FedRAMP PMO Releases First Set of 3PAOs

Late today the FedRAMP Program Management Office released the first list of certified Third Party Assessment Organizations (3PAOs). These companies are accredited to perform initial and periodic assessment of cloud service provider (CSP) systems per FedRAMP requirements, provide evidence of compliance, and play an on-going role in ensuring CSPs meet requirements.  FedRAMP provisional authorizations must include an assessment by an accredited 3PAO to ensure a consistent assessment process. he initial set of 3PAOs announced today are (see http://www.gsa.gov/portal/content/131991):

Organization	POC Name	POC Email
COACT, Inc.	Brian Pleffner	bpleffner@coact.com
Department of Transportation (DOT) Enterprise Service Center (ESC)	Douglas Holland	doug.holland@faa.gov
Dynamics Research Corporation (DRC)	Preston Gale	pgale@drc.com
J.D. Biggs and Associates, Inc.	James Biggs	james@jdbiggs.com
Knowledge Consulting Group, Inc.	Sherrie Nutzman	sherrie.nutzman@knowledgecg.com
Logyx LLC	Robert Dumais	rdumais@logyx.com
Lunarline, Inc.	Waylon Krush	waylon.krush@lunarline.com
SRA International, Inc.	William Bell	will_bell@sra.com
Veris Group, LLC	Douglas Greise	dgreise@verisgroup.com

In becoming a 3PAO, these companies successfully completed a NIST coordinated conformity assessment process. This conformity assessment process qualifies 3PAOs according to two requirements:

• Independence and quality management in accordance with ISO standards
• Technical competence through FISMA knowledge testing

( Thank you. If you enjoyed this article, get free updates by email or RSS - KLJ )

FedRAMP Releases Updated Security Assessment Plan Templates

Last week the GSA FedRAMP Program Office released the latest version of the cloud computing Security Assessment Plan (SAR) template.  This document is the most recent step toward the Federal governments goal of establishing FedRAMP initial operating Capability by June 2012.

The Federal Risk Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for Cloud Service Providers (CSP). Testing security controls is an integral part of the FedRAMP security authorization requirements and enables Federal Agencies to use the findings that result from the tests to make risk-based decisions. Providing a plan for security control ensures that the process runs smoothly. This document has been designed for CSP Third-Party Independent Assessors (3PAOs) to use for planning security testing of CSPs. Once filled out, this document constitutes a plan for testing. Actual findings from the tests are to be recorded in FedRAMP security test procedure workbooks and a Security Assessment Report (SAR).

This release also includes templates for:

• Information Technology Contingency Plan 
• Control Implementation Summary (CIS)
• eAuthentication
• Plan of Action and Milestones (POA&M)
• Rules of Behavior
• Privacy Threshold Analysis and Privacy Impact Assessment
• Security Assessment Plan; and
• FedRAMP System Security Plan

( Thank you. If you enjoyed this article, get free updates by email or RSS - KLJ )