A2LA Updates the R311
The American Association for Laboratory Accreditation (A2LA) recently released an updated version of the A2LA R311 — Specific Requirements: Federal Risk and Authorization Management Program (FedRAMP). This policy document specifies the requirements for all FedRAMP-recognized third-party assessment organizations (3PAOs) and organizations seeking FedRAMP recognition.
The key updates to the R311 include:
- Adding further certification options for the penetration tester role
- Shifting the A2LA F337 and F338 feedback forms from a PDF to digital format to allow for easier completion by cloud providers and 3PAOs
- Requiring 3PAOs to report any foreign ownership, control, or influence (FOCI) operations, using the FedRAMP 3PAO FOCI Declaration Form, as part of initial and subsequent renewal applications
- Clarifying that if a 3PAO is revoked twice by FedRAMP, the 3PAO is no longer eligible to be recognized by FedRAMP