Becoming a 3PAO

Process chart showing five steps: 1. Review Application, 2. Gather Materials, 3. Submit Application, 4. Review by ERB, 5. Applicant Decision; leading to Accredited 3PAO for use by Agency and CSPs

FedRAMP uses a conformity assessment process to accredit 3PAOs. To become an accredited 3PAO under FedRAMP, 3PAOs have to submit application materials that demonstrate that they meet:

Demonstrated technical competence in the security assessment of cloud-based information systems; and
The requirements based on ISO/IEC 17020:1998 for organizations performing inspections.

CURRENT STATUS

FedRAMP has initiated the necessary steps to transition to a private sector accreditation body as described in the FedRAMP Third Party Assessment Organization (3PAO) Program Description v1.0 October 1, 2011. As such, effective March 25, 2013, FedRAMP stopped accepting new application packages from organizations applying to become accredited Third Party Assessment Organizations (3PAO). In addition, effective March 25, 2013, FedRAMP stopped accepting any resubmitted application packages from previous applicants in response to letters of non-conformity from the FedRAMP PMO. After the transition period, organizations interested in being accredited 3PAOs will apply through the selected accreditation body’s process.

More information about this update can be found at http://1.usa.gov/VAHwGl .

Questions can be sent to 3PAO@fedramp.gov.

FEDRAMP 3PAO REQUIREMENTS

Click Here to Review Requirements