The FISMA Focus IPD

The Federal Risk and Authorization Management Program (FedRAMP) is a unified government-wide risk management program focused on security for cloud-based systems. FedRAMP provides a standard approach for conducting security assessments of cloud systems based on an accepted set of security controls and consistent processes. Per OMB policy, agencies acquiring cloud services are required to use FedRAMP.

Cloud service providers (CSPs) that go through FedRAMP must use Third Party Assessment Organizations (3PAOs) to provide an independent verification and validation (IV&V) of the security implementations required by FedRAMP. FedRAMP provisional authorizations must include an assessment by a FedRAMP accredited 3PAO to ensure a consistent assessment process.

FedRAMP uses a conformity assessment process to accredit 3PAOs. Conformity assessment is a “demonstration that specified requirements relating to a product, process, system, person or body are fulfilled.” (Source: ISO/IEC 17000). Conformity assessment is built on a set of internationally recognized standards that help ensure that the program consistently supports the appropriate level of rigor and independence required.

Currently, a government review board is responsible for reviewing the 3PAO applications and providing a recommendation to the FedRAMP Director for a conformity attestation. Similar to other conformity assessment programs, FedRAMP plans to privatize this review process. Under this approach, FedRAMP will approve privatized accreditation bodies to manage the 3PAO application process.

To become a FedRAMP 3PAO Accreditation Body, organizations will have to submit applications that demonstrate that they meet requirements laid out by the FedRAMP PMO. Please refer to the attachment “AB Application_Final.docx” to this announcement for the list of requirements as well as the application to become a FedRAMP 3PAO Accreditation Body.

The accreditation organization(s) that are determined to be the best qualified will be notified that they have been selected as the FedRAMP Approved 3PAO Accreditation Body. All other accreditation organizations will be notified that their requests for FedRAMP Approved 3PAO Accreditation Body status have been denied Applications to become a FedRAMP 3PAO Accreditation Body will be accepted through 5:00pm EST May 15, 2013.  FedRAMP PMO will start accepting applications beginning April 15, 2013 at 3PAO@FedRAMP.gov.

All questions and clarifications must be submitted to 3PAO@FedRAMP.gov by 5:00pm EST April 29, 2013. The FedRAMP PMO will publish answers to these questions by 5:00pm EST May 3, 2013.