FedRAMP Launches New 300-C Training for 3PAOs
We’ve launched the next course in the Third Party Assessment Organization (3PAO) Training Series. This new training course focuses on the development of the Security Assessment Report (SAR), which details the 3PAO’s findings after testing is complete for a Cloud Service Offering (CSO). The SAR must clearly outline a CSO system’s residual risk and adequately reflect the security state as determined by a comprehensive analysis during testing. Throughout the course, you’ll gain a better understanding of how to interpret the SAR delivery requirements; how to document the SAR, including completing the SAR tables for analysis; and how to complete the Plan of Action and Milestones (POA&M). This course will review:
- How all vulnerabilities / deficiencies must be reflected in supporting documentation to the SAR
- Capturing and recording test cases so that they are consistent, comparable, and repeatable because they are the basis on which the SAR is built
- Documenting the Functional Testing Contingency Plan Test and Incident Response Plan Test; Vulnerability Scan Results; Penetration Test Results; and Manual Test Results
- How the SAR Risk exposure table is an aggregate of all of the risks identified through the security assessment process, including the risks of inherent relationships and interconnected systems
- Why the POA&M items not duplicated through testing are also part of the total system risk for annual assessments
- Completing POA&M and deviation requests as soon as the deficiency is fully resolved, including Risk Adjustment (RA), False Positive (FP), and Operational Requirements (ORs)
The goal of the 300-level training series is to focus on the specific functions, processes, procedures, policies, and/or guidance that 3PAOs need to successfully complete their assessment. There is a final quiz at the end of the course, and a certificate of completion is provided to students who complete the course and pass the final quiz. Please use Google Chrome or Mozilla Firefox to ensure your certificate is generated at the conclusion of the module.
For more information about the FedRAMP training series curriculum, please visit our training web page.