Skip to main content

Focus on FedRAMP

FAQs on Updated R311 Requirements

Since we released updates to the “R311-Specific Requirements: FedRAMP” on November 6th, which include new and strengthened qualifications for existing and new 3PAOs, we have received a number of questions from 3PAOs. In order to help 3PAOs fully understand what is required of them, we’ve drafted the FAQs below for your reference. If you have any additional questions that are not answered here, please feel free to reach out to info@fedramp.gov.

Question: R346 suggests a 4-hour review time for a subset of 20 controls, is there a time limit for finalizing the abbreviated Security Assessment Report (SAR)?

Answer: Yes, the 4 hour time limit includes the completion of an abbreviated SAR and also a Risk Exposure Table (RET).

Question: Will the abbreviated SAR and RET formats be shared prior to testing?

Answer: No, these documents will only will be presented at the time the activity begins.

Question: All work will be done on BCR hardware. What else do we need to know before taking this test?

Answer: Prior to the activity testing, team members must bring a copy of the BCR Assessor Class Instructions that was provided by A2LA via email. Each team member is required to sign the form before beginning the activity.

Please arrive at the testing location at least 15-30 minutes early to ensure team members can begin the exam on time. Team members must bring a photo ID with a signature (e.g., a driver’s license) and remove all electronic devices in their possession. Team members are only permitted to bring paper notes into the testing area.

Question: Will the corporate methodology and team analysis and discussion be monitored?

Answer: The testing is conducted in BCR spaces, and all assessors are escorted / monitored by a BCR test proctor until the activity concludes. However, this is not a test of corporate methodology, but an assessment of individual teams’ ability to decipher the intent of security controls.

Question: What type of cloud system will be tested?

Answer: The cloud system is a custom built, small network consisting of four physical servers, a router, firewall switch, control terminal, and active directory domain.

Question: How many technical proficiency activity test versions exist? How many versions will be used in this initial Phase 1?

Answer: Each activity is unique; the BCR team draws from about 100 NIST SP 800-53 R4 security controls, some of which have FedRAMP specific specifications and requirements fully defined. The security controls are selected at random for each activity.

Question: What is the criteria for grading the technical proficiency activity?

Answer: Each activity consists of 20 controls that need to be evaluated as implemented or not implemented by assessor teams; individual controls (i.e., management, operational, and technical) may or may not have issues. Assessor teams must correctly identify 20 issues associated with these controls, which are selected by the BCR. Assessor teams may identify 35 issues (for example), but they will only be scored based on 20 issues identified by the BCR.