Skip to main content

Focus on FedRAMP

New Third Party Assessment Organizations (3PAOs) Training Series

The FedRAMP PMO is pleased to announce the Third Party Assessment Organization (3PAO) Training Series. The training series provides 3PAOs and other interested stakeholders with a deeper understanding of the FedRAMP program requirements and the level of effort (LOE) required to satisfactorily plan and perform a FedRAMP security assessment.

The goal of this new 300 level training series is to provide the 3PAO community with the guidance necessary to alleviate common challenges they face when reviewing security package artifacts in accordance with FedRAMP requirements, developing the Security Assessment Report (SAR), and completing assessment documentation. Each course within the training series focuses on specific functions, processes, procedures, policies, and/or guidance needed for 3PAOs to most successfully complete their assessment. There is a final quiz when the course has been completed and a certificate of completion is provided to those students who complete the course and pass the final quiz. We plan to release at least one new course per month and it is recommended that course participants complete each training in order, i.e., 300-A, 300-B, 300-C, 300-D, 300-E, and finally, 300-F, as each course builds upon the preceding course.

The one exception to this recommended order is our new 300-G course: Readiness Assessment Report (RAR) Preparation. This class provides a discussion on how the FedRAMP security requirements must align with a Cloud Service Provider’s (CSP’s) Cloud Service Offering (CSO) security capabilities before the CSO is accepted as “FedRAMP Ready.” FedRAMP grants a FedRAMP Ready designation when the information in the RAR indicates the CSP is likely to achieve a Joint Authorization Board (JAB) Provisional Authorization To Operate (P-ATO) or Agency Authorization To Operate (ATO) for the system. The 3PAO is held accountable to the decision with a signature attesting to the FedRAMP Readiness of the CSP system.

Below is the expected training release schedule:

  • November 2nd: 300-A FedRAMP ISO 17020 Requirements: Understanding and Bridging the Gap
  • December 5th: 300-B 3PAO Security Assessment Plan (SAP) Guidance
  • December 5th: 300-C 3PAO Security Assessment Report (SAR) Guidance
  • January 4th: 300-D 3PAO Documenting Evidence Procedures
  • January 4th 300-E 3PAO Vulnerability Scanning Methodology and Documentation
  • February 1st: 300-F 3PAO Review of Security Assessment Report (SAR) Tables

We are grateful to the 3PAO community of stakeholders for their consistent efforts and endeavors which complement the growth and success of the FedRAMP Program. FedRAMP is your partner and would like to continue to assist you on this path. We encourage all stakeholders to participate in this training series.

If you have any questions or troubles when completing this new training series, please feel free to reach out to