FedRAMP accredited Third Party Assessment Organizations (3PAOs) perform the initial and periodic assessments of cloud systems to ensure they meet FedRAMP security requirements as part of a Cloud Service Provider’s (CSPs) FedRAMP authorization. CSPs partner with 3PAOs for both Joint Authorization Board (JAB) and Agency authorizations and for each of the three security baselines: Low, Moderate, and High.
How to Become an Accredited Assessor
Organizations interested in becoming accredited FedRAMP 3PAOs must be reviewed by the American Association for Laboratory Accreditation (A2LA), which follows ISO/IEC 17020:2012 Requirements for the Operation of Various Types of Bodies Performing Inspection. Acceptance of A2LA accreditation for a 3PAO is subject to final approval by the FedRAMP PMO. More information on becoming a FedRAMP accredited 3PAO can be found on the A2LA website.
FedRAMP Authorization: An Assessor’s Perspective
3PAOs play a critical role in the authorization process by assessing the security of a cloud service. CSPs may also engage a 3PAO for consultation as they develop their system or documentation related to a FedRAMP authorization. However, a 3PAO that provides consulting services to a CSP may not complete the assessment for that CSP’s service as part of the authorization process.
In this phase, the 3PAO works with the CSP to develop a project plan for FedRAMP authorization. It is recommended that 3PAOs and their CSP engage the FedRAMP PMO early and often when beginning an authorization to ask questions and receive guidance on their strategy.
3PAOs are also responsible for executing a Cloud Service Offering’s (CSO) Readiness Assessment testing when a CSP is pursuing a FedRAMP Ready designation. The Readiness Assessment Report (RAR) that the 3PAO produces will assess a CSP’s system’s operational security capabilities. The FedRAMP PMO reviews all RARs and if satisfactory, the CSP system will be designated “FedRAMP Ready.” This designation indicates that a 3PAO attests to a CSO’s readiness for the authorization process. The 3PAO Readiness Assessment Report Guide provides 3PAOs with best practices to successfully complete a high quality RAR.
3PAOs are responsible for testing the security controls of the CSP’s service. This includes:
- Completing a Security Assessment Plan (SAP)
- Performing initial and periodic assessments of the service’s security controls
- Producing a Security Assessment Report (SAR)
An assessor’s completed SAP and SAR is submitted with the CSP’s System Security Plan (SSP) to form the authorization package. The package is ultimately reviewed and approved by the authorizing party (either the JAB or an Agency).
After an authorization has been granted, the cloud service enters continuous monitoring. 3PAOs perform annual testing as required by the CSP and the authorizing party. CSPs can also engage 3PAOs during the continuous monitoring phase to validate Deviation Requests, Significant Changes, and participate in or fully perform monthly assessments.