Readiness Assessment (RAR) - Vesta conducts a pre-assessment (referred to as a "Readiness Assessment") as an important first step to helping our clients identify any critical gaps in technical capabilities, process maturity, and security documentation currency. The Readiness Assessment provides a level of assurance, to the FedRAMP PMO and/or the federal agency that is sponsoring the client, that the client would be able to achieve either a FedRAMP Joint Authorization Board (JAB) Provisional Authority to Operate (P-ATO) or an Agency FedRAMP Authority to Operate (ATO) within six months of attaining a favorable "FedRAMP Ready" designation. Although a Readiness Assessment is not required for an Agency FedRAMP ATO, it is required for clients pursuing a FedRAMP JAB P-ATO. Vesta recommends clients confirm with their federal agency sponsor if they require a FedRAMP Readiness Assessment.
Advisory/Consulting - Vesta offers advisory/consulting services to clients as a basic part of the engagement. Our advisory/consulting service is designed to go beyond just "checking off the box" to meet FedRAMP requirements and help clients "pass the audit/assessment". We encourage our clients to participate as collaborators rather than spectators. We believe strong client involvement provides business value because it helps clients become familiar with and adopt the security best practices that are leveraged to define FedRAMP requirements and processes. As part of our advisory/consulting services, Vesta develops "from scratch" the key security documentation such as System Security Plan (SSP), Configuration Management Plan (CMP), Incident Response Plan (IRP), Information System Contingency Plan (ISCP), policies and procedures, etc.
Some of the key components for which Vesta provides advisory/consulting are:
-defining system (authorization) boundary; network segmentation, tenant isolation, application partitioning
-defining system environment - system inventory and architecture, network diagrams, data flow
-determine if FIPS-validated cryptographic modules are being used for data-at-rest, data-in-transit
-determine if multifactor authentication mechanisms are implemented; Personal Identity Verification/Common Access Card (PIV/CAC) support
-process maturity and automated mechanisms - i.e. patch management, vulnerability management, configuration management/change management, vendor risk management, records management, incident response, contingency planning/business continuity/disaster recovery, security awareness training, onboarding and termination procedures, continuous monitoring
-determine if DNSSEC implemented
-separation of duties/least privilege
-malware protection and intrusion detection/prevention