Due to the recent release of the updated FedRAMP R311 requirements document, we have been tasked with ensuring all accredited 3PAOs are now meeting the updated requirements. This will primarily occur through upcoming A2LA renewal assessments.
New R311 FedRAMP Requirement Highlights
These requirements are in effect immediately and will be assessed as such during your next assessment. We would like to highlight a few of the changes below but encourage you to review the document in its entirety.
- We are moving from Word documents to electronic forms for the A2LA F337 – After Action Report for 3PAOs and A2LA F338 – CSP Evaluation Form. Please utilize the links here or in the R311 for all assessments moving forward. The Word documents (F337/F338) are now obsolete.
- Per the FedRAMP Authorization Act, we are now collecting information on your organization’s foreign ownership, control, or influence (FOCI) annually when your A2LA assessment is generated. This will be done using the FedRAMP 3PAO FOCI Declaration Form, and any change to your FOCI status must be reported within 48 hours of the change.
- Additional certifications were added to the approved list for penetration testers. Please review the document closely for these updates.
- The types of assessments (FedRAMP Readiness, initial authorization, and annual assessments) to which the staffing requirements apply were clarified. Additionally, clarification was provided on the types of assessments (FedRAMP Readiness and LI-SaaS initial authorization/annual assessment) that require two rather than three personnel on the assessment team.
- A requirement was added stating that a 3PAO that has been revoked by FedRAMP twice is no longer eligible to return to the program.
A2LA and the FedRAMP PMO will be co-hosting a listening session on September 21 where an additional overview of these changes will be provided.
Have Questions about the Updated FedRAMP Requirements?
Questions about the updated requirements may be directed to A2LA Cybersecurity Program Manager, Ashley Kamauf, at akamauf@A2LA.org and programmatic FedRAMP questions may be directed to the FedRAMP Program Manager, John Hamilton, at info@FedRAMP.gov.