Assessors

Partnering with FedRAMP®

Third Party Assessment Organizations (3PAOs) play a critical role in the authorization process by assessing the security of a Cloud Service Offering.

As independent third parties, they perform initial and periodic assessments of cloud systems based on federal security requirements. The federal government uses 3PAO assessments as the basis for making informed, risk-based authorization decisions for the use of cloud products and services. During FedRAMP assessments, 3PAOs produce a Readiness Assessment Report (RAR), which is required for the Joint Authorization Board (JAB) Authorization process and optional but highly recommended for the Agency Authorization process, and/or a Security Assessment Plan (SAP) and Security Assessment Report (SAR), which are submitted to a government Authorizing Official (AO) for authorization.

A list of FedRAMP-recognized Third Party Assessment Organizations (3PAOs) can be found on the FedRAMP Marketplace.

How FedRAMP Can Help

FedRAMP works with 3PAOs to ensure that they have the guidance and resources needed to complete initial and periodic assessments to meet FedRAMP requirements. The FedRAMP PMO is available to provide support or address questions. To get started, please contact us at info@fedramp.gov.

Resources for Assessors

3PAO Obligations and Performance Standards

FedRAMP created a conformity assessment process to recognize third party assessment organizations (3PAOs) through accreditation by the American Association for Laboratory Accreditation (A2LA). This process ensures 3PAOs meet the quality, independence, and FedRAMP knowledge requirements necessary to perform the independent security assessments required by FedRAMP. To maintain recognition, 3PAOs must continue to demonstrate independence, quality, and FedRAMP knowledge as they perform security assessments on cloud systems.

3PAO Readiness Assessment Report Guide

FedRAMP created the Readiness Assessment Report Guide to help 3PAOs and cloud service providers (CSPs) make the best use of the FedRAMP Readiness Assessment Report (RAR) templates to confirm the full implementation of the CSO’s technical capabilities, which is required for a FedRAMP Readiness Assessment to be successful. The guide also helps 3PAOs and CSPs understand the rigor that FedRAMP requires for assessments.

FedRAMP’s Training Page

FedRAMP’s Training page has a required path for all 3PAOs, which focuses on the specific functions, processes, procedures, policies, and/or guidance that 3PAOs need to successfully complete their assessment of a Cloud Service Provider.