Partnering with FedRAMP®
Third Party Assessment Organizations (3PAOs) play a critical role in the authorization process by assessing the security of a Cloud Service Offering.
As independent third parties, they perform initial and periodic assessments of cloud systems based on federal security requirements. The federal government uses 3PAO assessments as the basis for making informed, risk-based authorization decisions for the use of cloud products and services. During FedRAMP assessments, 3PAOs produce a Readiness Assessment Report (RAR), which is required for the Joint Authorization Board (JAB) Authorization process and optional but highly recommended for the Agency Authorization process, and/or a Security Assessment Plan (SAP) and Security Assessment Report (SAR) that is submitted for authorization to a government Authorizing Official (AO).
A list of FedRAMP recognized Third Party Assessment Organizations (3PAOs) can be found on the FedRAMP Marketplace.
How FedRAMP Can Help
FedRAMP works with 3PAOs to ensure that they have the guidance and resources needed to complete initial and periodic assessments to meet FedRAMP requirements. The FedRAMP PMO is available to provide support or address questions. To get started, please contact us at email@example.com.
Resources for Assessors
3PAO JAB P-ATO Roles and Responsibilities
3PAO JAB Provisional Authority to Operate (P-ATO) Roles and Responsibilities provides an overview of a 3PAO’s roles and responsibilities in the JAB P-ATO Process.
[File Info: PDF - 214KB]
3PAO Obligations and Performance Standards
The 3PAO Obligations and Performance Standards provides guidance for 3PAOs on demonstrating the quality, independence, and FedRAMP knowledge required as they perform security assessments on cloud systems.
[File Info: PDF - 458KB]
FedRAMP Readiness Assessments: A Guide for 3PAOs
The FedRAMP Readiness Assessments: A Guide for 3PAOs provides 3PAOs with guidance on how best to utilize the RAR. It provides a shared understanding of the RAR’s intent, process, and best practices.
[File Info: PDF - 342KB]
FedRAMP’s Training Page
FedRAMP’s Training page has a required path for all 3PAOs, which focus on specific functions, processes, procedures, policies, and/or guidance needed for 3PAOs to successfully complete their assessment of a Cloud Service Provider.