CSPs: Here's How to Choose the Right FedRAMP 3PAO to Partner With

Elizabeth Lopez
Cloud Security Technical Writer

Elizabeth holds certifications in cybersecurity and technology, including credentials as a CompTIA Security+ professional, EC-Council Certified Ethical Hacker (CEH), and Splunk Certified User.

In her current role as a cloud security technical writer, Elizabeth collaborates with 38North advisors to develop documentation compliant with federal guidelines, best practices, and requirements, including FedRAMP, FISMA, and CMMC.

Elizabeth specializes in document management, version control, writing, and editing.


Choosing the right Third-Party Assessment Organization (3PAO) is critical for ensuring a thorough and reliable assessment of your information systems if you need to comply with standards like FedRAMP (Federal Risk and Authorization Management Program). (That is, after having an amazing partner like 38North Security help get you ready.)

Another way to think about it: finding the right 3PAO is like having an experienced trail guide to lead you along the complicated, winding path of FedRAMP authorization.

But how do you find a 3PAO to work with? What does a good 3PAO look like? What can you expect during assessment, besides them poking holes in your cloud services? Is your working relationship with them going to be adversarial?

Learn more: What to Expect When You’re Expecting a FedRAMP 3PAO Assessment

Let’s get into it.

So What Does a 3PAO Do?

A 3PAO is an independent, accredited organization that performs initial and periodic assessments of cloud services to evaluate their compliance with the FedRAMP security requirements.

When assessing federal risk, a 3PAO examines various aspects of an organization’s information systems and security practices. These include but are not limited to:

  1. Security controls implementation
  2. Risk management framework (RMF) compliance
  3. System security plan (SSP) review
  4. Incident response and recovery
  5. Continuous monitoring
  6. Access control
  7. Configuration management
  8. Data protection and encryption
  9. Vulnerability management
  10. Audit and accountability
  11. Personnel security
  12. Physical security


Here’s a list of tasks you can expect them to perform during a FedRAMP audit:

1. Pre-Assessment Activities

  • Planning and Scoping: A 3PAO defines the scope of the assessment and develops an assessment plan.
  • Documentation Review: They conduct an initial, high-level review of the organization’s documentation, including the SSP, policies, and procedures.

2. Security Assessments and Compliance Audits

  • Risk Assessments: A 3PAO provides an independent, objective assessment of an organization’s security controls, policies, and procedures. This helps ensure that the organization meets the required FedRAMP security standards. Comprehensive risk assessments also identify potential security risks and vulnerabilities within the organization’s information systems.
  • Control Assessments: Evaluate the effectiveness of security controls implemented to mitigate identified risks.
  • Formal Audits: Conduct formal compliance audits against FedRAMP security standards (also ISO 27001, SOC 2, etc. depending on the organization) to determine whether the organization meets all necessary compliance requirements.

3. Documentation and Reporting

  • Detailed Reporting: Provide detailed reports on their findings, including any vulnerabilities or deficiencies and recommendations for remediation.

4. Technical Testing

  • Penetration Testing: Perform penetration testing to identify and exploit potential vulnerabilities in the organization’s systems.
  • Vulnerability Scanning: Conduct regular vulnerability scans to detect and address security weaknesses.

Depending on whether a 3PAO also offers other services, such as consulting, they may also perform tasks like continuous monitoring, audit prep, and document development (such as System Security Plans (SSPs), security assessment reports, and Plans of Action and Milestones (POA&Ms)), and more.

Learn more: How Continuous Monitoring Supports FedRAMP Readiness

We Know What You’re Wondering: Is a 3PAO Out to Get Me?

The 3PAO assessment process is not inherently antagonistic. Understandably, though, it can feel that way, because it is designed to be thorough and rigorous. This is to ensure that your cloud service offering (CSO, i.e., your product) meets the stringent security standards required for a FedRAMP ATO. Here are some key points to understand about the nature of a FedRAMP audit:

  1. Objective and Independent: The 3PAO assessment is meant to be an objective, independent evaluation of a CSO’s compliance with FedRAMP security controls. The goal is to provide an unbiased assessment of your security posture.
  2. Collaborative Approach: While the assessment is rigorous, it is typically conducted in a collaborative manner. Cloud service providers (CSPs) and 3PAOs work together to identify areas of compliance and areas needing improvement. Open communication and cooperation are encouraged to address any findings and mitigate risks.
  3. Thorough and Detailed: The process involves a detailed review of the CSP’s security documentation, policies, procedures, and technical controls. It includes interviews, examinations of evidence, and testing of security measures. The thoroughness ensures that all compliance requirements are adequately addressed.
  4. Constructive Feedback: 3PAOs provide constructive feedback to CSPs, highlighting areas of non-compliance and offering recommendations for remediation. This feedback is intended to help CSPs enhance their security posture and achieve compliance with FedRAMP security requirements.
  5. Professional and Respectful: 3PAOs are expected to conduct their assessments professionally and respectfully. While the process is stringent, it should not be adversarial. The aim is to ensure that CSPs can secure federal data effectively.
  6. Continuous Improvement: The assessment process is part of a continuous improvement cycle. CSPs are expected to address any findings and implement corrective actions. Follow-up assessments may be conducted to ensure ongoing compliance and improvement.

Learn more: How to Prevent Findings for Common Cybersecurity Audit Evidence Hazards

In short, the 3PAO assessment process is designed to be rigorous but not antagonistic. It is a professional, collaborative process focused on ensuring that CSOs meet high security standards to protect federal information. CSPs can prepare for the assessment by thoroughly understanding FedRAMP requirements, maintaining clear documentation, and fostering open communication with the 3PAO.

Where Do I Find a 3PAO?

There are a few ways you can look for a list of 3PAOs that you can then choose from:

  • The FedRAMP Marketplace is a great place to start. It lists all the companies officially recognized as 3PAOs. Here is how you can navigate the FedRAMP Marketplace to find a 3PAO:
    1. Visit the FedRAMP Marketplace:
      • Go to the FedRAMP Marketplace.
    2. Navigate to the 3PAO Section:
      • On the FedRAMP Marketplace homepage, look for a link or section that mentions “3PAOs” or “Third-Party Assessment Organizations.” This section will provide a list of all accredited 3PAOs.
    3. Review the List of Accredited 3PAOs:
      • The list will include details about each 3PAO, such as their contact information, website, and accreditation status. Review this information to identify potential 3PAOs that fit your requirements.
    4. Contact the 3PAOs:
      • Reach out to the 3PAOs you are interested in to discuss your specific needs, obtain quotes, and understand their assessment processes.
  • Search Online: You can use search engines to look for 3PAOs. Keywords like “FedRAMP 3PAO list” or “accredited 3PAOs” will direct you to relevant information.
  • FedRAMP Website: The official FedRAMP website provides resources and guidance, including information about 3PAOs and the assessment process.
  • Networking and Recommendations: Contact industry professionals, attend relevant conferences, and join forums or groups related to FedRAMP and cloud security. Networking can provide insights and recommendations for reputable 3PAOs.

How Do I Choose the Best 3PAO?

Here are some key factors to consider when choosing a 3PAO:

Independence and Qualifications

Per FedRAMP requirements, 3PAOs must be fully independent from any CSP they assess. In other words, they can’t work directly for the CSP that is getting the assessment.

They can only operate as Type A (independent third-party) or Type C (internally affiliated but contracted) inspection bodies. The 3PAO’s personnel must meet rigorous qualification standards around cybersecurity expertise, training, certifications, and years of experience.

Track Record with FedRAMP

Look at the 3PAO’s past authorizations, particularly for cloud offerings similar in complexity to yours.

Do they have previous experience successfully guiding other CSPs through the FedRAMP process? How many have been authorized?

A 3PAO with deep FedRAMP security experience can help your authorization go more smoothly.

Comprehensive Methodology

3PAOs must demonstrate a consistent, high-quality methodology for conducting assessments in line with FedRAMP’s exacting standards.

Evaluate their processes for the readiness assessment, full security tests, creating deliverables like the risk assessment report (RAR) and security assessment report (SAR), remediating issues identified, and working with the FedRAMP program management office.

Availability and Bandwidth

The FedRAMP process is intensive, with very strict timelines. Choose a 3PAO that has the capacity and availability to dedicate sufficient, experienced staff to your assessment based on your system’s size and complexity. If the firm seems overextended, your authorization could face delays.

Costs and Pricing Structure

Hiring a 3PAO is typically the biggest vendor cost during the FedRAMP certification process. Get clear quotes from 3PAOs on their pricing and understand what it covers – the readiness assessment, gap analysis, security tests, audit support and reports, etc. Predict the total cost as accurately as possible.

Learn more: Understanding FedRAMP Certification Cost: A Breakdown of Expenses and Tips to Reduce Them

Maintaining FedRAMP Standards

It’s critical the 3PAO continuously meets all of FedRAMP’s obligations around processes, personnel qualifications, independence, and quality. A 3PAO that fails to uphold FedRAMP standards can have its recognition status suspended or revoked, derailing your authorization.

In extreme cases, CSPs can have their FedRAMP authorization revoked if their 3PAO’s recognition status is revoked.

Steps to Choosing the Right 3PAO

  1. Define Your Requirements: Clearly outline your assessment needs, including the specific standards, scope, and objectives.
  2. Research and Shortlist: Conduct thorough research to identify potential 3PAOs. Shortlist those that meet your initial criteria.
  3. Request Proposals: Contact the shortlisted 3PAOs and request detailed proposals.
  4. Evaluate Proposals: Evaluate the proposals based on the factors mentioned above.
  5. Interview and Verify: Interview the top candidates and verify their credentials, experience, and references.
  6. Make a Decision: Choose the 3PAO that best meets your needs and provides the best overall value.

Choosing the right 3PAO is one of the most important decisions in a CSP’s FedRAMP pursuit. Thoroughly vetting 3PAOs on their qualifications, methodologies, bandwidth, and pricing will put your authorization on track, while selecting an underqualified firm can lead to major delays or failures.

When you really dig into it and do some diligent evaluation, you can find the third-party assessment organization (3PAO) that’s best equipped to give your cloud system a comprehensive security assessment and effectively demonstrate its robust security posture.

Selecting the right 3PAO is a crucial decision that shouldn’t be taken lightly. Be sure to thoroughly evaluate each potential 3PAO’s qualifications, experience, and methodology to ensure they can provide an accurate and comprehensive assessment tailored to your specific needs.

Here at 38North Security, we can help you feel confident taking this next step in your FedRAMP authorization journey by having our cloud and compliance experts evaluate your system, identify any gaps, or just answer questions. Give us a call!
