
Focus on FedRAMP

Partnering for Success: CSPs and 3PAOs

Third Party Assessment Organizations (3PAOs) are hired by Cloud Service Providers (CSPs) to either consult or provide independent security testing on a given cloud system.  

In Winter 2017, FedRAMP, in partnership with the American Association for Laboratory Accreditation (A2LA), released a series of 3PAO requirement updates including specific standards for applicants, assessment teams, renewal and surveillance assessments, subcontractors, and CSP feedback. To learn more, read our 3PAO Requirements Update blog.

In addition to the more rigorous standards, when a CSP hires a 3PAO, the CSP is ultimately responsible for the quality of testing and associated deliverables that the 3PAO submits for FedRAMP approval throughout the authorization process. FedRAMP currently has 44 accredited 3PAOs, but each CSP should ensure that the 3PAO they hire has the skillset to match their system’s complexity and requirements. CSP roles and responsibilities for working with 3PAOs during the authorization process are included here. For illustrative purposes, the process below shows the phases by which a system progresses from being ready to being “authorized” with the Joint Authorization Board.

During the Readiness Assessment, the 3PAO is responsible for providing a preliminary assessment of the CSP system’s ability to meet key security controls and for providing assurance that the CSP could successfully complete the FedRAMP process. The CSP should expect the 3PAO to ensure that all of the system’s security controls are successfully met before going to the FedRAMP PMO for their approval for FedRAMP Ready. The CSP should be open to the feedback that the 3PAO provides and be willing to update their system according to the feedback. If you have questions on the specific controls and requirements, please review the Readiness Assessment Report Template, which has specific guidance that the 3PAO is obligated to follow.

Before the kick-off: Once a CSP begins the authorization process, their 3PAO will need to create a Security Assessment Plan (SAP) and Security Assessment Report (SAR) for the authorizing officials to review. Some key elements authorizing officials will look for in the SAP and SAR include:

  • The CSP should review the SAP prior to submission to the government and prior to the 3PAO beginning the SAR testing to ensure the SAP has the correct scope of testing and covers all needed parts of the system.

  • Developing the SAR includes a series of both virtual and in-person tests, so the CSP must work collaboratively with the 3PAO to schedule these tests and have resources available to provide all the evidence requested by the 3PAO.

Authorizing officials will pay close attention to all risks identified during testing. For instance, with a JAB authorization, a CSP cannot have any high vulnerability findings in the SAR.

During the Authorization Process: Throughout the authorization process, the CSP should ensure that the 3PAO is available to attend regular meetings with the authorizing official teams, respond to concerns on results in the SAP and SAR, and be ready to perform remediation testing as requested by an authorizing official in preparation for the ultimate authorization decision.

It’s ultimately the CSP’s responsibility to ensure the 3PAO is providing accurate and sufficient information to agency authorizing officials. Additionally, it’s the CSP’s responsibility to provide proactive feedback on their 3PAO’s performance either during or after an assessment. CSPs should use the A2LA F338, CSP Evaluation Form, so 3PAO performance can be monitored and assessed by both FedRAMP and A2LA.

If you have questions or concerns about working with your 3PAO, please don’t hesitate to reach out to info@fedramp.gov.