FedRAMP Updates 3PAO Requirements

November 6, 2018

Third Party Assessment Organizations (3PAOs) play a critical role within the Federal Risk and Authorization Management Program (FedRAMP). Their independent assessments serve as the basis on which the federal government makes authorization decisions regarding Cloud Service Offerings (CSOs). Ensuring 3PAO competency is essential to the program.

FedRAMP, in partnership with the American Association for Laboratory Accreditation (A2LA), updated the “R311 – Specific Requirements: FedRAMP,” which includes new and strengthened qualifications for existing and new 3PAOs.

The key updates are as follows:

  • Incorporation of the R346 – Specific Requirements: Baltimore Cyber Range (BCR) Cybersecurity Technical Proficiency Activity Information, which requires all 3PAO assessors to take a hands-on proficiency exercise, conducted by the Baltimore Cyber Range (BCR), at initial accreditation and annually thereafter
  • Accreditation to ISO/IEC 17020, under the A2LA Cybersecurity Inspection Body Program, for a period of one year as evidence of implementation of a 3PAO’s quality management system
  • Forty hours of Continuing Professional Education (CPE) or equivalent for each 3PAO assessment team member
  • Regular FedRAMP PMO touch-points with 3PAOs and CSPs for feedback on deliverables and customer experience
  • Guidance for non-U.S.-based 3PAO personnel and/or OCONUS operations

The PMO will host a webinar on Wednesday, November 14 at 2 p.m., which will cover the primary updates in more depth and provide an opportunity to answer 3PAOs' questions around the new requirements. Register for the webinar.