ADAM CHUN
Director of Cybersecurity & Compliance
Emagine IT
DREW FORBES
Manager, Fortreum Assurance Services
Fortreum
Security assessments require coordination across technical, operational, and organizational teams to ensure systems are properly scoped, documented, and implemented. Clear expectations, accurate evidence, and effective communication all play a role in keeping assessments on track.
To provide insight into what makes assessments succeed or stall, GovRAMP convened two experienced third-party assessment organization (3PAO) leaders who work closely with cloud service providers (CSPs) across the full assessment lifecycle: Adam Chun, Director of Cybersecurity and Compliance at Emagine IT, and Drew Forbes, Manager at Fortreum Assurance Services. Together, they bring firsthand perspective on what assessors look for as organizations move from readiness through validation and authorization.
In the Q&A below, they share lessons learned from the security assessment process, including recurring gaps, early indicators of readiness, common misconceptions, and guidance providers can apply when preparing for an assessment.
Q: Across your portfolio, what recurring gaps or deficiencies do you see when cloud service providers enter readiness or full authorization assessments?
Adam Chun: We often see that CSPs have not made the necessary efforts to fully understand data flows or properly scope the authorization boundary. When beginning the GovRAMP compliance process, it’s important to take intentional steps to understand the system’s intended functionality and how it serves customers. Properly scoping the authorization boundary and documenting data flows early sets the stage for effectively architecting and implementing required controls.
As development continues, it is important to update the scope as changes occur. This step is often overlooked, which can result in deficiencies being identified later during the assessment.
Drew Forbes: Many issues arise from business priorities competing with regulatory requirements. CSPs may engage a 3PAO while the system is not yet fully built or before major features that impact security controls are implemented. Attempting to add last-minute functionality often creates delays.
Documentation gaps are also common. Data Flow Diagrams and Boundary Diagrams frequently do not meet the level of detail required by established guidance. Other recurring gaps include the use of non-authorized external service providers, configuration issues tied to secure baseline practices, outdated or expired encryption protocols, application vulnerabilities such as cross-site scripting (XSS) or cross-site request forgery (CSRF), and end-of-life operating systems that persist due to continued functionality.
In some cases, systems previously authorized under other frameworks carry forward POAM items from continuous monitoring that have exceeded established timelines, increasing aggregate risk. More recently, we’ve also seen CSPs implement AI capabilities without appropriate change management or validation, resulting in incomplete testing and missing fundamental security checks such as prompt injection testing.
Q: What early indicators (technical, operational, or cultural) signal that a cloud service provider is well-positioned for a successful assessment?
Adam Chun: Well-positioned CSPs don’t view assessments as a one-time verification exercise. Instead, they apply required controls and security principles across the organization. This approach often drives a broader security-first cultural shift.
These providers demonstrate cross-functional awareness among teams responsible for implementing and maintaining controls. That alignment typically starts with leadership clearly committing to the effort, communicating expectations, and defining goals early in the process.
Drew Forbes: Early indicators include a well-written System Security Plan (SSP) and detailed architecture diagrams, with Cryptographic Module Validation Program (CMVP) certificates clearly mapped to the cryptographic modules in use.
There is also a strong working relationship between engineering and compliance teams, with both demonstrating a high level of technical understanding. External interconnections, vendor dependencies, and supply chain relationships are thoroughly documented, and initial artifacts submitted during readiness checks are complete and high quality.
Q: What misconceptions do cloud service providers commonly have about the GovRAMP assessment process, and how does clarifying these early help teams move more efficiently?
Adam Chun: A common misconception is that the assessment process is primarily a documentation review and that the system does not need to be fully operational. While documentation is critical, the system must be operational for assessors to validate that controls are implemented and functioning as defined.
Assessors aren’t just reviewing screenshots. We walk through configurations directly, validate settings through the command line, and perform penetration testing to confirm controls operate as intended.
Drew Forbes: Another misconception is understanding the value of early readiness activities, such as a Readiness Assessment Report (RAR) or a security snapshot review. These efforts establish trust and give teams an opportunity to remediate issues before a formal assessment begins.
Some providers also assume assessment expectations will be universally aligned. While GovRAMP verification provides a strong, reusable security foundation that many states rely on, individual states may implement GovRAMP within their own policy and procurement frameworks or include additional requirements. When these expectations are discussed early in the process, teams can plan appropriately, account for any state-specific needs, and avoid unnecessary rework later in the assessment lifecycle.
Q: When assessments hit friction points, what differentiates teams that navigate challenges effectively from those that struggle to regain momentum?
Adam Chun: Maintaining a direct and open line of communication is key to providing critical feedback during an assessment. Disagreements can arise regarding whether a control is compliant, but teams that listen, ask clarifying questions, and remain open to feedback are more likely to reach resolution efficiently. These practices also strengthen working relationships between CSPs and assessors.
Drew Forbes: Communication is critical throughout the assessment. Risks related to evidence gaps, delays, or high-severity findings should be communicated early so remediation can begin promptly.
CSPs also need to be open to feedback. Assessment findings are not personal critiques—they’re opportunities to reduce risk. From the assessor perspective, using subject matter experts or focused “tiger teams” can help address complex issues without stalling the overall assessment timeline.
Q: What stages of the assessment lifecycle commonly take longer than cloud service providers anticipate, and what proactive preparation mitigates delays?
Adam Chun: Evidence collection and risk remediation often take longer than CSPs expect. Depending on system categorization, evidence requests can number in the hundreds. Maintaining continuous monitoring practices helps make evidence generation more efficient.
Risk remediation is equally important. A high volume of unresolved risks can delay assessment closeout, making vulnerability management and prioritization essential throughout the process.
Drew Forbes: Artifact gathering is frequently the longest phase, particularly when teams attempt to build documentation as they go. Scan finalization and flaw remediation can also cause delays, especially when these activities intersect with existing internal processes.
Authentication issues are another common challenge. Inconsistent authentication, insufficient access permissions, or incomplete system coverage can slow progress. CSPs should verify that credentials provide administrative access and that the majority of the system inventory is consistently covered before assessment activities begin.
Q: What evidence-based guidance would you offer cloud service providers entering the GovRAMP assessment journey for the first time?
Adam Chun: CSPs should consider entering the GovRAMP Security Snapshot Program or engaging advisory support if internal experience is limited. Advisors, along with the GovRAMP PMO, can help clarify expectations and guide preparation.
Many CSPs equate GovRAMP to SOC or ISO efforts. While GovRAMP is achievable with dedicated teams, its requirements and structure introduce additional coordination, documentation, and validation considerations that may require teams to adjust timelines or revisit scope without prior experience navigating the framework. Because 3PAO assessments represent a meaningful investment, early preparation and a clear understanding of expectations help control both cost and time.
Drew Forbes: Engaging a qualified advisory firm can help tailor preparation efforts to a CSP’s specific environment. When feasible, using a structured GRC system or repository can also support consistent artifact collection and control implementation. Before a full assessment, CSPs should consider internal pre-testing or external readiness reviews. These lower-cost evaluations can identify critical issues early and prevent major disruptions during the formal assessment phase.
Closing Thoughts
Across each response, a consistent theme emerges: successful security assessments are grounded in preparation, communication, and a clear understanding of expectations. Providers that invest early in scoping, documentation, and cross-functional coordination are better positioned to move through the assessment process efficiently and with fewer disruptions.
The insights shared by Adam Chun and Drew Forbes reflect what assessment teams see across organizations every day. When providers approach GovRAMP as part of an ongoing security program rather than a one-time milestone, assessments become more predictable and far less reactive.
GovRAMP’s framework is designed to support this approach by providing clear requirements, structured pathways, and opportunities for reuse. By engaging early, aligning teams, and addressing gaps proactively, cloud service providers can navigate the assessment process with greater confidence while supporting secure, consistent technology adoption across the public sector.
Meet Our Panelists
Adam Chun is the Director of Cybersecurity & Compliance at Emagine IT (GovRAMP 3PAO) and serves as the Practice Lead overseeing all advisory, assessment, and penetration testing services. Adam has been helping organizations achieve their compliance goals since Emagine IT’s 3PAO accreditation in 2015.
He has over 20 years of GRC/compliance experience with multiple frameworks, including GovRAMP, FedRAMP (from the beginning, aka the GSA BPA for AWS), FISMA, HiTrust, DISA/DoD SRG, DIACAP, DITSCAP, and ICD 503. He holds or has held certifications including ISC2 CRISC, HiTrust CCSFP, CompTIA Security+, ISACA CISA, and ISC2 CISSP. He has functioned at multiple levels and roles, including technical assessor/auditor, SME, Manager, and Director, interacting with CSPs, assessors, and AOs (e.g., FedRAMP JAB, DoD, Air Force, DHS, GSA, Army INSCOM, etc.).