Review and create FedRAMP compliant systems security documentation. This documentation includes, but is not limited to, a System Security Plan (SSP), Contingency Plan, and a Control Implementation Summary. These documents may also be leveraged in support of the organization's Authority to Operate (ATO).

Full Assessment

​Review all system documentation to ensure all NIST SP 800-53 and organizational security controls are in place. Our assessors will interview necessary stakeholders to confirm policy implementation and gather applicable evidence. These actions will also include vulnerability and penetration testing of the environment. At the conclusion of this phase, the package will be submitted to either the sponsoring federal agency or the Joint Authorization Board (JAB).

Continuous Monitoring

Mitigate the assessment findings by working with the system owners to update any policy or procedures that are non-compliant. MBL will also work with network administrators to recommend remediation processes for technical vulnerabilities.

Annual Assessment / Monthly Scanning

To perform monthly scanning of the environment in support of the FedRAMP continuous monitoring requirements, this phase will include an annual assessment of 1/3 of the information system's security controls.

​FedRAMP Ready Work

To conduct a readiness assessment, which would result in identifies gaps for mitigation as you move into the assessment preparation/pre-assessment phase.




     How we support your business

MBL is a certified FedRAMP Third-Party Assessment Organization (3PAO).

MBL offers a standardized approach for conducting required security assessments of Cloud Service Providers (CSPs) providing services to federal agencies. 

Through our assessment process, MBL employs the same care and expertise our clients have come to expect, while safeguarding and securing the transmission and storage of Federal data. MBL has a uniquely qualified team with members that have served as Subject Matter Experts (SME)s for government agencies pursing cloud systems. Our staff are expert in all forms of classification (e.g. private, public or hybrid) and sensitivity levels (e.g low, moderate).