3PAO Requirements Update
The Federal Risk and Authorization Management Program (FedRAMP) Third Party Assessment Organization (3PAO) Accreditation Program has been operational for approximately four years, accrediting more than 40 3PAOs during this time.
FedRAMP works with the American Association for Laboratory Accreditation (A2LA) to accredit and maintain the status of these assessment organizations. The A2LA 3PAO assessment process involves an in-depth evaluation of the technical competence of a 3PAO, and an independent verification and validation of 3PAO compliance with the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 17020:2012 general requirements and FedRAMP specific requirements.
FedRAMP works with A2LA to regularly review the A2LA 3PAO requirements for training expectations, quality management standards, and reporting commitments. Through this continuous collaboration, FedRAMP had recognized the need to strengthen the 3PAO accreditation requirements to provide for greater 3PAO oversight to ensure that a FedRAMP Accredited 3PAO provides the highest quality, most technically accurate assessments for the Cloud Service Providers (CSPs) who participate in the FedRAMP Program.
The updated R311 -Specific Requirements: FedRAMP includes new and strengthened requirements that will help improve the quality of 3PAO assessment documentation; and ensure relevant, rigorous 3PAO assessment team training; to ensure maintenance and vigilant oversight of FedRAMP accredited organization.
Specifically, the primary focus areas for the updated requirements include:
Must analyze and identify discrepancies within notional System Security Plans (SSPs) to determine 3PAO knowledge and understanding of the FedRAMP Security Assessment Framework (SAF) with the expectation that FedRAMP SAF competency is highly regarded
3PAO Personnel Requirements for Assessment Teams
Must have a minimum of three resources that include a senior representative, penetration tester, and quality management representative
3PAO Assessment Team Training Requirements
Must include mandatory FedRAMP Project Management Organization (PMO) subject matter training
Must include topics on Federal Information Security Management Act (FISMA), FedRAMP, and cyber security in cloud technologies
Must include training records that specify the organization that provided training and the relevance to the aforementioned knowledge areas
Must include the training records with the annual review documentation
3PAO Renewal and Surveillance Application
Will now include examples of the mandatory After-Action Reports for each engagement
Will now include a list of all Security Assessment Reports (SARs) that have been rejected by the Joint Authorization Board (JAB)
Must be proficient with the primary 3PAO quality management system in order to ensure compliance with ISO/IEC 17020:2012
Cloud Service Providers (CSPs)
Can proactively provide FedRAMP feedback at any point (before, during or after) the assessment process regarding 3PAO performance