Shows & Panels
- AFCEA Answers
- Ask the CIO
- The Big Data Dilemma
- Carrying On with Continuity of Operations
- Connected Government
- Constituent Servicing
- Continuous Monitoring: Tools and Techniques for Trustworthy Government IT
- The Cyber Imperative
- Cyber Solutions for 2013 and Beyond
- The Data Privacy Imperative: Safeguarding Sensitive Data
- Expert Voices
- Federal Executive Forum
- Federal IT Challenge
- Federal Tech Talk
- Mission-critical Apps in the Cloud
- The Modern Federal Threat Landscape
- The Path from Legacy Systems
- The Real Deal on Digital Government
- The Reality of Continuous Monitoring... Is Your Agency Secure?
- Veterans in Private Sector: Making the Transition
Shows & Panels
FedRAMP names organizations to review vendors' cloud cybersecurity
Wednesday - 5/16/2012, 5:22am EDT
The third-party assessment organization (3PAO) will validate and attest to the quality and compliance of the cloud service provider's security package, according to the FedRAMP Concept of Operations issued in February.
The 3PAOs are:
- COACT, Inc.
- Department of Transportation's Enterprise Service Center
- Dynamics Research Corporation
- J.D. Biggs and Associates, Inc.
- Knowledge Consulting Group, Inc.
- Logyx LLC
- Lunarline, Inc.
- SRA International Inc.
- Veris Group, LLC
The 3PAOs will have a harder time offering cloud services to the government. GSA issued conflict of interest rules in December.
Dave McClure, associate administrator, Citizen Services and Innovative Technologies, GSA
All vendors who want to provide cloud services to the government must first submit documents detailing how they meet FedRAMP's 168 security controls to these third-party assessment organizations.
The 3PAOs will review the documents and submit their recommendation to the Joint Authorization Board (JAB), which is made up of the chief information officers from GSA and the departments of Defense and Homeland Security. After reviewing the 3PAO analysis, the JAB decides whether to grant the company an initial authority to operate. The final authority to operate must come from the agency, which is buying the cloud services.
"Under FedRAMP, cloud service provider authorization packages must include an assessment by an accredited 3PAO to ensure a consistent assessment process," said FedRAMP's 3PAO program description document. "Accredited 3PAOs perform initial and periodic assessment of CSP systems per FedRAMP requirements, provide evidence of compliance and play an on-going role in ensuring that CSPs meet requirements."
Along with the list of vendors, GSA issued advice on how to select a third-party assessment organization (3PAOs).
"The decision regarding which 3PAO to use is entirely up to the CSP," GSA wrote on its website. "FedRAMP does not make introductions between the CSPs and 3PAOs and does not endorse any one 3PAO over another. It is up to the CSP to manage and facilitate their own relationship with the 3PAO."