The Federal Risk and Authorization Management Program (FedRAMP) and the Federal Information Security Management Act (FISMA) were developed as a framework for assessing cloud security and for granting an agency the Authority to Operate (ATO). In addition to individual agency requirements, FedRAMP and FISMA each have different authorization processes and requirements for maintaining one’s ATO. S4's support consists of the following independent assessment services for each cloud environment:

  • Assessment of system security controls as noted in the Cloud Service Provider (CSP) Control Implementation Summary (CIS)/Customer Requirements Matrix (CRM), System Security Plan (SSP) and documented in the Customer Controls System Security Plan (SSP).
  • Review and analysis of vulnerability scan results.
  • Conduct a risk assessment based on findings of the security controls assessment.
  • Develop the Security Assessment Report (SAR).
  • Document the Plans of Actions & Milestones (POAMs).
  • Support the development of the Executive Summary.
  • Management on the security posture of the cloud environment based on the findings of the security assessment and recommend corrective actions.

Cloud Security