Skip to main content

3PAO Requirements

What are the FedRAMP Requirements for 3PAOs?

To become a FedRAMP Independent Third Party Assessment Organization (3PAO), organizations must undergo a rigorous conformity assessment process before being accredited by FedRAMP.  This conformity assessment process qualifies 3PAOs according to the following requirements:

  • Independence and quality management in accordance with ISO/IEC 17020: 1998 standards
  • Information assurance competence that includes experience with FISMA and testing security controls
  • Competence in the security assessment of cloud-based information systems

Third Party Assessment Organizations (3PAO) perform initial and periodic assessment of Cloud Service Provider (CSP) systems per FedRAMP requirements, provide evidence of compliance, and play an on-going role in ensuring CSPs meet requirements.  Once engaged with a CSP, 3PAOs develop Security Assessment Plans, perform testing of cloud security controls, and develop Security Assessment Reports. FedRAMP provisional authorizations must include an assessment by an accredited 3PAO to ensure a consistent assessment process.

FedRAMP Information System Security Officers and the Joint Authorization Board extensively review documentation and findings submitted by FedRAMP 3PAOs for adherence to FedRAMP quality and acceptability criteria.  FedRAMP 3PAOs found not meeting the program's requirements or submitting substandard work may have their accreditation removed.  Stakeholders concerned with a particular 3PAO's activities, may file a Letter of Concern with the FedRAMP PMO.  Please contact the FedRAMP PMO at info@fedramp.gov for information on how to proceed.  All Letters of Concern are thoroughly investigated and reviewed.

For more detail on 3PAO responsibilities, please refer to the FedRAMP Policy Memo, Concept of Operations, and details described here.

 

FEDRAMP 3PAO REQUIREMENTS

Click Here to Review Requirements