The federal office charged with promoting the sharing of security credentials for government cloud computing systems, known as FedRAMP, has released the first list of accredited Third Party Assessment Organizations (3PAO) approved for testing security controls.

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

This approach represents the federal government’s attempt to implement a “do once, use many times” framework for security certifications.

The firms that have been given 3PAO approval thus far are:

  • COACT, Inc.
  • Department of Transportation (DOT) Enterprise Service Center (ESC)
  • Dynamics Research Corporation (DRC)
  • J.D. Biggs and Associates, Inc.
  • Knowledge Consulting Group, Inc.
  • Logyx LLC
  • Lunarline, Inc.
  • SRA International, Inc.
  • Veris Group LLC

The purpose of engaging 3PAO firm is to perform an independent security assessment of an agencies or its cloud service provider’s developed system.

According to the FedRAMPs provisions:

“In order to satisfy the FedRAMP annual security assessment requirement, CSPs can continue to use the 3PAO that they used for the initial assessment, or can alternatively select a different 3PAO for the annual security assessment.The decision regarding which 3PAO to use is entirely up to, and is initiated by agencies or cloud service provider (CSPs), according to information posted on the FedRAMP information site, hosted and supported by the General Services Administration.”

The FedRAMP program management office notes that it does not make introductions between the CSPs and 3PAOs and does not endorse any one 3PAO over another. It is up to the CSP to manage and facilitate their own relationship with the 3PAO.

More details are available at: The FedRAMP security assessment process is initiated by agencies or cloud service provider (CSPs)