Our business solutions
“PwC delivers FISMA readiness, assessment, and audit services to major Federal agencies and large multinational companies, including cloud service providers.” – Henry Kramer, Federal Regulatory Assurance Leader
More and more, the government is turning to commercial business partners for critical mission and operations support. The opportunity is big, but heightened regulatory and security requirements must be fully understood, and met. And right now, many companies interested in federal business are unfamiliar with these requirements.
Our Federal Regulatory Assurance team includes IT professionals with deep federal regulatory, compliance, and controls experience. As federal compliance is often part of broader compliance challenges, we partner with PwC’s Integrated Compliance team to maximize our value to clients.
We’re ready, today, to help you refine your compliance roadmap so you can pursue and successfully service the public sector.
A path towards FISMA and Federal regulatory compliance
Compliance with the Federal Information Security Management Act (FISMA) is required of all federal agencies and all commercial entities that provide services to the Federal Government. Companies must have a control environment that meets FISMA requirements, which include required documentation. Additional federal regulations beyond FISMA may also be applicable.
Underscoring the government’s mandate, federal agencies are updating key policy documents to explicitly require FISMA and federal regulatory compliance of their contractors. Bottom line: Your company can’t do business with the Federal Government unless it meets federal control requirements.
Our professionals leverage their extensive FISMA and federal regulatory experience to help companies create a step-by-step FISMA and federal compliance roadmap. We can help you:
FedRAMP requirements for cloud service providers
To trim costs, the current Cloud First mandate requires federal agencies to strongly consider cloud services. In fact, roughly 25% or $20B of federal IT spending is earmarked for cloud computing migration.
Accordingly, commercial cloud service providers (CSPs) for federal agencies must meet Federal Risk and Authorization Management Program (FedRAMP) requirements. FedRAMP standardizes the approach to cloud-related security assessments, authorizations, and ongoing monitoring. The program uses a “do once, use many times” model, i.e., CSP certification can be applied across multiple potential customers to save time, money and resources.
CSPs must pass a required audit in order to receive FedRAMP certification. PwC is an accredited FedRAMP 3PAO (Third Party Assessment Organization), signifying that our firm has appropriate cloud security knowledge and methodology for performing cloud security assessments.
While guidance is still emerging, CSPs are encouraged to prepare now for compliance. CSPs are finding advance preparation necessary to ready their environment for the required audit, and do business with the federal government. And remember – compliance is not optional.
Our FedRAMP team includes cloud security, federal regulatory, and controls professionals. Partnering with PwC’s Cloud Assurance team, you will be well-prepared to meet federal cloud compliance requirements. Our team offers powerful support to help you:
A large software company identified the public sector as a significant business opportunity for its cloud-based solutions. Having never previously contemplated federal information security requirements, the company sought assistance in evaluating its current control posture against FISMA and FedRAMP requirements and in identifying a prioritized list of gaps where remediation was necessary to meet the federal requirements. The company also had active requests for proposal from prospective customers and needed to achieve compliance quickly.
What we did:
PwC designed a readiness program that began with performing a gap analysis between the company’s integrated controls framework and the FISMA and FedRAMP requirements. Following readiness, PwC helped the software company identify ways to remediate gaps, create necessary federal documentation, prepare for an audit, and design a sustainable integrated controls framework. As new federal customers were identified, the company engaged PwC to perform individual gap analyses between the customer’s requested controls and the software company’s controls framework.