The Federal Risk and Authorization Management Program (FedRAMP) Program Management Office recently released a revised version of its Obligations and Compliance Standards document for third-party assessment organizations (3PAOs) – the organizations that conduct independent security assessments and enable authorizations of cloud service offerings for use by the federal government. The revised document further defines the performance and compliance expectations for 3PAOs and incorporates changes stemming from the FedRAMP Authorization Act, which was enacted as part of the Fiscal Year 2023 National Defense Authorization Act and codified FedRAMP in statute. The revisions reflect recent trends in cyber and supply chain security, focusing on identifying potential foreign influence over assessors and enhancing transparency with respect to the activities 3PAOs conduct.
3PAOs are accredited by the American Association for Laboratory Accreditation (A2LA). The accreditation process verifies that a 3PAO satisfies the quality, independence, and knowledge requirements needed to perform the independent assessments FedRAMP requires before a cloud service offering can be authorized. Once accredited, a 3PAO must comply with the Obligations and Compliance Standards in order to maintain its accreditation, which includes receiving a favorable annual review and undergoing a full on-site reassessment by A2LA every two years. The existing compliance standards for a 3PAO include being independent from any cloud service provider it assesses, performing assessments that meet a high standard of independence, quality, accuracy, integrity, and timeliness, and demonstrating knowledge of the Federal Information Security Management Act (FISMA) and FedRAMP-specific requirements when conducting assessments.
One change to the Obligations and Compliance Standards stems directly from the FedRAMP Authorization Act, which prescribes a reporting requirement for 3PAOs regarding foreign interests. A 3PAO performing independent assessments for FedRAMP must annually submit information relating to any foreign interest in, foreign influence over, or foreign control of the 3PAO, and must report any change in foreign ownership or control within 48 hours of the change. Each submission must include a certification from the 3PAO as to the accuracy and completeness of the information provided.
The Obligations and Compliance Standards also incorporate new personnel requirements prescribed in A2LA publication R311, Specific Requirements: Federal Risk and Authorization Management Program (FedRAMP). These cover years of experience, training, certification qualifications, and technical proficiency activities for assessment personnel. If a 3PAO submits deliverables prepared by personnel who do not meet these requirements, the deliverables will be deemed invalid and rejected, and will need to be redone by qualified personnel.
A further updated requirement obligates a 3PAO to notify all relevant stakeholders when its performance becomes subject to review by the FedRAMP Program Management Office. If the Program Management Office determines that a 3PAO's performance does not meet the quality and performance the federal government expects, it has the authority and responsibility to require the 3PAO to complete corrective actions. If the 3PAO has significant performance deficiencies or fails to complete the agreed-upon corrective actions, the Program Management Office may revoke the 3PAO's status as an accredited FedRAMP assessor.
The changes to the requirements and expectations for 3PAOs under FedRAMP further demonstrate a push by the federal government to strengthen its cybersecurity programs and the assessments that underpin them. They arrive as the Department of Defense (DoD) rolls out its Cybersecurity Maturity Model Certification (CMMC) program, which will require third-party cybersecurity assessments of certain DoD contractor and subcontractor information systems that handle sensitive government information – the CMMC program imposes similarly rigorous requirements on its assessors. The revised FedRAMP assessor requirements complement those contemplated under CMMC and may help facilitate reciprocity between the two programs, a concept DoD has discussed but not yet confirmed. We will continue to monitor and report on updates to FedRAMP and the CMMC program as they occur.