A2LA

A Better World Through Accreditation

Home » Accreditations » FedRAMP Third-Party Assessment Organizations (3PAO)

About FedRAMP & Third-Party Assessment Organizations (3PAO)

A2LA offers accreditation of Third-Party Assessment Organizations (3PAOs) as part of the Federal Risk and Authorization Management Program (FedRAMP).

FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud-based services. Under the Security Assessment Framework, 3PAOs are required to be accredited by A2LA in order to be recognized by FedRAMP. The A2LA assessment process involves a rigorous evaluation of the technical competence of the 3PAOs and their compliance with ISO/IEC 17020.

An organization that wishes to become an accredited FedRAMP 3PAO must spend at least a year in the Cybersecurity Inspection Body Program in order to demonstrate a level of technical competence prior to consideration for FedRAMP 3PAO recognition. The additional requirements for FedRAMP 3PAO recognition are available upon request.

The list of FedRAMP recognized 3PAOs can be found on the FedRAMP Marketplace. This specialty program is covered under the A2LA Inspection Body Accreditation Program. Get a Quote to see how you can get your organization accredited with A2LA.

FedRAMP 3PAO Program Requirements

  • ISO/IEC 17020 Requirements for the Operation of Various Types of Bodies Performing Inspection
  • ILAC P15 – Application of ISO/IEC 17020 for the Accreditation of Inspection Bodies
  • R311 – Specific Requirements: Federal Risk and Authorization Management Program (FedRAMP)
  • Information on the FedRAMP process for recognizing cloud services providers may be found on the FedRAMP website.

In partnership with FedRAMP, A2LA works exclusively with BCR Cyber (formerly Baltimore Cyber Range) to provide technical proficiency testing for third party assessment organizations (3PAOs). The BCR Cyber FedRAMP exercise “is a real-time assessment of a simulated cloud environment. Participating teams are provided four hours to review an abbreviated system security plan and assess a subset of 20 security controls for system implementation and configuration non-compliance issues using the examine, test, and interview assessment methods.” A2LA conveniently manages this testing for our customers, streamlining the entire process.