Shows & Panels
- The 2014 Big Picture on Cyber Security
- AFCEA Answers
- Ask the CIO
- Building the Hybrid Cloud
- Connected Government: How to Build and Procure Network Services for the Future
- Continuing Diagnostics and Mitigation: Discussion of Progress and Next Steps
- Federal Executive Forum
- Federal Tech Talk
- The Intersection: Where Technology Meets Transformation
- Maximizing ROI Through Data Center Consolidation
- Moving to the Cloud. What's the best approach for me
- Navigating Tough Choices in Government Cloud Computing
- The New Generation of Database
- Satellite Communications: Acquiring SATCOM in Tight Times
- Targeting Advanced Threats: Proven Methods from Detection through Remediation
- Transformative Technology: Desktop Virtualization in Government
- The Truth About IT Opex and Software Defined Networking
- Value of Health IT
Shows & Panels
FedRAMP names organizations to review vendors' cloud cybersecurity
Wednesday - 5/16/2012, 5:22am EDT
The third-party assessment organization (3PAO) will validate and attest to the quality and compliance of the cloud service provider's security package, according to the FedRAMP Concept of Operations issued in February.
The 3PAOs are:
- COACT, Inc.
- Department of Transportation's Enterprise Service Center
- Dynamics Research Corporation
- J.D. Biggs and Associates, Inc.
- Knowledge Consulting Group, Inc.
- Logyx LLC
- Lunarline, Inc.
- SRA International Inc.
- Veris Group, LLC
The 3PAOs will have a harder time offering cloud services to the government. GSA issued conflict of interest rules in December.
Dave McClure, associate administrator, Citizen Services and Innovative Technologies, GSA
All vendors who want to provide cloud services to the government must first submit documents detailing how they meet FedRAMP's 168 security controls to these third-party assessment organizations.
The 3PAOs will review the documents and submit their recommendation to the Joint Authorization Board (JAB), which is made up of the chief information officers from GSA and the departments of Defense and Homeland Security. After reviewing the 3PAO analysis, the JAB decides whether to grant the company an initial authority to operate. The final authority to operate must come from the agency, which is buying the cloud services.
"Under FedRAMP, cloud service provider authorization packages must include an assessment by an accredited 3PAO to ensure a consistent assessment process," said FedRAMP's 3PAO program description document. "Accredited 3PAOs perform initial and periodic assessment of CSP systems per FedRAMP requirements, provide evidence of compliance and play an on-going role in ensuring that CSPs meet requirements."
Along with the list of vendors, GSA issued advice on how to select a third-party assessment organization (3PAOs).
"The decision regarding which 3PAO to use is entirely up to the CSP," GSA wrote on its website. "FedRAMP does not make introductions between the CSPs and 3PAOs and does not endorse any one 3PAO over another. It is up to the CSP to manage and facilitate their own relationship with the 3PAO."