, DoD FedRAMP+ Requirements, identifies an excerpt of the most compelling requirements from the FedRAMP baseline and DoD FEDRAMP+ CC SRG . A CSP is unlikely to achieve a DoD Provisional Authorization if any of these requirements are not met.

·  Section 5.3, Additional Capability Information, identifies additional information that is not tied to specific requirements, yet has typically reflected strongly on a CSP’s ability to achieve a FedRAMP or DoD Provisional Authorization.

2.  General Guidance and Instructions

2.1.  Embedded Document Guidance

This document contains embedded guidance intended to instruct the 3PAO on the completion of each section. This guidance ensures the DISA Cloud Support Services Office (CSSO) receives all the information necessary to render a DoD FedRAMP+-Ready decision.

The guidance text is in grey and should be removed after the report is fully developed, but before it is submitted to the DISA Cloud Support Services Office (CSSO).

2.2.  Additional Instructions to 3PAOs

The 3PAO must adhere to the following instructions when preparing the RAR:

1.  The RAR must provide:

a.  An overview of the system.

b.  A subjective summary of the CSP’s overall readiness, including rationale such as notable strengths and other areas for consideration.

c.  An assessment of the CSP’s ability to meet the Federal and DoD Mandates identified in Section 5.1, the DoD FedRAMP+ Requirements identified in Section 5.2, and Additional Capabilities identified in Section 5.3.

d.  The 3PAO’s attestation to the independence, expertise and thoroughness of the analysis to determine the CSP’s readiness to meet FedRAMP and DoD FedRAMP+ requirements.

e.  The 3PAO’s attestation the CSP’s readiness to meet FedRAMP and DoD FedRAMP+ requirements.

2.  The DISA Cloud Support Services Office (CSSO) will not consider a CSP for a DoD FedRAMP+-Ready designation unless all the requirements in Section 5.1, Federal and DoD Mandates, are met. Please note, meeting these requirements does not guarantee a DoD FedRAMP+-Ready designation.

3.  The 3PAO must assess the system’s technical, management, and operational capabilities using a combination of methods, including interview, observation, demonstration, inspection, and onsite visits (e.g., in-person interviews and data center visits as needed). The 3PAO may use CSP-provided diagrams, but must validate the diagrams as though the 3PAO created the diagrams. The 3PAO must not conduct this readiness assessment exclusively by reviewing a CSP’s written documentation and performing interviews. Active validation of all information provided within this report is required.

4.  The 3PAO must complete all sections and answer all capability questions unless otherwise specified. If a capability is partially or fully inherited, answer “yes” and provide an independent analysis of how the CSP uses those inherited services and any CSP responsibilities implemented. .

5.  Control references are provided with each of the questions in Section 5.2, DoD FedRAMP+ Requirements. These are provided to help the 3PAO understand the basis for each question; however, the 3PAO is expected to consider all relevant FedRAMP and DoD security controls and capabilities when assessing the CSP’s capabilities.

6.  The DoD believes a typical level of effort for conducting a FedRAMP plus DoD FedRAMP+ readiness assessment for mid-size, straightforward, and fully prepared systems to be four to six weeks, with the first half focused on information gathering and the second half focused on analysis and report development.

3.  DoD Sponsorship and Advocacy

Table 3-1. DoD Sponsorship

DoD Organization(s) currently using or committed to use the CSO: / Point of Contact Information:
DoD Organizations(s) sponsoring NIPRNet connection: / Point of Contact Information:
DoD Organizations(s) providing resources to complete validation activities: / Point of Contact Information:

4.  CSP System Information

Table 4-1. System Information

CSP Name:
CSO (System) Name:
Service Model: (IaaS, PaaS, SaaS)
FIPS PUB 199 System Security Level: (Low, Moderate or High)
CNSS 1253 Impact Level : (Confidentiality, Integrity and Availability ratings - Low, Moderate or High each)
DoD CC SRG Information Impact Level: (Level 4 or Level 5)
Deployment Model: Is the service a Public Cloud, Government-Only Cloud, Federal Government-Only Cloud, or DOD Cloud?
Types of DoD information supported: Summarize for the purposes of determining whether Level 4 or Level 5 is appropriate (e.g. CUI, NSS, Privacy data, etc.)
System Functionality: Briefly describe the functionality of the system and service being provided.
Required Customer inclusion: Briefly describe any software, hardware, application or other requirement that a DoD customer would need to include in their boundary in order to use the CSO
Previous FedRAMP or DoD authorizations: Briefly describe, including organization and points of contact, any FedRAMP JAB, Agency ATOs, previous DoD Provisional Authorizations issued for this CSO that can be leveraged in this assessment

4.1.  Relationship to Other CSO(s)

If this system resides within another system or is inheriting any security capabilities from another system, please provide the relevant details below. Please note that this could be any system outside the boundary or control of this CSO so may be another system within the CSP’s organization

Table 4-2. Relationship to Other CSP

Question / Yes / No / N/A / If Yes, please describe.
Is this system leveraging any underlying service offering or services? / (If “yes”, identify the underlying system(s). If “no”, the following questions in this table are “N/A”)
If “yes”, does the leveraged system have a DoD CC SRG provisional authorization? / (If “yes”, identify any PA information such as the name, PA date, CC SRG level of the leveraged systems, etc. )
If the leveraged system does not have a DoD CC SRG PA, does it have a JAB P-ATO or an Agency ATO? / (Identify any Agency ATOs and indicate which are FedRAMP Agency ATOs)

4.2.  Authorization Boundary and Data Flow Diagrams

IMPORTANT: Ensuring authorization boundary accuracy in the RAR is critical to FedRAMP authorization activities. Inaccuracies within the RAR may give authorizing officials and FedRAMP grounds for removing a vendor from assessment and authorization activities.

The 3PAO must perform full authorization boundary validation for the RAR; must ensure nothing is missing from the CSP-identified boundary, and ensure all included items are actually present and are part of the system inventory. This must include the boundary interfaces to the NIPRNet and the associated DoD Cloud Access Point(s). To achieve this, the 3PAO must perform activities including, but not limited to, discovery scans and in person interviews and physical inspections where appropriate.

4.2.1.  Authorization Boundary

Insert 3PAO-validated network and architecture diagram(s, in compliance with the requirement for a security architecture in security control PL-8(1). The 3PAO must ensure each diagram:

·  includes a clearly defined authorization boundary;

·  clearly defines services wholly within the boundary;

·  depicts all major components or groups within the boundary;

·  identifies all interconnected systems, including the DoD Cloud Access Point;