The General Services Administration named nine organizations, including one federal agency, to provide third-party assessments of cloud services under the Federal Risk and Authorization Management Program (FedRAMP).
The third-party assessment organization (3PAO) will validate and attest to the quality and compliance of the cloud service provider’s security package, according to the FedRAMP Concept of Operations issued in February.
Department of Transportation’s Enterprise Service Center
Dynamics Research Corporation
J.D. Biggs and Associates, Inc.
Knowledge Consulting Group, Inc.
SRA International Inc.
Veris Group, LLC
The 3PAOs will have a harder time offering cloud services to the government. GSA issued conflict of interest rules in December. “It will be a very strong test that we have to see a clear firewall between those capabilities,” said Dave McClure, GSA’s associate administrator in the Office of Citizen Services and Innovative Technologies, in an interview with Federal News Radio in December. “The key is we are relying on a specific ISO standard that is a clearer bar an organization must conform to, to demonstrate that separation in functionality. It’s not just an arbitrary, ‘Tell us how you are doing it.'”
All vendors who want to provide cloud services to the government must first submit documents detailing how they meet FedRAMP’s 168 security controls to these third-party assessment organizations.
The 3PAOs will review the documents and submit their recommendation to the Joint Authorization Board (JAB), which is made up of the chief information officers from GSA and the departments of Defense and Homeland Security. After reviewing the 3PAO analysis, the JAB decides whether to grant the company an initial authority to operate. The final authority to operate must come from the agency, which is buying the cloud services.
“Under FedRAMP, cloud service provider authorization packages must include an assessment by an accredited 3PAO to ensure a consistent assessment process,” said FedRAMP’s 3PAO program description document. “Accredited 3PAOs perform initial and periodic assessment of CSP systems per FedRAMP requirements, provide evidence of compliance and play an on-going role in ensuring that CSPs meet requirements.”
Along with the list of vendors, GSA issued advice on how to select a third-party assessment organization (3PAOs).
“The decision regarding which 3PAO to use is entirely up to the CSP,” GSA wrote on its website. “FedRAMP does not make introductions between the CSPs and 3PAOs and does not endorse any one 3PAO over another. It is up to the CSP to manage and facilitate their own relationship with the 3PAO.”