Cofense - Security Awareness Training & Email Threat Detection

Cofense PhishMe: Our FedRAMP Journey


By Andrew Ledford

What is FedRAMP 

FedRAMP is the Federal Risk and Authorization Management Program. It was developed following President Barack Obama’s policy, International Strategy for Cyberspace and Cloud First, which encourages the federal adoption and use of information systems operated by cloud service providers. The development of FedRAMP was achieved collaboratively with the National Institute of Standards and Technology (NIST), the General Services Administration (GSA), the Department of Defense (DOD), the Department of Homeland Security (DHS), state and local government, and others.

Consistent with the Cloud First policy, federal agencies were encouraged to utilize cloud-based information systems operated by cloud service providers. NIST, which maintains the NIST SP 800 series of computer security publications, publishes NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. This is the control catalog used for federal information systems and organizations; it contains the requirements for FedRAMP. 

The key goals of FedRAMP are to accelerate the government’s adoption of secure cloud solutions and reuse assessments and authorizations across agencies. These are accomplished through cloud service providers creating a single Authority to Operate (ATO) package, a single security assessment by an independent third-party assessment organization (3PAO), and a single set of Plan of Actions and Milestones (POA&Ms) which each agency can then access, review, and issue an ATO for on OMB Max. U.S. government agencies can request access to the Cofense FedRAMP ATO package using this form (Package ID #FR2013059515). 

 For additional information on FedRAMP refer to 


Both FedRAMP and FISMA are based on the NIST SP 800-53 control catalog. This catalog includes hundreds of controls and control enhancements. The applicability of these controls is determined by the types of data the system is being used to store and process, as well as the criticality of that information system to accomplish the organization’s mission. FISMA applies to agency managed systems including on-premises systems, whereas FedRAMP applies to cloud systems managed by external cloud providers. The main differences between FedRAMP and FISMA requirements are detailed in the table below.  

| Baseline | NIST SP 800-53 Controls¹ | Other Requirements |
| --- | --- | --- |
| FISMA Low | 124 | N/A |
| FISMA Moderate | 261 | N/A |
| FISMA High | 343 | N/A |
| FedRAMP Low Impact SaaS (Li-SaaS) | 36² | Independent Assessor³ required to perform control assessment |
| FedRAMP Low | 125 | Independent Assessor³ required to perform control assessment; Independent Assessor³ required to perform infrastructure, database, and web application vulnerability scans |
| FedRAMP Moderate | 325 | Independent Assessor³ required to perform control assessment; Independent Assessor³ required to perform infrastructure, database, and web application vulnerability scans; Independent Assessor³ required to perform penetration testing |
| FedRAMP High | 421 | Independent Assessor³ required to perform control assessment; Independent Assessor³ required to perform infrastructure, database, and web application vulnerability scans; Independent Assessor³ required to perform penetration testing |

FedRAMP requires independent assessments to ensure the integrity and consistency of the security assessments.  

Why did Cofense decide to pursue FedRAMP 

The federal government is experiencing an increase in phishing attacks, which has been exacerbated by COVID-19 and teleworking. Agencies are looking for intelligent ways to defend against these attacks. In September 2020, NIST announced the development of Phish Scale to “help organizations better train their employees to avoid a particularly dangerous form of cyberattack known as phishing.” Cofense provides phishing defense solutions created to address that particular attack threat.

Cofense’s government agency customers using PhishMe were performing their own security assessments and ATOs. These assessments, and sometimes thousands of pages of ATO documentation based on agency requirements, increase the time and complexity of using Cofense PhishMe. Agencies were left without a key phishing detection capability. Our customers sought a way to implement our phishing defense solution quickly and securely. 

Based on our customers’ use cases for the Cofense PhishMe product, we determined that our system would be handling personally identifiable information (PII). It would serve as an essential protection to agencies; this resulted in Cofense PhishMe being categorized as a FedRAMP Moderate system based on Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems, and the accompanying NIST SP 800-60 Volume II, Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories. See Cofense’s blog on Why ‘Moderate’ Matters for details. 

How did Cofense approach FedRAMP 

Cofense evaluated our customers and the FedRAMP requirements, and determined that building out a dedicated FedRAMP environment for federal agencies would best meet these requirements. The Cofense PhishMe FedRAMP environment is deployed on AWS GovCloud, operated with U.S. citizens on U.S. soil.

Cofense’s FedRAMP environment is a government-community cloud with appropriate logical separations, authentication mechanisms meeting the NIST 800-63-3 Digital Identity Guidelines for FedRAMP Moderate systems, vulnerability management, continuous monitoring and more. 

When asked how Cofense went about the FedRAMP journey, Keith Ibarguan, Cofense Chief Product Officer, said, “On the surface, it might seem that you just take your code, run it through the gauntlet and, voila, out the other side, you have an ATO. That’s definitely not the case. We worked really hard to put the software in a position where we can manage and maintain the code in the most efficient manner. We refactored everything. We uplifted the software libraries and approaches to even deploying the code end to end, across the board.”

Cofense engaged the leading FedRAMP 3PAO to conduct the assessment of Cofense PhishMe, which included an independent evaluation of the following: 

  • Cofense’s implementation of the 325 FedRAMP Moderate NIST SP 800-53 Controls 
  • Cofense’s vulnerability management practices by conducting independent vulnerability scans 
  • Cofense’s web application security practices by performing independent penetration testing 


Cofense PhishMe is now FedRAMP Moderate Authorized. We’re excited to offer our managed PhishMe FedRAMP product to support federal defense against phishing attacks. Agencies can request access to the Cofense FedRAMP ATO package using this form (Package ID #FR2013059515) or contact Cofense directly.


¹ 36 testable controls. Other controls are required to be attested to. 

² JAB P-ATO require that a 3PAO be used. Agencies are encouraged to use a Third-Party Assessment Organization. 

³ 3PAO as the Independent Assessor to form the CSP’s assessment. 

