FedRAMP 3PAO Checklist
You already know why it is important to receive a FedRAMP certification, but what is needed in order to achieve an ATO (Authority to Operate)? A FedRAMP-accredited 3PAO (Third-Party Assessment Organization) plays a critical role in the FedRAMP certification process. A 3PAO’s job during the FedRAMP process is to assess the cloud provider’s system and ensure that it meets the security standards and requirements outlined by the FedRAMP PMO. While there are many accredited FedRAMP 3PAOs out there, it is important to remember that not all 3PAOs are equal. Having the right 3PAO helps ensure that you’re successfully meeting the security standards and that your experience obtaining FedRAMP authorization is as painless as possible. When choosing your 3PAO, here are a few questions you can ask and considerations to make to ensure your organization has the best 3PAO for your unique requirements.
1. Does the 3PAO have experience advising and prepping organizations for an assessment?
3PAOs can sit on the other side of the fence as advisors and project managers for well-heeled CSPs in need of specialized help, or they can be assessment representatives for the agency and FedRAMP, but not both for the same system. Quality 3PAOs don’t just do assessment work. The best 3PAOs are also contracted as advisors to companies that need assistance preparing for the technical rigor of a FedRAMP assessment. Even if you don’t need advisory services, you’ve found the right 3PAO if their depth of knowledge about system design and FedRAMP requirements makes them arguably more valuable as security engineering partners than as auditors.
2. Has the 3PAO worked with the sponsoring agency before?
Very few CSPs fail to get accreditation for FedRAMP after they’ve obtained their sponsor agency’s ATO. If a 3PAO has past performance assessing for a particular agency, then they will have familiarity with the PMO and be ready to comply with any bespoke processes & procedures the agency requires during an assessment. This will help ensure timelines and budgets are met.
3. Do you have a dedicated assessment team, and who are they?
A "bait and switch" approach is common in the FedRAMP 3PAO market. Interviews often showcase assessors with a vast amount of experience to close a deal, but often the more junior assessors are assigned the work because it increases the 3PAO profit margins. Don’t fall into this trap. Have the prospective 3PAO provide resumes for the PM and assessors that are assigned to your project. Don’t go with a 3PAO that has “floating resources” because odds are that you’ll have inexperienced and inefficient assessors moved to your account as soon as the real work starts.
4. Does the 3PAO offer modular assessment services, or is it an “all in” quote?
The key to an efficient, cost-effective FedRAMP certification is to adapt to any issues in stride. If a 3PAO only quotes you for a full assessment on a tightly constrained period of performance, then you risk spending a ton of money on an assessment that could very well fail on its first findings if you can’t adapt and remediate in time. 3PAOs that care about the success of the evaluation will allow a CSP to purchase a gap assessment before the observation, technical analysis, and pen testing take place. The 3PAO can flag any critical findings from a cursory documentation review and through stakeholder interviews, then allow the CSP to remediate before going through the entire assessment exercise.
5. How many assessments has the 3PAO accomplished?
Experience breeds efficiency. Nobody wants their system to be the first one a 3PAO evaluates. You can look up the number of assessments a 3PAO has done on the FedRAMP website but be careful. The firms at the top of the list got there by initially underpricing the market to bolster their experience. Now they are looking to make up that lost revenue by charging higher prices for all their current work. Even though the end goal is the same, assessments can vary wildly in price and quality, so take your time interviewing candidates and gather multiple quotes. The 3PAO that doesn’t have as much experience, but is willing to spend the time with you pre-sale because the business means something to them, is typically the best bet.
6. Is the 3PAO experienced in IT systems management & engineering instead of just auditing?
FedRAMP is one of the most technically focused, prescriptive security accreditations available. Therefore, it’s helpful for a 3PAO to staff experienced assessors with a support team of well-rounded IT engineering and systems management professionals to provide technical context and bridge the understanding gap between the CSP IT team and the 3PAO.
MindPoint Group: A cybersecurity partner you can trust
At MindPoint Group, we pride ourselves on exceeding our customers’ expectations. We are not just auditors — we’re cloud security professionals who understand the challenges of bringing innovative technologies to the Federal Government. Unlike a typical FedRAMP firm, we’re able to set you up for long-term success. Our specialization in cybersecurity and our experience directly in the field allow us to leverage our knowledge to help you accelerate FedRAMP certification. Learn more about our FedRAMP 3PAO services.