The General Services Administration will begin accepting applications Jan. 9, 2012, for the first group of companies to be chosen as Third Party Assessment Organizations (3PAO) for the newly launched FedRAMP initiative, also known as the Federal Risk and Authorization Management Program.

Officials for GSA and the National Institute of Standards and Technology made the joint announcement during the “Industry Forum on FedRAMP and Third Party Assessment Organizations”, held December 16 at GSA headquarters in Washington, DC. The half-day session presented the most up-to-date guidance for industry representatives on the FedRAMP Third Party Assessment Organization (3PAO) application process.

FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services, GSA’s Kathy Conrad told the packed forum.

“This approach uses a ‘do once, use many times’ framework that will save cost, time, and staff required to conduct redundant agency security assessments.”

The 3PAOs are critical to FedRAMP’s success because they will be the independent assessors of whether a cloud service provider (CSP) has met the 297 agreed-upon FedRAMP security controls so that it can get an authority to operate (ATO). Getting an ATO is akin to having the “Good Housekeeping Seal” of approval, albeit on a much more demanding set of criteria. FedRAMP covers low and moderate impact systems and is mandatory for agencies with few exceptions.

In her opening comments, Conrad laid out the FedRAMP timetable, stressing that Jan. 20, 2012 is the final deadline to be included in the first group of companies to have the opportunity to be accredited by FedRAMP.

To ensure transparency, companies will be reviewed in the order in which their applications are received, and the results of whether a company has been chosen to be a 3PAO will be published on the FedRAMP website (www.fedramp.gov), most likely in March 2012. After January 20, 3PAO accreditations will be done as applications are received.

The timeline: (all end times 5 PM ET)

  • Dec. 8, 2011 – Fed CIO Steve VanRoekel launches FedRAMP program
  • Dec. 16, 2011 – Industry Day on 3PAO Application Process
  • Dec. 23, 2011 – Deadline for questions for first round of 3PAO applications
  • Jan. 6, 2012 – FedRAMP publishes responses to December 23 questions
  • Jan. 9, 2012 – First day for acceptance of FedRAMP applications for first round
  • Jan. 20, 2012 – Last day for acceptance of FedRAMP applications for first round
  • March, 2012 (estimated) – First group of 3PAOs announced on www.fedramp.gov

Conrad could not say exactly how long the application process would take, but estimated 30-45 days. She noted that the application and approval process is based on NIST methodology. An Expert Review Board (ERB) made up of GSA and NIST representatives will review the applications before sending them to the Joint Authorization Board (JAB), made up of CIOs and experts from the Departments of Defense and Homeland Security and from GSA, to grant the ATO.

Katie Lewin, Federal Cloud Computing Initiative Director at GSA, told the audience that “FedRAMP will improve the trustworthiness, reliability, consistency and quality of the federal security authorization process.”

Matt Goodrich, FedRAMP Program Manager, added that FedRAMP is “going for consistency and quality in the process. We want to be trustworthy and reusable and give near real-time assurance, so agencies know what to expect.”

Conrad, Lewin and Goodrich all stressed during an extensive question-and-answer session that FedRAMP is not a procurement tool; it is a security and risk assessment tool. Further, FedRAMP will not be creating any new standards; DHS, NIST and others will provide the appropriate standards and controls.

Sharing the podium with GSA were NIST’s Gordon Gillerman, Arnold Johnson and Lisa Carnahan, who provided details and answered questions on what the application process entails.

One big question was whether a company can be both a CSP and a 3PAO. Gillerman answered that companies cannot be 3PAOs and cloud service providers at the same time because independence, impartiality and integrity are crucial to the process. If a company wants to be a Type A 3PAO, it cannot do anything – including consulting and training – for the companies that hire it to do the FedRAMP assessment. A Type B 3PAO can provide consulting and training services.

But Gillerman warned on more than one occasion that anyone planning to be both a CSP and a 3PAO should be sure to focus on having “a very significant organizational firewall”, something “we are not going to take lightly.”

Conrad closed the session by saying that there is no limit to the number of companies that can be 3PAOs.

“We are not trying to make the process tough to limit participation; we want as many companies as possible and to make it as streamlined as possible. We have tried to make it as reasonable as possible while retaining the appropriate rigor.”