For each cloud system, agencies should review the implemented security controls and perform a gap analysis using the FedRAMP security control baseline to identify which security controls are missing. FedRAMP security controls are listed on www.fedramp.gov in the form of an Excel spreadsheet and are summarized in the System Security Plan template.
Quzara can perform a CSP FedRAMP gap analysis that provides an overview of technical gaps identified from a readiness assessment standpoint and begins a roadmap with recommendations on the FedRAMP accreditation path. Our report will identify potential deficiencies or lack of controls that could result in a failure to comply with FedRAMP and National Institute of Standards and Technology (NIST) requirements. We also recommend solutions and processes necessary to meet the FedRAMP requirements prior to completing the 3PAO security assessment.
A gap analysis identifies which new security controls must be implemented on the respective cloud system. The gap analysis can serve as an agenda item for meetings between the cloud service provider and the agencies to prioritize which items are most relevant for the ATO.
Agencies will need to work in concert with their CSPs to implement missing security controls required by the FedRAMP baseline.