Updated FedRAMP 3PAO Obligations and Performance Standards Document
The FedRAMP PMO, in coordination with the American Association for Laboratory Accreditation (A2LA), has made several revisions to the FedRAMP Third Party Assessment Organization (3PAO) Obligations and Performance Standards document that focus on further defining the program’s 3PAO performance and compliance expectations.
The updates include:
- Ensuring 3PAO compliance with the requirements set forth in the FedRAMP Authorization Act, including Section 3612. Declaration of foreign interests
- Ensuring 3PAO adherence to personnel requirements regarding years of experience, training, certification qualifications, and technical proficiency activities outlined in the “A2LA R311 – Specific Requirements: Federal Risk and Authorization Management Program” document
- Defining ramifications for all stakeholder deliverables submitted by 3PAO teams who do not meet the personnel requirements, as maintained in the Baltimore Cyber Range (BCR) 3PAO Personnel Database
- Notifying all relevant stakeholders when the performance of their 3PAO is being reviewed by the FedRAMP PMO
- Defining conditions for re-entry into the FedRAMP 3PAO program following a 3PAO’s revocation
- Updating the “3PAO/A2LA/FedRAMP PMO Roles and Responsibilities” reference table (formerly the “3PAO JAB P-ATO Roles and Responsibilities” standalone document)
If you have any questions about these new changes, please reach out to firstname.lastname@example.org.