The U.S. General Services Administration (GSA) will stop accepting new and re-submitted applications from organizations applying to become Third Party Assessment Organizations (3PAOs) for the Federal Risk and Authorization Management Program (FedRAMP) on March 25.
Organizations that cannot meet the cutoff date or are denied can apply for accreditation to the private sector body after the transition period, GSA said.
Last month, GSA released a request for information to privatize the 3PAO process.
FedRAMP is initiating the necessary steps to transition to a private entity as described in the FedRAMP 3PAO program description released in October 2011.
Vendors who want to provide cloud services to the government must first submit documents detailing how they meet FedRAMP’s 168 security controls to these third-party assessment organizations. The 3PAOs perform initial assessments, test the controls and provide evidence of compliance.
The 3PAOs then review applications and submit recommendations to the Joint Authorization Board, which is made up of the chief information officers from GSA and the departments of Defense and Homeland Security.