Rapid Certification
How to get started using RegScale for Rapid Certification
Build Program
Framework
- Pick a framework (e.g. FedRAMP, NIST SP 800-53, NIST Cybersecurity Framework) and import its catalog
Categorization (Risk Management Framework) / Select Controls (Risk Management Framework)
The Categorize step informs RMF processes by determining the impact on the Confidentiality, Integrity, and Availability (CIA) of systems. The Select step allows controls to be selected and tailored based on the risk to the system and its categorization.
- Create a Profile from the catalog
- Create a security plan
- Optional: Use the information type classifications to set the categorization
- Optional: Use a Categorization Engine to apply profiles
- Manually apply a profile to the security plan
Implement Controls (Risk Management Framework)
The Implement step defines how the controls are executed for the system and organization.
- Capture the control implementation statuses and implementation statements
- Optional: Import a FedRAMP-formatted SSP to populate these control implementations
- Optional: Import control implementations recorded in a spreadsheet
- If this Security Plan is meant to be inherited, mark the controls “Inheritable”
- For FedRAMP, ensure that the FedRAMP tab is completed in the Security Plan record
- Leverage RegML Auditor to write control implementation statements
- Leverage RegML Extractor to parse policies to write control implementation statements.
- Leverage integrations (Wiz, CrowdStrike, Tenable, etc.) to set control implementation statuses
Leveraged Authorizations
For FedRAMP, or other situations where a third party is providing many control implementations, RegScale enables use of inheritance to maximize reuse. Refer to the Control Implementation Summary / Customer Responsibility Matrix (CIS/CRM) or similar documentation from the provider on what controls they implement. Create a Security Plan as above and apply only the controls outlined in the CRM. When marking the control implementations, mark them as "Inheritable".
Once the "parent" security plan is created, create a "child" security plan and use the builder to inherit from the "parent" security plan. That marks the inheritable controls as "inherited" on the dashboard.
Assess Program
Assess Controls (Risk Management Framework)
The Assess step provides assurance that controls are implemented correctly, operating as intended, and producing the desired security/risk outcomes.
Gather Evidence
- Collect Evidence for Control Implementations
- Use Evidence Locker to map common evidence to multiple controls
Initial Assessment
- Create a Continuous Monitoring (ConMon) record for the “Initial Assessment”
- Capture the SAP elements in the ConMon record.
- Complete the FedRAMP (SAP/SAR) tab in the ConMon Record
- Conduct the Assessment
- For FedRAMP: Export the Security Plan, Security Assessment Report (SAR), and appendices
Fix Problems
Monitor Controls (Risk Management Framework)
The Monitor step provides situational awareness about the ongoing security and risk posture of the system over time.
- Import vulnerability scanner results using the integrations
- These imports create RegScale Assets, asset-linked Scan Histories, asset SBOMs (where available), asset-linked Vulnerabilities, and Security Plan-linked Issues/POA&Ms
- Compare current vulnerability scan results to previous scan results
- Update POA&Ms
- Work on Security Plan-based Issues/POA&Ms and mark any completions
- Add a Deviation Report if needed
- For FedRAMP: Export POA&Ms, Risks, Inventory, and the Deviation Report (if needed)
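The scan comparison and POA&M update steps above, worked through as an added Python illustration. This is not RegScale code and does not use the RegScale API; the finding and POA&M records are a constructed, simplified model of the asset-linked Vulnerabilities and Security Plan-linked POA&Ms the imports create.

```python
# Added illustration of the Monitor step's scan comparison and POA&M update;
# not RegScale code. All scan results and POA&Ms below are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    """One asset-linked vulnerability from an imported scan history."""
    asset: str      # asset the vulnerability is linked to
    vuln_id: str    # scanner's vulnerability identifier (constructed values)
    severity: str

@dataclass
class Poam:
    """A Security Plan-linked Issue/POA&M raised for one finding."""
    finding: Finding
    status: str = "Open"    # "Open" or "Completed"

def diff_scans(previous, current):
    """Compare two scans; returns (new, persistent, resolved) finding sets."""
    prev, cur = set(previous), set(current)
    return cur - prev, cur & prev, prev - cur

def update_poams(poams, previous, current):
    """Raise a POA&M for each new finding and mark the POA&M of any finding
    absent from the current scan as completed. Returns the updated list."""
    new, _persistent, resolved = diff_scans(previous, current)
    by_finding = {p.finding: p for p in poams}
    for f in sorted(new, key=lambda f: (f.asset, f.vuln_id)):
        if f not in by_finding:          # never duplicate an existing POA&M
            poams.append(Poam(f))
    for f in resolved:
        if f in by_finding and by_finding[f].status == "Open":
            by_finding[f].status = "Completed"
    return poams

def poam_summary(poams):
    """Open/Completed counts, as a POA&M export would report them."""
    statuses = [p.status for p in poams]
    return {s: statuses.count(s) for s in ("Open", "Completed")}

# Constructed sample data: two scan histories for the same two assets.
PREVIOUS = [Finding("web-01", "VULN-001", "High"), Finding("web-01", "VULN-002", "Medium"),
            Finding("db-01", "VULN-003", "Critical")]
CURRENT = [Finding("web-01", "VULN-002", "Medium"), Finding("db-01", "VULN-003", "Critical"),
           Finding("db-01", "VULN-004", "High")]

if __name__ == "__main__":
    poams = [Poam(f) for f in PREVIOUS]   # POA&Ms raised after the first scan
    update_poams(poams, PREVIOUS, CURRENT)
    print(poam_summary(poams))            # {'Open': 3, 'Completed': 1}
```

A finding that disappears from one scan is treated as resolved here; in practice, confirm the fix with evidence before closing the POA&M, since a scanner that simply failed to reach the asset produces the same absence.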