FedRAMP just made a post, reminding Cloud Service Providers (CSPs) like CORAS of our responsibilities regarding annual security assessments. It reminds me that some readers may not be aware of the requirements CORAS carries for our FedRAMP High authorization.
You may know that CORAS meets with our FedRAMP representative every second week. During that time, we review our Continuous Monitoring (aka ConMon) reports, as well as any concerns the supporting members of the FedRAMP team have about our environment. These meetings ensure both parties (CORAS as the CSP and FedRAMP as the government representative) stay in sync and get ahead of any issues.
CORAS also submits a monthly report to FedRAMP, a set of files that makes up our aforementioned ConMon deliverable. These files include our Plan of Action & Milestones (POA&M), a document listing the security findings we need to remediate and the milestones for doing so; the vulnerability scans of our environment; and other forms and documents about the environment. FedRAMP reviews these files to verify that our security standards are being met.
Finally, each year CORAS needs to work with our Third Party Assessment Organization (3PAO) to perform a deep security dive within CORAS. As expected, this assessment includes verification of the hardening of our systems and of our general security posture. As you may NOT expect, this assessment also covers our back-end systems and processes, such as ongoing security training, employee background checks, and other non-technical areas where a security breach could originate.
I was just speaking with our FedRAMP contact concerning our reassessment. We've scheduled ours for later this Spring, staying well ahead of our required dates. CORAS takes our government security responsibilities seriously and continues to improve what we're doing to keep the government's data secure.
If you'd like to read more blogs like this, follow the author Matt Walters on LinkedIn or stay tuned for more blogs from him!