For any CSPs reading this, you are probably wondering: “How do I select the right 3PAO?” That’s where KCG comes in – and we should know because we were selected by FedRAMP as a 3PAO.
CSPs need to select a 3PAO that is authorized to perform high-quality security assessments and will provide FedRAMP with an accurate analysis of the CSP's security risk. Select a 3PAO that has these qualifications:
- Expertise in Preparing for and Conducting a Security Assessment
There's a strong relationship between the expertise needed to ready a CSP for an assessment and the expertise needed to conduct the assessment itself. FedRAMP will change how many federal agencies view a CSP's security authorization package, in particular the level of detail expected in the System Security Plan and in the security assessment results. Failing to meet the JAB's expectations at any of the FedRAMP review and decision points increases the cost and time required to achieve a provisional authorization. Identify a 3PAO that has a methodology for developing readiness-assessment materials; this brings FedRAMP's expectations, and the assessor's skeptical eye, into the readiness review before the formal assessment begins.
- In-Depth Knowledge of FedRAMP Standards and Compliance Requirements
There are security controls that agencies and CSPs must implement within a cloud computing environment to satisfy FedRAMP security requirements. A good 3PAO will be able to assess all aspects of a CSP's security program and trace each finding back to the corresponding control in NIST SP 800-53 Rev 3 and, more importantly, to every element of the corresponding assessment procedure in NIST SP 800-53A Rev 1.
- Involvement in Setting Industry Standards
The standards for assessments aren't created in a vacuum. A 3PAO Special Interest Group helps drive the direction 3PAOs take in assessment execution generally, and in how penetration testing is performed as part of an assessment. A good 3PAO will be actively involved in this special interest group.
Ultimately, a CSP will need to select a 3PAO with in-depth experience implementing the policies, processes and technologies needed to achieve and maintain a strong security posture. For more information about FedRAMP and how KCG can help your organization, click here.