Shows & Panels
- Accelerate and Streamline for Better Customer Service
- Ask the CIO
- The Big Data Dilemma
- Carrying On with Continuity of Operations
- Client Virtualization Solutions
- Data Protection in a Virtual World
- Expert Voices
- Federal Executive Forum
- Federal IT Challenge
- Federal Tech Talk
- Feds in the Cloud
- Health IT: A Policy Change Agent
- Improving Healthcare Outcomes through IT Policy
- IT Innovation in the New Era of Government
- Making Dollars And Sense Out of Data Center Consolidation
- Navigating the Private Cloud
- One Step to the Cloud, Two Steps Toward Innovation
- Path to FDCCI Compliance
- Take Command of Your Mobility Initiative
Shows & Panels
FedRAMP names organizations to review vendors' cloud cybersecurity
Wednesday - 5/16/2012, 5:22am EDT
The third-party assessment organization (3PAO) will validate and attest to the quality and compliance of the cloud service provider's security package, according to the FedRAMP Concept of Operations issued in February.
The 3PAOs are:
- COACT, Inc.
- Department of Transportation's Enterprise Service Center
- Dynamics Research Corporation
- J.D. Biggs and Associates, Inc.
- Knowledge Consulting Group, Inc.
- Logyx LLC
- Lunarline, Inc.
- SRA International Inc.
- Veris Group, LLC
The 3PAOs will have a harder time offering cloud services to the government. GSA issued conflict of interest rules in December.
Dave McClure, associate administrator, Citizen Services and Innovative Technologies, GSA
All vendors who want to provide cloud services to the government must first submit documents detailing how they meet FedRAMP's 168 security controls to these third-party assessment organizations.
The 3PAOs will review the documents and submit their recommendation to the Joint Authorization Board (JAB), which is made up of the chief information officers from GSA and the departments of Defense and Homeland Security. After reviewing the 3PAO analysis, the JAB decides whether to grant the company an initial authority to operate. The final authority to operate must come from the agency, which is buying the cloud services.
"Under FedRAMP, cloud service provider authorization packages must include an assessment by an accredited 3PAO to ensure a consistent assessment process," said FedRAMP's 3PAO program description document. "Accredited 3PAOs perform initial and periodic assessment of CSP systems per FedRAMP requirements, provide evidence of compliance and play an on-going role in ensuring that CSPs meet requirements."
Along with the list of vendors, GSA issued advice on how to select a third-party assessment organization (3PAOs).
"The decision regarding which 3PAO to use is entirely up to the CSP," GSA wrote on its website. "FedRAMP does not make introductions between the CSPs and 3PAOs and does not endorse any one 3PAO over another. It is up to the CSP to manage and facilitate their own relationship with the 3PAO."