Third Party assessors play an integral role in the FedRAMP process. Accredited independent assessors, known as Third Party Assessment Organizations (3PAOs), have demonstrated the independence and technical competency required to test security implementations and collect representative evidence. Whether accredited through FedRAMP or not, third party assessors:
  • Create a Security Assessment Plan
  • Perform initial and periodic assessments of CSP security controls
  • Conduct security tests and produce a Security Assessment Report

Third Party assessors validate and verify that evaluated CSPs meet FedRAMP requirements. The resulting security assessment report and supporting evidence make up a key requirement for leveraging agencies to use a FedRAMP security assessment package.

 

FedRAMP Overview

FedRAMP provides agencies and CSPs with a standard approach for conducting security assessments, replacing varied and duplicative procedures across government. The FedRAMP approach is based on an accepted set of baseline security controls and consistent processes that have been vetted and agreed upon by agencies across the federal government.

A key part of the FedRAMP process involves CSPs working with 3PAOs to validate and verify that the cloud systems meet FedRAMP requirements. FedRAMP accredits Third Party assessors through a robust conformity assessment process. These accredited assessors are known as Third Party Assessment Organizations (3PAOs). A 3PAO is essentially a cloud auditor: it performs initial and periodic assessments of cloud systems per FedRAMP requirements. These assessments provide evidence of compliance with FedRAMP standards and play an ongoing role in ensuring cloud service providers meet applicable requirements. All FedRAMP provisional authorizations and CSP-supplied packages must include an assessment by a FedRAMP-accredited 3PAO to ensure consistency and transparency.

Share Your Experience with FedRAMP

Join the discussion with other Third Party Assessors working to meet FedRAMP requirements on the FedRAMP Forum.

 

Apply

Become an Accredited 3PAO

To become an accredited 3PAO under FedRAMP, candidate third party assessors must submit application materials demonstrating both technical competence in the security assessment of cloud systems and conformance with the management requirements for organizations performing inspections. FedRAMP has approved a private sector organization, the American Association for Laboratory Accreditation (A2LA), to accredit FedRAMP Third Party Assessment Organizations (3PAOs). Using technical experts as assessors and coordinating with the FedRAMP PMO, the A2LA assessment process involves a rigorous evaluation of the technical competence of the 3PAOs, as well as an assessment of their compliance with the general requirements of ISO/IEC 17020. The FedRAMP PMO, however, will remain the sole authority to approve FedRAMP 3PAOs. More information on working with A2LA and applying to become an accredited FedRAMP 3PAO can be found here.

The 3PAO accreditation program ensures that approved 3PAOs consistently perform security assessments with an appropriate level of rigor and independence. FedRAMP will only review security assessment packages from CSPs that have been assessed by an accredited 3PAO. Furthermore, only CSPs that use an accredited 3PAO are eligible for a Joint Authorization Board (JAB) Provisional Authorization.

 

Assess

Conduct a Security Assessment of a CSP

CSPs implement and document security controls as specified in the FedRAMP Security Control Baseline. Independent assessors perform initial and periodic assessments of Cloud Service Provider (CSP) systems' implementation of FedRAMP security controls, provide evidence of compliance, and play an ongoing role in ensuring CSPs meet FedRAMP requirements. Once engaged with a CSP, 3PAOs develop Security Assessment Plans, perform testing of cloud security controls, and develop Security Assessment Reports. Depending on the authorization granted, the Joint Authorization Board, FedRAMP Information System Security Officers (ISSOs) and Agency ISSOs will extensively review these documents in determining whether to grant an authorization.