
Third-party assessment organizations, or “3PAOs,” play a crucial role in compliance with the Federal Risk and Authorization Management Program, more commonly known as FedRAMP.
3PAOs assess the cloud service offerings (CSOs) of cloud service providers (CSPs) to help those CSPs satisfy FedRAMP compliance requirements. Moreover, the 3PAOs’ input allows U.S. federal government agencies to make informed, risk-based decisions regarding the authorization and use of CSOs.
This article answers several important questions about 3PAOs. Among them:
- How do 3PAOs contribute to the FedRAMP authorization process?
- What are their responsibilities and obligations?
- What are the requirements for 3PAO accreditation?
Let’s get started.
What Is a FedRAMP 3PAO?
As stated by FedRAMP, a FedRAMP 3PAO is “a trusted third party that provides independent assessments with integrity.” This independent organization is authorized to help CSPs and federal agencies meet the requirements for FedRAMP compliance. It assesses CSP systems and identifies their risks, per FedRAMP requirements.
The 3PAO must be accredited through the FedRAMP 3PAO program to support a JAB P-ATO (Joint Authorization Board Provisional Authorization to Operate). 3PAOs must demonstrate independence and the technical competence to test and document a CSP’s security implementations. Authorized and accredited 3PAO assessors are listed on the FedRAMP Marketplace.
Federal agencies can use non-3PAO Independent Assessors (IA) for FedRAMP security authorizations and guide their Authorization to Operate (ATO) decisions, but the agencies must attest in writing that the IA is independent and competent. Using an approved 3PAO eliminates the need to provide such attestations.
A CSP that applies for FedRAMP JAB P-ATO instead of agency ATO must contract with an accredited 3PAO to perform testing of the cloud service offering. The 3PAO will independently verify the CSP’s security implementations and validate the provider’s security assessment package before giving recommendations to JAB or the agency.
3PAO: Accreditation Requirements
FedRAMP and the U.S. General Services Administration (GSA) list these criteria for 3PAO qualification:
- The organization must meet the International Organization for Standardization (ISO/IEC) 17020 standards for independence and managerial competence.
- It must have technical competence in Federal Information Security Management Act (FISMA) and FedRAMP-specific requirements.
- It must demonstrate expertise in assessing cloud-based solutions.
The FedRAMP 3PAO accreditation process is based on a conformity assessment. It allows an organization to demonstrate that it meets the requirements defined in ISO/IEC 17020 for a product, process, or system.
The American Association of Laboratory Accreditors (A2LA) performs the assessment to accredit 3PAOs, based on the accreditation requirements on www.fedramp.gov. A2LA provides an assessment report to FedRAMP documenting the 3PAO’s technical competence and experience in inspecting CSP systems.
The report also states whether the 3PAO has a documented and fully operational quality management system (QMS) and whether the organization operates according to this QMS.
During the accreditation review, the A2LA coordinates with the FedRAMP Program Management Office (PMO), the only authority able to fully accredit FedRAMP 3PAOs. The PMO also coordinates with the National Institute of Standards and Technology (NIST) to implement a formal conformity assessment to accredit 3PAOs.
3PAO Roles and Responsibilities
A 3PAO evaluates a CSO from a security and risk perspective. It verifies the vendor’s security implementations, compares them with the controls specified in FedRAMP, and confirms whether the implementations satisfy the control requirements.
The 3PAO also reviews the artifacts (documents) of a CSP’s security authorization package in accordance with FedRAMP requirements. Finally, the assessor considers the overall risk posture of the vendor’s cloud environment, to guide the security authorization decision of a federal agency or the FedRAMP JAB.
The 3PAO plays a role at various stages of the CSP assessment and authorization process:
- Readiness assessment. The assessor prepares the readiness assessment report (RAR) and submits it to the FedRAMP PMO.
- Full security assessment. The 3PAO performs an in-depth review of the CSP’s system security plan (SSP) for FedRAMP compliance and creates a security assessment plan (SAP) and security assessment report (SAR) with matching test cases. It also works with the CSP to develop a plan of action and milestones (POAM).
- Authorization process. The assessor highlights risks in a CSO, performs any required retests, and updates all security documentation based on comments from JAB reviewers.
3PAO Obligations
All 3PAOs and their assessments must adhere to FedRAMP requirements for quality, accuracy, integrity, and timeliness. They must also maintain accreditation by demonstrating that they operate in accordance with ISO/IEC 17020 and FedRAMP requirements.
The 3PAO must be independent of the CSP it is assessing, so that the assessor can submit an opinion about the CSP’s security posture without influence from the CSP.
Finally, every 3PAO must develop an employee training program with content incorporating FISMA, FedRAMP, cloud computing, and cybersecurity.
Important Documents Created by a 3PAO
When performing a security assessment of a CSO, a 3PAO creates numerous documents. These are explained below.
Readiness Assessment Report (RAR)
During the CSP assessment and authorization process, 3PAOs produce a RAR. They may also provide a complete security authorization package consisting of an SAP and SAR. (We will explain the SAP and SAR in more detail below.)
The RAR is part of the first phase of the CSP assessment. During this phase, the 3PAO completes the readiness assessment, prepares the RAR, and submits it to the FedRAMP PMO. The assessor also supports the FedRAMP PMO during the RAR review.
Security Assessment Plan (SAP)
The 3PAO creates an SAP during the full security assessment of the CSP. For this, the assessor uses a FedRAMP SAP template available on www.fedramp.gov.
In this phase, the assessor ensures that all documentation within the SSP matches the security control implementations and supports the FedRAMP PMO’s completeness checks.
The SAP identifies the various assets within the scope of the assessment, including:
- Hardware
- Software
- Physical facilities
It also provides a methodology and rules of engagement to execute the security tests when assessing a CSO for FedRAMP compliance. The baseline test cases are available on www.fedramp.gov.
The 3PAO can also create alternative test cases for any alternative control implementations described in the SSP. These are meant to test the effectiveness of the CSP’s controls and to identify the risks that may arise from the way these controls are implemented.
During testing, the CSP creates a plan to coordinate the 3PAO’s site visits and personnel interviews. The CSP will also define a schedule of when scans will be performed on the system.
Security Assessment Report (SAR)
After testing the CSP’s security controls, the 3PAO analyzes the risks in the provider’s cloud environment and presents the results in a security assessment report (SAR). This document contains information about the vulnerabilities, threats, and risks discovered during testing.
The SAR also contains guidance to help CSPs mitigate these security weaknesses. The report is first delivered to the CSP and then to the Authorizing Official’s security team. This team will analyze the SAR to determine the CSO’s risk posture.
In general, a 3PAO’s SAR contains these artifacts:
- Security assessment test case workbook
- Risk exposure table
- Penetration test report
- Vulnerability scan data files
- Test artifacts
As with the SAP, the 3PAO uses a FedRAMP template for the SAR, available on www.fedramp.gov.
Per FedRAMP rules, all these documents must be based on the most recent standard templates. They must also:
- Be complete on the first submission.
- Meet the quality standards published in the FedRAMP General Document Acceptance Criteria guidance.
- Be delivered per the schedule agreed to between the CSP, agency, and 3PAO.
- Ensure testing of the CSO in accordance with ISO/IEC 17020.
Choosing a 3PAO: Checklist for Cloud Service Providers
Cloud computing offers numerous advantages to federal agencies. That said, agencies should also be aware of cloud storage and third-party risks and manage them through a third-party risk management program. To minimize risks and reduce their vulnerability to cyberattacks, agencies must be cautious about choosing the right CSP for their needs.
CSPs must also be careful about choosing a 3PAO as they pursue FedRAMP certification. To make the right choice, they must ask crucial questions like:
- How many FedRAMP security assessments has the 3PAO previously completed?
- Has the 3PAO worked with this federal agency (the agency the CSP wants to sell its CSO to) before?
- Is the 3PAO familiar with the agency’s assessment processes and procedures?
- Is its assessment team experienced with both auditing and IT systems management and engineering?
- Does the 3PAO perform a gap assessment before technical analysis and penetration testing of the CSP’s cloud environment?
A 3PAO that meets all these criteria can be hugely beneficial for a CSP.
An experienced 3PAO can significantly ease the burden of preparing the SSP and POAM. It can perform a gap assessment to identify existing shortfalls in the CSP’s processes, documentation, or technology. Finally, it can provide guidance regarding the architecture changes required for the CSP to meet FedRAMP compliance requirements.
Simplify FedRAMP Compliance with ZenComply
The road to achieving and maintaining FedRAMP compliance is often arduous for CSPs. ZenComply helps cloud vendors simplify FedRAMP compliance through its integrated and automated system of record.
ZenComply makes it easy to manage compliance and risk and stay on top of regulatory changes. There’s no need to run multiple programs for continuous compliance monitoring, audit management, and program visibility because ZenComply does it all.