RFI – FedRAMP Third Party Assessment (3PAO) Accreditation Program -Program Requirements Updates

From: FedBizOps.gov

Solicitation Number: RFI-XB-13-001G

Agency: General Services Administration

Office: Office of Citizens Services and Communications (X), Office of Business Management (XB)

Location: Office of Business Management (XB)

Added: Feb 15, 2013 4:36 pm

This announcement is posted for data gathering and planning purposes only. It DOES NOT constitute a solicitation, and is not to be construed as a commitment by the Government to issue a solicitation or award a contract. The Government will not reimburse any respondent for any cost associated with information submitted in response to this RFI. The purpose of this notice is to allow the vendor community the opportunity to provide feedback, input, and changes to FedRAMP’s 3PAO Program Requirements.

The Federal Cloud Computing Initiative (FCCI), managed by GSA, developed FedRAMP as a unified, government-wide risk management program focused on securing cloud-based systems. FedRAMP established a set of security controls and templates that agencies must use in conducting security assessments of cloud-based products and services. The result is an Authority to Operate that agencies can leverage, thus avoiding the need to conduct an assessment for each agency. This “approve once, use often” approach saves much of the cost, time, and staff required to conduct individual Agency security assessments.

FedRAMP uses Third Party Assessment Organizations (3PAOs) to perform initial and periodic assessments of Cloud Service Providers (CSPs) to ensure CSP compliance with FedRAMP requirements. 3PAOs ensure that cloud computing services and systems offered by CSPs meet specified and standardized security requirements. FedRAMP provisional authorizations must include an assessment by an accredited 3PAO to ensure a consistent assessment process.

FedRAMP uses a conformity assessment process to qualify 3PAOs. To become an accredited 3PAO under the FedRAMP program, 3PAOs must submit an application that demonstrates compliance with requirements established under FedRAMP for security assessment of cloud-based information systems, as well as requirements based on ISO/IEC 17020:1998 for organizations performing inspections. The FedRAMP Expert Review Board (ERB), consisting only of government staff from both the National Institute of Standards and Technology (NIST) and GSA, evaluates applications.

As FedRAMP approaches Full Operational Capability (FOC), FedRAMP plans to privatize the 3PAO accreditation process. Under this approach, FedRAMP will contract with a privatized accreditation body in order to manage the 3PAO application process. With this impending change to the 3PAO application process, FedRAMP plans to update the 3PAO Application as well as the 3PAO Requirements documentation. The purpose of this RFI is to receive feedback, input, and changes to the 3PAO Application and Requirements for the betterment of FedRAMP.

ALL QUESTIONS REGARDING THIS RFI SHOULD BE SUBMITTED TO 3PAO@FedRAMP.gov NO LATER THAN 5:00PM EST FEBRUARY 26, 2013.

ALL RESPONSES ARE TO BE SUBMITTED BY 5:00PM EST MARCH 8, 2013 to 3PAO@FedRAMP.gov.

Attachment: RFI -3PAO Requirements
Type: Other (Draft RFPs/RFIs, Responses to Questions, etc.)
Label: RFI -3PAO Requirements
Posted Date: February 15, 2013
Description: 3PAO Requirements Changes
