When it comes to the federal cloud, things are moving quickly. It wasn’t so long ago that an agency needing cloud services would approach a Cloud Service Provider (CSP) and contract for services.  The agency was responsible for paying for assessment that would ensure the CSP met all applicable federal security standards.  Under this model, CSPs would have to be certified by each agency wishing to engage them for cloud services.

Flash forward to today.  FedRAMP has changed the rules.  Now, CSPs are required to hire a Third Party Assessment Organization (3PAO) to conduct an assessment that the 3PAO will provide to FedRAMP’s Joint Authorization Board (JAB) assuring the JAB that the CSP should receive provisional Authority to Operate.  Once a CSP is approved, then they have the green light to sell to the government.

For any CSPs reading this, you are probably wondering:  “How do I select the right 3PAO?”  That’s where KCG comes in – and we should know because we were selected by FedRAMP as a 3PAO. 

CSPs need to select a 3PAO that is authorized to perform high quality security assessments and will provide FedRAMP with an accurate security risk analysis.  Select a 3PAO that has these qualifications:

  • Expertise in Preparing for and Conducting a Security Assessment

There’s a strong relationship between the expertise needed to ready a CSP for an assessment and conducting the assessment.  FedRAMP will change how many federal agencies view the CPS’s security authorization packages, in particular related to the level of detail incorporated into System Security Plans and security assessment results.  Failing to meet the JAB’s expectations at each of the FedRAMP review and decision points increases the cost and time associated with achieving the provisional authorization.  Identify a 3PAO with exposure to a methodology used to develop readiness assessment materials – this helps to incorporate FedRAMP’s expectations into the readiness review and the auditor’s skeptical eye. 

  • In-Depth Knowledge of FedRAMP Standards and Compliance Requirements

There are security controls that agencies and CSPs must implement within a cloud computing environment to satisfy FedRAMP security requirements.  A good 3PAO will be able to assess and cover all aspects of a CSP’s security program, and then trace back to each control in NIST SP 800-53 Rev 3, and more importantly, to all aspects of each of the assessment procedures in NIST SP 800-53A Rev 1.

  • Involvement in Setting Industry Standards

The standards for assessments aren’t created in a vacuum.  Instead, a 3PAO Special Interest Group exists, which helps to drive the direction that 3PAOs take with regard to assessment execution, in general, and how penetration testing is performed as part of the assessment.  A good 3PAO will be actively involved in this special interest group which sets these standards.  

Ultimately, a CSP will need to select a 3PAO with in-depth experience implementing the right policies, processes and technologies to achieve an active security posture. For more information about FedRAMP and how KCG can help your organization, click here.