The Federal Risk and Authorization Management Program (FedRAMP) is a federal program focused on providing a consistent process for evaluating the security of commercial cloud service providers (CSP) that seek to provide services to the federal government.
The FedRAMP process involves five primary entities but depending on the path a CSP takes to achieve an authorization to operate (ATO), the involvement in the process will vary: the CSP, the FedRAMP Program Management Office (PMO), federal agencies, the Joint Authorization Board (JAB), and a FedRAMP Third Party Assessment Organization, or FedRAMP 3PAO.
This blog will focus on FedRAMP 3PAOs and their role in the FedRAMP process. For additional information regarding FedRAMP, see the links at the bottom of this post.
What is a FedRAMP 3PAO?
A FedRAMP 3PAO is an independent firm that specializes in performing security assessments of commercial CSPs who are seeking to provide cloud services to the federal government. FedRAMP is a rigorous evaluation process for CSPs, but it is also a rigorous process to become a FedRAMP accredited 3PAO. FedRAMP 3PAOs must demonstrate that they have an operable quality management system (QMS) and comply with ISO/IEC 17020:2012, Conformity assessment — Requirements for the operation of various types of bodies performing inspection. The FedRAMP PMO also issues additional 3PAO requirements that are specific to the FedRAMP program and deal specifically with performing security assessments.
The American Association of Laboratory Accreditations (A2LA) executes the 3PAO accreditation process on behalf of the FedRAMP PMO. FedRAMP accredited 3PAOs undergo regular audits to ensure they maintain the high standards of both their QMS and technical proficiency as security assessors. A FedRAMP 3PAO list can be found on the FedRAMP Marketplace.
What is the Role of a FedRAMP 3PAO?
FedRAMP 3PAOs can function in one of two capacities: assessment or advisory. In their role as assessors, 3PAOs develop the Security Assessment Plan (SAP), perform the security assessment of the cloud service offering (CSO), and document the results of the assessment in the Security Assessment Report (SAR) and supporting documents. 3PAOs operating in an assessment capacity also perform the subsequent annual continuous monitoring assessments of the CSPs to provide assurance that the CSP’s control environment continues to operate effectively.
FedRAMP 3PAOs can also serve in an advisory capacity and assist CSPs in preparing for a FedRAMP assessment. The road to receiving a FedRAMP authorization is long and arduous and often filled with uncertainties. Having an advisory 3PAO is one way to gain clarity on the process. In order to maintain independence, an advisory 3PAO cannot perform assessment services for the CSP in which they performed advisory services. Read on to understand more regarding the benefits of an advisory 3PAO.
Can Non-3PAO Firms Perform FedRAMP Assessments?
Only firms that received a FedRAMP accreditation from the A2LA can perform FedRAMP security assessments of a CSP. The primary reason for this is to ensure consistency in the assessment process and maintain a high standard of quality in assessment methodology and associated artifacts. Assessment firms must meet high standards of quality and technical competence to become a FedRAMP accredited 3PAO.
What Are the Benefits of Using an Advisory 3PAO?
As mentioned previously, the road to obtaining a FedRAMP ATO is often long and arduous. Documentation is a huge hurdle for most firms as they do not have resources to dedicate to writing hundreds of pages (yes, hundreds of pages) of documentation.
The primary document is the System Security Plan which documents among other things how each control is implemented within the CSO. The information provided must be of sufficient detail for a 3PAO performing a security assessment to develop a test plan and execute detailed test procedures. If the SSP is not written to an acceptable level of specificity, then the assessment schedule could be significantly delayed until the documentation is sufficient to support testing. You can read more about the documentation requirements here and here.
Gap assessments are a key part of understanding just how heavy the lift will be for an organization to achieve a FedRAMP ATO. Advisory 3PAOs can perform a gap assessment against the control set to identify any shortfalls that may exist in the processes, documentation, or technology that are currently in place. As a note, a 3PAO performing the security assessment for an organization can also perform the pre-assessment, but they cannot act as management or help implement solutions.
Advisory 3PAOs, though, can also provide guidance regarding technical solutions and any potential architecture changes needed to support FedRAMP requirements as identified in the gap assessment. There may be multiple options when deciding how to implement a control, and an advisory 3PAO can help dial you in to the best option based upon specific nuances of your architecture and specific knowledge of risk tolerances of federal agencies they have worked with in the past.
Advisory 3PAOs also have experience working with the FedRAMP PMO either for support in advisory work or as an assessor. The FedRAMP PMO is more than willing to work with 3PAOs to answer questions and provide any clarification if needed. Assessment firms that are not a FedRAMP 3PAO can perform advisory services, but they lack the ability to get clarity, counsel, or direction from the FedRAMP PMO should the need arise as a CSP is preparing for a FedRAMP assessment.
Going through the FedRAMP process requires CSPs to dedicate significant time and resources to achieve the goal of receiving a FedRAMP ATO. Therefore, it is recommended to start the process as early as possible. Starting a year out is not unheard of and should provide sufficient time to develop the needed documentation as well as implement any needed architecture changes required to meet the FedRAMP controls.
While companies can go it alone during this time, it is recommended to employ the services of an advisory 3PAO. Advisory 3PAOs can leverage their knowledge of FedRAMP processes and experience in drafting documentation with the level of specificity required to meet the needs of an assessment 3PAO. They also have experience with various cloud architecture solutions that have been successful in achieving an ATO in the past. Yes, employing the services of an advisory 3PAO will require additional resources, but will, in the end, likely save the CSP time and money if they were to go it alone.
If you would like to know more about FedRAMP, please check out our other blog posts here:
- What is FedRAMP? 5 Considerations Before Taking the Leap
- FedRAMP vs. FISMA: What You Need to Know
- FedRAMP Authorizations — Which Path Should a CSP Take?
- FedRAMP Compliance: What is it? Requirements, Process, & More
- The FedRAMP SSP: Important Tips for a Successful Outcome
- An Expert Guide to a FedRAMP Readiness Assessment
- An Introduction to the Federal Risk and Authorization Management Program (FedRAMP)
Ray Dunham started his career as an Air Force Officer in 1996 in the field of Communications and Computer Systems. Following his time in the Air Force, Ray worked in the defense industry in areas of system architecture, system engineering, and primarily information security. Ray leads L&C’s FedRAMP practice but also supports SOC examinations and HITRUST assessments. Ray enjoys working with clients to secure their environments and provide guidance on information security principles and practices.