    FedRAMP Assessment Service Offerings

    Booz Allen Hamilton, a leading strategy and technology consulting firm, is the first accredited 3PAO that is ISO/IEC 17020 compliant. We leverage our vast cybersecurity knowledge base and experience to streamline the security risk assessment process. We offer a comprehensive suite of 3PAO services to assist CSPs in successfully navigating the FedRAMP certification process, which includes: Assessment Services (3PAO Assessments, Readiness Assessments, DoD IL4, IL5 and IL6 Assessments) and Consulting Services (Security Package Preparation, Gap Assessment/Remediation Services and Continuous Monitoring Services).

    Overview

    3PAO Security Risk Assessment

    For CSPs seeking a 3PAO for FedRAMP authorization, we conduct an independent security assessment using FedRAMP-provided templates (e.g., Security Assessment Plan (SAP), Security Assessment Report (SAR), and Risk Exposure Table (RET)). We evaluate the CSP’s compliance with FedRAMP security requirements by performing a detailed review of documentation, conducting vulnerability scans, and performing a penetration test. The primary deliverables are a completed SAP, SAR, and test results that are reported in compliance with FedRAMP and ISO standards.

    FedRAMP Readiness Assessment

    For CSPs looking to become FedRAMP Ready, we offer a FedRAMP readiness assessment to determine if the CSP is prepared for a full FedRAMP assessment. We review the CSP's security documentation, evaluate the implementation of security controls, and identify any gaps or areas needing improvement. We produce a Readiness Assessment Report (RAR), which outlines the CSP's compliance status and readiness for the full FedRAMP assessment. This report helps the CSP address deficiencies and ensures they meet initial FedRAMP requirements before undergoing a comprehensive security evaluation.

    DoD IL4, IL5 and IL6 Assessment

    For CSPs seeking a Department of Defense (DoD) Impact Level (IL4-IL6) authorization through the Defense Information Systems Agency (DISA) Provisional Authorization (PA) process, we conduct a thorough evaluation of the CSP’s security controls, ensuring they meet DoD IL requirements. This involves reviewing documentation, performing vulnerability scans, and conducting penetration tests. We compile our findings into a Security Assessment Report (SAR), which is submitted to DISA. The SAR helps DISA's Authorizing Official (AO) determine whether to grant the CSP a Provisional Authorization.

    FedRAMP Consulting Services

    FedRAMP Security Package Development

    For CSPs that have already decided to pursue a FedRAMP accreditation, we guide CSPs through the development and documentation of their security package. This includes helping the CSP understand FedRAMP requirements, implementing necessary security controls, and creating comprehensive documentation, such as the System Security Plan (SSP), policies, and procedures. Quality and completeness of documentation are essential to a streamlined accreditation process. Our team of experts will work with your subject matter experts to collect, consolidate, and articulate technical information to properly report control compliance. The primary deliverable is a completed set of required FedRAMP security documentation.

    Gap Assessment/Remediation Services

    We’ll conduct a gap analysis of a cloud solution’s compliance and risk posture relative to FedRAMP NIST 800-53 rev. 5 controls to provide risk-based recommendations to facilitate FedRAMP compliance. The primary deliverable is a gap report containing an identified list of deficiencies and recommended mitigations. For CSPs remediating system vulnerabilities, we provide cybersecurity IT project management and technical services to ensure on-time and on-budget implementation of remediation efforts. Our experts manage and execute projects to mitigate vulnerabilities that are inhibiting FedRAMP compliance. The primary deliverable for remediation is a FedRAMP-compliant cloud solution.

    Continuous Monitoring Services

    For accredited CSPs, we offer annual security assessments. We perform an abbreviated security risk assessment based on significant changes to the system’s configuration baseline. Other services include annual penetration testing and vulnerability scanning of operating systems/infrastructure, databases, containers and web applications. Primary deliverables include an updated SAR, monthly vulnerability scan findings and a monthly continuous monitoring report.

    Highlights

    • Proven Corporate Experience - The Booz Allen Commercial business specializes in advanced cyber defense and tackling the most critical cyber issues. In combination with our federal cyber practice, Booz Allen has the largest managed and professional security services business in North America. Booz Allen security experts are trusted in the U.S. Government’s most sensitive systems and in many of the Fortune 500 corporations around the world.
    • Authorized FedRAMP Third-Party Assessment Organization (3PAO) - Booz Allen is an authorized 3PAO, assessing clients and awarding them their certificates. Booz Allen has completed dozens of assessments since the FedRAMP Program was rolled out in 2012 and is a trusted partner in the success of the FedRAMP program and the FedRAMP ecosystem.
    • Our Cybersecurity Expertise is Internationally Recognized:
        o Named 3x “Largest Global Supplier of Cyber Security” by Frost & Sullivan
        o Most Innovative MDR provider – Frost Radar 2022
        o 7,000+ cyber experts with 7,000 certifications
        o Designed or Implemented 27 Fortune 500 Cyber Fusion Centers
        o 1000+ Crisis, Forensics, and Incident Response engagements annually
        o ALM Vanguard Best Cybersecurity Consulting Company

    Pricing

    Custom pricing options

    Pricing is based on your specific requirements and eligibility. To get a custom quote for your needs, request a private offer.
