FedRAMP Updates 3PAO Standards for Cloud Service Provider Assessments
The Project Management Office (PMO) for the Federal Risk and Authorization Management Program (FedRAMP) has issued an updated version of FedRAMP's 3PAO Obligations and Performance Standards (3PAO Standards), which sets forth performance standards and compliance obligations for third-party assessment organizations (3PAOs). FedRAMP 3PAOs are independent organizations responsible for assessing cloud service providers' (CSPs) compliance with FedRAMP security requirements. The updated 3PAO Standards were developed in collaboration with the American Association for Laboratory Accreditation (A2LA) and were made publicly available on April 6, 2023. Key updates include requirements to comply with certain provisions of the FedRAMP Authorization Act and new standards and qualification requirements for 3PAO assessment personnel.
Background on FedRAMP and 3PAOs
FedRAMP is a federal government program intended to facilitate and standardize adoption of secure cloud computing services by federal agencies. The program was established in 2011 by an Office of Management and Budget policy memorandum and has been governed by a Joint Authorization Board (JAB) consisting of the chief information officers of the Department of Defense, Department of Homeland Security, and the General Services Administration (GSA). The FedRAMP PMO, which is part of the GSA, is responsible for program development and operations. As we discussed in a recent blog post, Congress recently codified FedRAMP by enacting the FedRAMP Authorization Act. Among other things, the FedRAMP Authorization Act will restructure the program's governance.
FedRAMP 3PAOs are responsible for conducting independent assessments of CSP compliance with FedRAMP's security requirements. Those assessments are used by the FedRAMP JAB and federal agencies in determining whether to issue the CSP a FedRAMP authorization to provide cloud services to the federal government.[1]
Overview of Notable Updates and Revisions
Notable updates to 3PAO Standards include:
- New training standards that 3PAOs must develop and implement for their personnel. For example, 3PAOs must maintain a training program that contains content which, at a minimum, incorporates the policies, procedures and standards associated with FedRAMP, cloud computing, cybersecurity, and the Federal Information Security Modernization Act (FISMA).[2]
- Revised standards for 3PAO personnel, including required minimum years of experience, certifications, and technical proficiencies. For example, 3PAOs are required to have a "senior assessor" on staff. For 3PAO employees to hold the title of "senior assessor," they must have at least five years of auditing and/or assessment experience, maintain the Certified Information Systems Security Professional (CISSP) certification, and hold at least one other industry certification.[3] Per the 3PAO Standards, "assessment deliverables containing work performed, prepared, or submitted by 3PAO personnel who do not meet the requirements for their role…will be determined to be invalid, will be rejected, and will need to be redone by personnel who meet the required qualifications."[4]
- New requirement that all 3PAOs comply with the provisions of the FedRAMP Authorization Act, including Section 3612, which establishes a new reporting requirement for any foreign involvement or interests in a 3PAO. Under Section 3612(a), 3PAOs "shall annually submit…information relating to any foreign interest, foreign influence, or foreign control of the independent assessment service."[5] Under Section 3612(b), 3PAOs must notify GSA within 48 hours of a "change in foreign ownership or control."[6]
- New requirement that notice be provided to the 3PAO, all relevant cloud service providers, and the authorizing federal agency when the 3PAO's performance is under review by the FedRAMP PMO.
- Conditions and prerequisites for gaining re-entry into the FedRAMP 3PAO program in the event a 3PAO's recognition is revoked. After revocation, a 3PAO will be required to re-enter the qualification process and comply with A2LA standards for at least one year before seeking recognition again as a FedRAMP 3PAO.
DWT's Information Security team regularly advises clients operating in the cloud computing space on navigating FedRAMP and other security requirements related to cloud computing. We will continue to monitor changes to FedRAMP, including changes made to implement the FedRAMP Authorization Act, and how those changes may affect our cloud computing clients.
[1] FedRAMP 3PAO Obligations and Performance Standards Document at 1, https://demo.fedramp.gov/assets/resources/documents/3PAO_Obligations_and_Performance_Guide.pdf.
[3] Id. The list of relevant industry certifications can be found in Section 6.1.1.F.2 of the A2LA R311 – “Specific Requirements: Federal Risk and Authorization Management Program” document.
[4] FedRAMP 3PAO Obligations and Performance Standards Document at 4.
[5] FY23 National Defense Authorization Act, Sec. 5921, page 1055. https://www.congress.gov/bill/117th-congress/house-bill/8956/text.
[6] Id.