The Federal Risk and Authorization Management Program is tweaking the requirements for independent auditors that want to assess cloud providers for government use.
Earlier this week, FedRAMP released a number of new draft requirements for third-party assessment organizations, more commonly known as 3PAOs.
Up until this point, organizations looking to gain 3PAO status went through the American Association for Laboratory Accreditation. Those interested parties are required to submit security assessment plans for software-as-a-service cloud models, which details the tests given, how reports on those tests are compiled and who is responsible conducting the test.
This week, FedRAMP released a draft copy of new rules that add some granularity to that process. Organizations looking to apply for 3PAO status must have three “resources” on an assessment, file a number of reports and accountability documents before giving test results to cloud service providers, and ask that the cloud service provider assess its work after a test is complete.
FedRAMP Director Matt Goodrich said this would be the first change to the 3PAO requirements since the program was created.
“We just wanted to make sure that we are going to provide the right level of requirements,” Goodrich said. “I think a regular update every three years is probably a relatively good cadence.”
Goodrich said the draft requirements also would instate new training guidelines that 3PAOs must complete for accreditation.
“If you look at what 3PAOs were delivering for traditional FISMA audits versus what we require at FedRAMP, and what agencies were accepting for FISMA versus what we’ll accept, the level of detail is raised,” Goodrich said. “We wanted to make sure for all of our 3PAOs, they had the appropriate staff structure to support that level of detail, but we wanted to make it clear that some of the things they needed to do before they delivered.”
There are currently about 40 accredited 3PAOs, with FedRAMP adding 10 new organizations in the past year, according to Goodrich.
FedRAMP has opened the draft rules for comment until Aug. 20. Interested parties can weigh in on FedRAMP’s website.