New 3PAO Training - Obligations and Performance Standards
August 1 | 2023
FedRAMP recognized Third Party Assessment Organizations (3PAOs) now have a 300-0 Obligations and Performance Standards training course that complements the FedRAMP 3PAO Obligations and Performance Standards document and also serves as an introduction to the new 3PAO training curriculum.
The training and accompanying FedRAMP 3PAO Obligations and Performance Standards document outlines the:
- Scope of a 3PAO’s roles and responsibilities related to the FedRAMP assessment processes
- Importance of the FedRAMP 3PAO Obligations and Performance Standards document
- Process required for an independent assessment organization (IAO) to become a FedRAMP recognized 3PAO
In accordance with the American Association for Laboratory Accreditation (A2LA) R311 policy, all FedRAMP recognized 3PAO team members must take and pass this mandatory course within 60 days of the training announcement. 3PAOs must maintain copies of these certificates in their training records. Records of completion will be reviewed during a 3PAO’s A2LA assessment to ensure each team member has participated appropriately. Each individual 3PAO participant, who has not completed the required training or update sessions, may not participate in FedRAMP assessment activities.
The remaining seven courses in the 3PAO training curriculum will be updated on a rolling basis and include updates to the current FedRAMP 3PAO curriculum including: Readiness Assessment Report (RAR) Guidance, Security Assessment Plan (SAP) Guidance, Security Assessment Report (SAR) Guidance, Documenting Evidence Procedures, 3PAO Vulnerability Scanning Methodology and Documentation, Review of SAR Tables, and Review of Penetration Testing Guidance.
All 3PAO training courses will be available on the updated FedRAMP training page as the new versions are released.
Please email info@fedramp.gov if you have any questions.
