Before Third Party Assessment Organizations (3PAOs) can perform security assessments of Cloud Service Providers (CSPs) for FedRAMP, they need the approval of a nonprofit in Frederick, Md.
The American Association for Laboratory Accreditation, or A2LA, isn’t a household name in cybersecurity. But with Federal agencies spending billions of dollars on cloud computing, A2LA has an increasingly important role.
“Everyone working in cybersecurity knows what FedRAMP is, but they aren’t as familiar with A2LA,” said Ashley Kamauf, senior accreditation officer at A2LA.
FedRAMP contracted with A2LA in 2013 to accredit 3PAOs that work with the CSPs selling cloud computing products to agencies. Booz Allen Hamilton was the first 3PAO to earn A2LA accreditation, which the company received in July 2014.
The accreditation process from application to accreditation typically takes 3PAOs four to six months to complete.
A2LA ensures that 3PAOs meet the ISO/IEC 17020 standard. “Our goal is to confirm compliance,” Kamauf said. “We’re ensuring that 3PAOs are meeting all the requirements, and we help them understand how the general requirements apply to them specifically. The ISO/IEC 17020 standard can be very vague at times and our assessors help to ensure all requirements are being met by the 3PAOs.”
A2LA also confirms that 3PAOs meet all FedRAMP-specific and technical requirements, including the ability to assess a CSP's System Security Plan (SSP), the document in which the CSP describes its security controls, against the National Institute of Standards and Technology's Special Publication 800-53, which catalogs security and privacy controls for Federal information systems.
As part of its assessment of a 3PAO, A2LA has direct access to the personnel within that 3PAO who work with CSPs, so it can confirm that they have the technical competence required to perform a FedRAMP security assessment. Before A2LA took over accreditation from the Joint Authorization Board (JAB) and the FedRAMP Program Management Office (PMO), the accreditation process did not include direct access to personnel.
A2LA's management of the 3PAO assessment process also includes helping 3PAOs that were already recognized under the program to meet the additional requirements introduced when A2LA took over accreditation. To date, 19 3PAOs have completed the new accreditation through A2LA, and three are pending. All 3PAOs are likely to complete the new accreditation process by the end of the year.
“We look at accreditation as something that’s strengthening the market. We guide 3PAOs through the rigorous assessment process to level the playing field,” Kamauf said. “The goal of this accreditation is that you can go on the FedRAMP website, see a list of 3PAOs, pick any one of them, and you can expect the same level of service across the board.”
FedRAMP released a significant programmatic update in a set of draft requirements over the summer.
“The quality portion of the assessment is most likely to be affected by the updated requirements. The ISO/IEC 17020 standard sets the general requirements and now FedRAMP is strengthening their specific requirements to increase the robustness of the program. This will not only make it easier for 3PAOs to understand the requirements, but also for the A2LA assessors to enforce them,” Kamauf said.
One example is that ISO/IEC 17020 specifies only that “the inspection body shall define and document the competence requirements for all personnel involved in inspection activities, including requirements for education, training, technical knowledge, skills, and experience.”
FedRAMP would like to be more specific with the requirements for training and likely will specify the hours of training or particular technical certifications that 3PAO personnel must complete or maintain in a given year.
Other changes are also likely.
“In the long run, the changes will be very beneficial to the longevity of the program,” Kamauf said.