The General Services Administration released a request for information to privatize the Federal Risk and Authorization Management Program’s Third Party Assessment Organization.
As FedRAMP approaches full operational capability, GSA plans to contract with a privatized accreditation body in order to manage the 3PAO process.
According to FedBizOpps, the RFI seeks feedback, input and changes to the 3PAO process “for the betterment of FedRAMP.”
Vendors who want to provide cloud services to the government must first submit documents detailing how they meet FedRAMP’s 168 security controls to these third-party assessment organizations. The 3PAOs do initial assessments, test the controls and provide evidence of compliance.
The 3PAOs then review applications and submit recommendations to the Joint Authorization Board, which is made up of the chief information officers from GSA and the departments of Defense and Homeland Security.