FedRAMP: Third Party Assessment Organizations (3PAOs)

From: GSA

As part of the FedRAMP process, cloud service providers (CSPs) must use a FedRAMP-approved third-party assessor to independently validate and verify that they meet the FedRAMP requirements.

In coordination with NIST, FedRAMP implemented a conformity assessment process to qualify 3PAOs. This conformity assessment process qualifies 3PAOs according to two requirements:

  • Independence and quality management in accordance with ISO standards
  • Technical competence through FISMA knowledge testing

Third Party Assessment Organizations (3PAOs) perform initial and periodic assessments of CSP systems per FedRAMP requirements, provide evidence of compliance, and play an ongoing role in ensuring CSPs meet requirements. FedRAMP provisional authorizations must include an assessment by an accredited 3PAO to ensure a consistent assessment process.

Please attend the Industry Day on December 16, 2011 for additional information on the Program and the 3PAO application process. Please register for the event by COB Wednesday December 14, 2011 via the following URL: http://bit.ly/FedRAMP3PAOIndustryDay

3PAO Application Materials

FedRAMP will use a conformity assessment process to accredit 3PAOs. To become an accredited 3PAO under FedRAMP, an applicant must submit application materials that demonstrate:

  1. Technical competence in the security assessment of cloud-based information systems; and
  2. Conformance with the requirements, based on ISO/IEC 17020:1998, for organizations performing inspections.

FedRAMP intends to publish the initial list of FedRAMP accredited 3PAOs in 2QFY12 or soon thereafter. This list will be updated on an on-going basis as applications are processed.

DUE DATE: Applications for the initial list of FedRAMP 3PAOs must be received by 5:00pm January 20, 2012.  Please see FedBizOpps Sources Sought Notice QTALY001 for detailed information on the application requirements. 

QUESTIONS: Please attend the Industry Day on December 16, 2011 for additional information on FedRAMP and the 3PAO application process. Register for the event here:

http://bit.ly/FedRAMP3PAOIndustryDay

In addition, questions can be sent to 3PAO@fedramp.gov. The first round of 3PAO questions are due by Friday, December 23rd (5pm EST).

3PAO Application Process

Process chart showing five steps: 1. Review Application, 2. Gather Materials, 3. Submit Application, 4. Review by ERB, 5. Applicant Decision; leading to Accredited 3PAO for use by Agency and CSPs

1. Review Application

Potential 3PAO reviews application materials found at gsa.gov/FedRAMP

2. Gather Materials

Potential 3PAO completes application and gathers artifacts

3. Submit Application

Potential 3PAO submits the application to the FedRAMP office to demonstrate technical competence and conformance with the ISO/IEC 17020-based requirements

4. Review by ERB

The Expert Review Board (ERB), composed of cybersecurity experts from NIST and GSA together with independent ISO experts, reviews the application

5. Applicant Decision

FedRAMP Director reviews ERB recommendation and provides 3PAO an acceptance decision

Result: Accredited 3PAO for Use by Agency & CSPs

CONTACTS

General Inquiries

 

Press Inquiries
(202) 501-1231

FedRAMP Industry Day

DATE:   December 16, 2011

TIME:    9:00 a.m. – 12:00 p.m.

LOCATION: GSA, 1275 First Street NE, Washington, DC (New York Avenue Metro Station)

PURPOSE: To educate Industry representatives on the Federal Risk and Authorization Management Program (FedRAMP) and FedRAMP Third Party Assessment Organization (3PAO) application process.

REGISTRATION: Pre-registration is required for this event as space is limited and there is a security check at the door.  Please register for the event by COB Wednesday December 14, 2011 via the following URL: http://bit.ly/FedRAMP3PAOIndustryDay

AGENDA: FedRAMP Industry Day Agenda

Cloud Service Providers

CSPs, both commercial and government, will be able to apply directly for FedRAMP authorizations. In the coming weeks GSA will publish a concept of operations and guidance for CSPs to follow in order to meet the FedRAMP requirements.

FedRAMP will review authorizations (both from CSPs and agencies) in accordance with a priority queue the FedRAMP Joint Authorization Board will make public.

General FedRAMP FAQ

What is FedRAMP?

Why is FedRAMP needed?

Is FedRAMP mandatory?

What are the goals of FedRAMP?

What are benefits of FedRAMP for the Federal government and taxpayer?

How will FedRAMP help make cloud computing more secure for the Federal government?

When did the FedRAMP policy take effect? 

Who is part of FedRAMP and what are their roles? 

When will FedRAMP launch services?

What restrictions are there on the use of the FedRAMP name and logo?

How does the FedRAMP assessment process work?

Is FedRAMP a new set of controls or are there new controls?

How will cloud services be prioritized for FedRAMP review?

What is FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a “do once, use many times” framework that saves cost, time, and staff required to conduct redundant agency security assessments.

Why is FedRAMP needed?

Currently, each agency manages its own security risks and provides security assessments and authorizations for each information technology (IT) system it uses, even if other agencies have assessed, authorized, and deployed the same system. This is duplicative, inconsistent, costly, and inefficient. The existing security assessment and authorization approach used throughout the Federal government lacks focus on visibility of real-time persistent threats and mitigation actions. In accordance with OMB policy, the Office of Citizen Services and Innovative Technology (OCSIT), within the General Services Administration (GSA), is standing up and managing FedRAMP, to provide a unified and government-wide risk management framework that addresses these problems. FedRAMP increases agency confidence in the security of cloud systems in three major areas:

  • Providing joint security assessments and authorizations based on a standardized baseline set of security controls,
  • Using approved Third Party Assessment Organizations to consistently evaluate a Cloud Service Provider’s ability to meet the security controls, and
  • Coordinating continuous monitoring services.

Is FedRAMP mandatory?

Yes. FedRAMP is mandatory for Federal Agency cloud deployments and service models at the low and moderate risk impact levels. Private cloud deployments intended for single organizations and implemented fully within Federal facilities are the only exception. Additionally, each year Executive departments and agencies must submit to the Federal CIO a listing of all existing cloud services that do not meet FedRAMP requirements with the appropriate rationale and proposed resolutions. Once FedRAMP is operational, Federal Agencies have 2 years to ensure that currently implemented cloud services or those services in an active acquisition process meet FedRAMP requirements.

What are the goals of FedRAMP?

The goals of FedRAMP are to:

  • Accelerate the adoption of secure cloud solutions through reuse of assessments and authorizations
  • Increase confidence in security of cloud solutions
  • Achieve consistent security authorizations using a baseline set of agreed upon standards and accredited independent third party assessment organizations
  • Ensure consistent application of existing security practices
  • Increase confidence in security assessments
  • Increase automation and near real-time data for continuous monitoring

What are the benefits of FedRAMP for the Federal government and taxpayer?

  • Increases re-use of existing security assessments across agencies
  • Saves significant cost, time and resources – “do once, use many times”
  • Improves real-time security visibility
  • Supports risk-based security management
  • Provides transparency between government and cloud service providers (CSPs)
  • Improves trustworthiness, reliability, consistency, and quality of the federal security authorization process.

How will FedRAMP help make cloud computing more secure for the Federal government?

The FedRAMP requirements include additional enhancements and controls above the standard baseline controls in NIST Special Publication 800-53 Revision 3 for low and moderate systems. These additional controls address the unique elements of cloud computing in order to ensure all Federal data is secure in cloud environments.

When did the FedRAMP policy take effect? 

The Office of Management and Budget (OMB) signed the FedRAMP policy into effect on December 8, 2011.

Who is part of FedRAMP and what are their roles?

Department of Homeland Security (DHS) – exercises primary responsibility within the executive branch for the operational aspects of Federal agency cybersecurity with respect to the Federal information systems that fall within the Federal Information Security Management Act of 2002 (FISMA). Within FedRAMP, DHS manages continuous monitoring, including creating the criteria for data feeds, developing the reporting structure, and coordinating threat notifications and incident response.

Joint Authorization Board (JAB) – Chief Information Officers from the Department of Homeland Security (DHS), the Department of Defense (DOD), and the General Services Administration (GSA) form the JAB. The JAB will:

  • Approve and update the FedRAMP security authorization requirements
  • Determine the prioritization of review of cloud systems
  • Approve the requirements for third party assessment organizations (3PAOs)
  • Grant provisional authorizations for cloud services

Program Management Office (PMO) – The Office of Citizen Services and Innovative Technology (OCSIT), within the General Services Administration (GSA), houses the FedRAMP PMO. The PMO creates the process by which Executive departments, agencies, and cloud service providers adhere to FedRAMP requirements. Additionally, the PMO works with the JAB and CSPs to coordinate the assessment and authorization of cloud systems. In doing this work the PMO provides:

  • Standard templates for security assessments that help Executive departments and agencies satisfy FedRAMP requirements
  • Program communication and outreach
  • Contract language templates and sample service level agreements for use in cloud service acquisitions
  • Standardized agreements to govern information exchange between Executive departments and agencies and the FedRAMP PMO
  • A secure repository for Agencies to access and leverage FedRAMP provisional authorizations

Agencies use the FedRAMP PMO process and the JAB-approved FedRAMP security authorization requirements as a baseline when initiating, reviewing, granting, and revoking security authorizations for cloud services. An agency leverages the JAB provisional authorization to grant a cloud service provider a security authorization and an accompanying authority to operate (ATO) within their Agency. If agencies have security requirements beyond those addressed by the FedRAMP baseline controls, they should assess only that delta in order to issue the ATO. 

Third Party Assessment Organizations (3PAOs) perform initial and ongoing independent verification and validation of the security controls deployed within the Cloud Service Provider’s information system. The 3PAOs generate the security assessment packages reviewed by the JAB. The 3PAOs must submit an application to the FedRAMP PMO to be approved to conduct security assessments under FedRAMP. Agencies and CSPs are required to use approved 3PAOs.

Cloud Service Providers (CSPs) have primary responsibility for implementing the security controls within their products and services needed to meet the security requirements outlined in FedRAMP.

When will FedRAMP launch services?

Currently, the General Services Administration (GSA), the Office of Management and Budget (OMB), and partner agencies expect FedRAMP to achieve Initial Operational Capability (IOC) by 3Q FY12.

What restrictions are there on the use of the FedRAMP name and logo?

The use of the FedRAMP name and logo follows the standard used for a service mark. Its use is not allowed unless approved by the FedRAMP PMO. Requests can be sent to questions@FedRAMP.gov. The FedRAMP PMO will provide detailed branding guidance at the conclusion of the Launch Phase.

How does the FedRAMP assessment process work?

The FedRAMP process works in four areas: applying, assessing, authorizing, and leveraging:

Applying: The FedRAMP assessment process begins with an Executive department or agency or a Cloud Service Provider (CSP) submitting initiation forms with scope and boundary information for the cloud service to the FedRAMP PMO. The FedRAMP PMO evaluates the submission and makes recommendations for improving security controls and implementations.

Assessing: Next, the CSP must hire a Third Party Assessment Organization (3PAO) to perform an independent assessment. The 3PAO audits the cloud system, documents compliance with FedRAMP controls, and produces and submits a security assessment package to the FedRAMP PMO. The FedRAMP PMO reviews the submission and either recommends the package to the JAB for provisional authorization or returns it to the 3PAO for additional clarification.

Authorizing: After receiving a recommendation from the PMO, the JAB reviews the security assessment package based on a prioritized approach and determines whether or not to grant provisional authorization. If the JAB grants a provisional authorization, the FedRAMP PMO notifies the CSP and updates the information repository with the information on the CSP’s system.

Leveraging: Once a CSP is listed in the FedRAMP repository, the CSP works with Executive departments and agencies to review the provisional authorization and security assessment package, and the Executive department or agency determines whether to grant an Authority to Operate (ATO) based on the provisional authorization, security controls, and security assessment package. The submission of real-time data feeds and incident notifications by the CSP to the consuming agency helps achieve continuous monitoring and ongoing security control.

Is FedRAMP a new set of controls or are there new controls?

There are no “new” controls for FedRAMP. The FedRAMP security controls are based on NIST SP 800-53 R3 controls for low and moderate impact systems and contain controls and enhancements above the NIST baseline for low and moderate impact systems that address the unique elements of cloud computing.

How will cloud services be prioritized for FedRAMP review?

The JAB has defined the priority queue as: 

“FedRAMP will prioritize the review of cloud systems with the objective to assess and authorize cloud systems that can be leveraged government-wide. 

In order to accomplish this, FedRAMP will prioritize Secure Infrastructure as a Service (IaaS) solutions, contract vehicles for commodity services, and shared services in alignment with the Administration’s ‘Cloud First’ policy as discussed in the ‘25 Point Implementation Plan to Reform Federal Information Technology Management’. 

When reviewing cloud systems according to this priority, there are two distinct categories of cloud systems: (1) cloud systems with existing Federal agency authority-to-operates (ATOs) and (2) cloud systems without an existing Federal agency ATO. FedRAMP will initially place higher priority with cloud services that have existing ATOs in order to develop lessons learned to provide for rapid maturation of FedRAMP. As FedRAMP matures, FedRAMP will review cloud systems equally from both categories as resources allow.”
