Skip to main content

Focus on FedRAMP

3PAO Proficiency Testing Activity Takes Effect in Phased Approach

FedRAMP and A2LA, in partnership with the Baltimore Cyber Range (BCR), is implementing a three-phased approach for FedRAMP Third Party Assessment Organizations (3PAOs) to pass the BCR Cybersecurity Technical Proficiency Activity.

It’s the responsibility of each FedRAMP 3PAO to ensure assessors participate in the testing activity and provide a Technical Proficiency Activity Participation Plan to A2LA (FedRAMP@A2LA.org) and the FedRAMP PMO (info@fedramp.gov). The Technical Proficiency Activity Participation Plan is due to A2LA and the FedRAMP PMO by February 1, 2019. This plan must include timeframes in which organizational assessment teams will comply with Phase 1 and 2 as well as delineate assessment team member roles (Senior Representative, Junior Tester, Quality Representative, Penetration Tester, etc.).

Phase 1 requires a single FedRAMP 3PAO team of 3-5 assessors to pass the BCR activity by March 1, 2019. Each assessment team must include one Senior Representative and one Quality Representative, as defined in Section 6.1 - Personnel of the A2LA R311 - Specific Requirements: FedRAMP.

3PAOs are encouraged to contact A2LA (FedRAMP@A2LA.org) as soon as possible to set up a testing time.

Phase 2 requires all remaining FedRAMP 3PAO teams to pass the BCR activity by July 31, 2019. Similar to Phase 1, assessment teams must be comprised of at least one Senior Representative and one Quality Representative, as defined in Section 6.1 - Personnel of the A2LA R311 - Specific Requirements: FedRAMP. If a 3PAO fails to comply with either of the Phase 1 or Phase 2 requirements, the FedRAMP PMO may revoke the organization’s FedRAMP recognition status.

In Phase 3, 3PAOs must ensure individual assessors recertify, every 12 months, after an assessor successfully passes the BCR Cybersecurity Technical Proficiency Activity. This information must be included within each 3PAO’s respective Technical Proficiency Activity Participation Plan and provided to A2LA (FedRAMP@A2LA.org) and the FedRAMP PMO (info@fedramp.gov).

If you want to learn more about these updates, please read our BCR Phased Participation Requirements document or reach out to info@fedramp.gov.