Scottsdale, Arizona, November 15, 2021 (Continuumgrc.com) – Continuum GRC, Inc. has been granted its FedRAMP Authorization by the Federal Risk and Authorization Management Program (FedRAMP).
“I’d like to personally thank the SBA’s Branch Chief for Security Policy & Compliance and Office of the Chief Information Officer, and those members of the FedRAMP PMO who supported our interesting use case. It has been our mission to help the small business community that is America's economic engine, and we are looking forward to doing great things together,” said Michael Peters, CEO of Continuum GRC.
The United States Small Business Administration (SBA) partnered with Continuum GRC for FedRAMP Authorization following an extensive period of evaluating the tool. Their interest was in how the tool scaled GRC capabilities not only to the SBA’s internal requirements, but also to the multitude of America’s small businesses the agency supports.
Continuum GRC is a software as a service (SaaS) product that is purpose-built for companies and users who perform audit and compliance assessments, risk assessment and risk management, governance and policy development, and all other manner of audits and assessments.
To achieve FedRAMP authorization, cloud service providers (CSPs) offering SaaS, PaaS, or IaaS solutions must prepare a comprehensive System Security Plan (SSP), fully implement the applicable FedRAMP baseline security controls (based on NIST SP 800-53), and engage an accredited and FedRAMP-recognized third-party assessment organization (3PAO) for independent, rigorous security assessments.
The 3PAO conducts thorough evaluations of the CSP's cloud environment, including:
- Initial assessments to validate control implementation and produce a Security Assessment Report (SAR), Plan of Action and Milestones (POA&M), and other required artifacts for the authorization package.
- Annual reassessments and ongoing continuous monitoring activities (e.g., vulnerability scanning, configuration reviews, and change impact analyses) to ensure sustained compliance.
- Impartial and conflict-free evaluations — FedRAMP prohibits the same 3PAO from both advising on SSP preparation and performing the official assessment to maintain independence.
Accreditation is granted by bodies such as the American Association for Laboratory Accreditation (A2LA), requiring demonstrated compliance with ISO/IEC 17020 standards, FedRAMP-specific technical proficiency (including proficiency testing in simulated cloud environments), annual reviews, and full on-site reassessments every two years.
Reputable providers such as Lazarus Alliance — a long-standing FedRAMP-accredited 3PAO (with successful recertifications and recognition on the FedRAMP Marketplace) — offer end-to-end support to streamline this process. Their services include:
- FedRAMP readiness assessments to identify gaps early and accelerate time-to-authorization (often reducing timelines by up to 46% compared to industry averages).
- Independent 3PAO audits leveraging advanced tools like the Continuum GRC IT Audit Machine (ITAM) for automated SSP development, evidence collection, and assessment execution.
- Continuous monitoring support, including annual reassessments and change management reviews.
- Similar expertise for related frameworks such as GovRAMP/StateRAMP, FISMA, and CNSSI 1253.
By partnering with an experienced 3PAO like Lazarus Alliance, CSPs can navigate the complex, mandatory independent validation requirements more efficiently, reduce costs, mitigate risks, and position their cloud services for federal (and state/local) contracts via the FedRAMP Marketplace.
This approach ensures not only regulatory compliance but also builds trust in a highly regulated ecosystem.
For more details on engaging Lazarus Alliance as your 3PAO partner, visit their FedRAMP services page or contact their team directly.