Third Party assessors play an integral role in the FedRAMP process.  Accredited independent assessors - Third Party Assessment Organizations (3PAOs) have demonstrated independence and technical competency required to test the security implementations and collect representative evidence.  Whether accredited through FedRAMP or not, third party assessors: 
  • Create a Security Assessment Plan
  • Perform initial and periodic assessments of CSP security controls
  • Conduct security tests and produce a Security Assessment Report

Third Party assessors validate and verify that evaluated CSPs meet FedRAMP requirements.  The resulting security assessment report and supporting evidence make up a key requirement for leveraging agencies to use FedRAMP security assessment package.

 

FedRAMP Overview

FedRAMP provides agencies and CSPs with a standard approach for conducting security assessments, and replacing varied and duplicative procedures across government.  The FedRAMP approach is based on an accepted set of baseline security controls and consistent processes that have been vetted and agreed upon by agencies across the federal government.

A key part of the FedRAMP process involves CSPs working with 3PAOs to validate and verify that the cloud systems meet FedRAMP requirements. FedRAMP accredits Third Party assessors through a robust conformity assessment process.  These accredited assessors are known as Third Party Assessment Organizations (3PAO). A 3PAO is essentially a cloud auditor - they perform initial and periodic assessments of cloud systems per FedRAMP requirements. This crucial action provides evidence of compliance with FedRAMP standards and plays an on-going role in ensuring cloud service providers meet applicable requirements. All FedRAMP provisional authorizations or security assessment packages submitted by CSPs must include an assessment by an accredited 3PAO to ensure consistency and transparency.

Share Your Experience with FedRAMP

Join the discussion with other Third Party Assessors working to meet FedRAMP requirements on the FedRAMP Forum.

 

Apply

Become an Accredited 3PAO

In order to become an accredited 3PAO under FedRAMP, candidate third party assessors must submit application materials demonstrating that they meet both technical competence in security assessment of cloud systems and management requirements for organizations performing inspections.  FedRAMP has approved American Association for Laboratory Accreditation (A2LA) to accredit FedRAMP Third Party Organizations (3PAOs). Through the use of technical experts as assessors, the A2LA assessment process involves a rigorous evaluation of technical competence of the 3PAOs, as well as an assessment of their compliance to the general requirements of ISO/IEC 17020.  More information on working with A2LA and applying to become an accredited FedRAMP 3PAO can be found here.

The 3PAO accreditation program ensures that approved 3PAOs consistently perform security assessments with an appropriate level of rigor and independence. FedRAMP will only review security assessment packages from CSPs that have been assessed by an accredited 3PAO. Furthermore, only CSPs that use an accredited 3PAO are eligible for a Joint Authorization Board (JAB) Provisional Authorization.

 

Assess

Conduct a Security Assessment of a CSP

CSPs implement and document security controls as specified in the FedRAMP Security Control Baseline. Independent assessors perform initial and periodic assessment of Cloud Service Provider (CSP) systems implementation of FedRAMP security controls, provide evidence of compliance, and play an on-going role in ensuring CSPs meet FedRAMP requirements.  Once engaged with a CSP, 3PAOs develop Security Assessment Plans, perform testing of cloud security controls, and develop Security Assessment Reports.  Depending on the authorization granted, the Join Authorization Board, FedRAMP Information System Security Officers (ISSOs) and Agency ISSOs will extensively review these documents in determining whether to grant an authorization.

Discuss

Join the discussion on the FedRAMP forum

By using this service you agree not to post material that is obscene, harassing, defamatory, or otherwise objectionable. Cloud.cio.gov moderates comments prior to their posting and comments deemed in violation of this rule will not be posted.

Sean Cope

Publicly Display CSPs that have successfully completed the FedRAMP Initiation Phase.

As a suggestion, it would be advantageous to the FedRAMP community to provide information of Cloud Service Providers (CSPs) that have successfully passed the FedRAMP Initiation phase on the FedRAMP website. Information could be supplied to the FedRAMP website at the end of CONOPS section 6.1 - Initiating a Request.

To build upon this idea, Initiated CSPs could be place in a designated section like the current ‘In Process’ section, but a CSP email contact could be provided so that interested Government Agencies/3PAOs could reach out to/provide capabilities materials.

Additionally, Government Agencies would have an understanding of what types of Cloud Services are in the queue ahead of time. This would provide a means in which an Agency could sponsor a Cloud Service Provider and place the Cloud Offering into the ‘Priority Queue’ due to the Agency’s needs.

Sean Cope – Homeland Security Consultants

2 replies

William Barker

I also like this approach. As a COR for one of the major telecommunications contracts GSA holds, we have service providers (major carriers) interested in providing cloud services to federal agencies.

Kathleen Fischer

Sean - I like this approach. It builds momentum; this will benefit the CSPs, Agencies evaluating cloud solutions, and the FedRAMP PMO and 3PAOs.

Kathleen Mayer Fischer - QinetiQ North America