
What to Look for in a FedRAMP 3PAO Partner

07/29/2015  |  By: Sese Bennett, CISSP, CISM, QSA, ITIL, HITRUST CSF, Senior Manager, Information Security


Social Logo Social Logo Social Logo Social Logo

Selecting a FedRAMP 3PAO is a major decision: you will rely heavily on this partner to guide you through a very detailed process that leaves little room for misinterpretation. The right FedRAMP 3PAO will ensure smooth sailing through the lengthy certification process.

NIST Experience is a Must

Are you FedRAMP certified? Do you have 3PAO certification? The 3PAO you partner with should answer “yes” to both questions. What about their size?

Within the 3PAO market, there are small 8(a) companies as well as huge government consulting firms. However, the size of the firm isn’t what you should focus on. What really matters here is expertise on two fronts. First, ensure that they have a long track record in the FISMA arena; since FedRAMP has a FISMA foundation, that experience helps facilitate a seamless process. Second, look for a firm that understands both the commercial and federal spaces. Those firms recognize that you serve two masters: running a profitable business and achieving compliance. This outlook will allow them to make recommendations that help your company achieve an optimal balance between compliance and security processes that are scalable and cost-effective.

When vetting providers, choose those with substantial experience with the National Institute of Standards and Technology (NIST) SP 800-53 Revision 4 catalog of controls.

Since NIST is the foundational component for FedRAMP and FISMA, a 3PAO with a solid NIST background will have a better grasp of the intricacies of the FedRAMP controls. They will also possess a foundational framework that includes a deep understanding of the process and the compulsory security controls, ensuring that your certification audit runs more smoothly and efficiently.

Cloud Services Knowledge

Obviously, cloud service knowledge is a crucial attribute when selecting a FedRAMP 3PAO to work with. Their staff should be conversant in cloud architecture and cloud risk-based decision-making. In an ideal scenario, a 3PAO can facilitate all aspects of the certification process, including the preparation and readiness assessment, security plan development and remediation, and, finally, completion of the FedRAMP certification package.

Cross Functional Experience Yields Efficiencies

If your company has already completed FISMA or PCI audits in previous years, then it’s important to identify a FedRAMP 3PAO with knowledge in those areas as well. That experience will enable them to leverage existing documentation from previous years’ FISMA and PCI audits, consistent with the FedRAMP credo, “do once, use many times,” yielding a significant time-saving advantage.

We recommend you choose a firm that can discern the difference between a government-mandated requirement and a suitable control process. Ask their perspective on risk-based versus compliance-based approaches and on rules versus principles. Knowing their approach and where they place value will help you determine whether you have the right partner to assist you with the certification process.

In summary, vet your 3PAO thoroughly. An experienced, FedRAMP-certified 3PAO is worth its weight in gold. You’ll navigate the certification process more quickly, cost-effectively and efficiently. What’s more, you’ll reduce the possibility of failing the certification audit. To learn more about FedRAMP, download a free copy of our guide below, Grow Your Business With FedRAMP Certification.
