Working with FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

Hyperproof offers a NIST 800-53 program template you can use to quickly and easily stand up your program. See Creating a program with illustrative controls. Keep in mind that depending on the baseline you select, your NIST program may have more or fewer requirements. For example, if you create a program with a moderate baseline, moderate and low-level requirements will be included in your program.

Note

The program's baseline level doesn't always match the baseline level listed for an individual requirement. In some cases, requirements with a different baseline are considered part of the same program baseline.

Tip

Follow Hyperproof on our journey to FedRAMP ATO! Check out the podcast and accompanying documentation.

Generating an SSP report

Roles and permissions

The following roles can export an SSP report:

  • Administrators

  • Compliance managers who are members of the program

  • Users who are members of the program

You can quickly and easily generate a System Security Plan (SSP) report for your program. The SSP report provides an in-depth overview of the security requirements for your organization’s information system. Furthermore, the report describes all of the controls that your organization has in place for meeting its security requirements.

Note

In Hyperproof, the SSP report properties come from your program’s requirements, not the controls. If you link additional controls to your program, those controls do not show up in or alter the SSP report in any way.

  1. From the left menu, select Programs.

  2. Select your program.

  3. Before exporting the SSP report, edit any requirement information in Hyperproof. This keeps Hyperproof the source of truth, so if you need to export the SSP report again in the future, the information in Hyperproof is up to date. To edit a requirement:

    1. Select the Requirements tab.

    2. Select a requirement, then select the Details tab.

    3. Make any necessary edits.

    4. Repeat substeps 2 and 3 as necessary.

  4. Select the ... (More options) tab, and then click Export SSP report.

Excluding not-applicable requirements

Follow the steps below to exclude not-applicable requirements from your FedRAMP report.

  1. Select the Requirements tab.

  2. Select a not-applicable requirement, then select the Details tab.

  3. Scroll to DOCX export settings.

  4. Clear the Include requirements in document exports checkbox.

  5. Repeat steps 2 - 4 as necessary.

    Tip

    Hyperproof is working on a bulk edit feature that allows for the easy selection and exclusion of multiple not-applicable requirements at once.

Bulk edit non-applicable requirements

To exclude a large number of requirements from your SSP report, follow these steps:

Tip

You can click the checkboxes under the DOCX column to include or exclude the requirement, or you can use the bulk edit options as described in the following steps. A checkmark in the DOCX column indicates that the requirement should be included in the SSP report.

  1. From the left menu, select Programs.

  2. Select the program for your SSP report.

  3. Select the Requirements tab.

  4. Click the Grid View icon to make sure the requirements show in a grid format.

  5. Click the checkboxes to the left of the requirements where you want to edit the Include requirements in document exports option.

    The Include requirements in document exports column on the grid displays as DOCX. If you don't see that column, click the Gear icon to access the Settings and turn on the DOCX column.

  6. Click the Include in DOCX link at the top of the page.

    The Include in DOCX confirmation window displays.

  7. To include all of the selected requirements, make sure the checkbox in the confirmation window is checked.

  8. To exclude all of the selected requirements, make sure the checkbox in the confirmation window is cleared.

Note

If the Include requirements in document exports checkbox contains a gray square, this indicates that some of the selected requirements are currently set to be included and others are set to be excluded. Click the checkbox multiple times until you reach the setting you want for ALL of the selected requirements.