Industry Update: Cloud Service Providers – Which 3PAO is for you?

by Tom McAndrew, Coalfire’s FedRAMP Technical Manager

As part of its “cloud first” policy established in 2010, the U.S. government has formalized a set of regulations that Cloud Service Providers (CSP) must meet in order to do business with federal government agencies. This initiative, called FedRAMP, is expected to save taxpayers an estimated $1.7 billion in infrastructure costs. Coalfire believes that more than $5 billion of services will shift to federal cloud providers over the next 24 months, and hundreds of federal projects are already underway.

The Federal Risk and Authorization Management Program (FedRAMP) ensures secure cloud computing for the federal government. It provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

It’s a “do once, use many times” program that provides a common structure for assessing and sharing security results in the federal government. CSPs must be independently certified by an accredited Third Party Assessment Organization (3PAO) as part of FedRAMP. This allows CSPs to receive a provisional authority to operate (ATO) that can be leveraged by all federal agencies. The provisional ATO is issued by the FedRAMP Joint Authorization Board (JAB). The JAB is composed of representatives from a variety of critical federal agencies, including the GSA, DoD, DHS, and NIST.

FedRAMP assessments are built from the requirements outlined by the Federal Information Systems Management Act (FISMA) and the NIST 800-53r3 controls. You can find out more about the differences between FISMA and FedRAMP assessments from our perspective. The FedRAMP assessment process covers four main steps, each requiring JAB approval before moving on to the next step.

CSPs must use a FedRAMP-accredited 3PAO to independently assess the CSP against the FedRAMP requirements. The decision regarding which 3PAO to use is entirely up to the CSP, and the CSP is required to manage and facilitate its own relationship with the 3PAO.

Once a CSP engages a 3PAO, involved parties should contact their assigned government Information System Security Officer (ISSO) with any questions about 3PAO roles and responsibilities. The CSP should not put restraints or conditions on a 3PAO’s desire to communicate with the assigned government ISSO. 3PAOs must use FedRAMP templates and guidance when performing security assessments. After 3PAOs complete their security assessment and have prepared the required deliverables, it is important that the 3PAO remain available for follow-up communications with the government ISSO and the FedRAMP PMO. When selecting a 3PAO, CSPs should discuss this with the candidate 3PAO and consider their availability for follow-up communications after the security assessment package is submitted.

Coalfire is one of the 10 accredited 3PAO firms, but keep in mind that there’s an important difference between these organizations. Coalfire is the only 3PAO firm authorized to conduct cloud assessments for the federal government (as a 3PAO), for the healthcare industry (HITRUST certified), and for the Payment Card Industry (as a Qualified Security Assessor). With more than 30 cloud engagements in progress today, we have industry experience second to none. Backed by years of experience working with public, private, hybrid and government clouds for FISMA, PCI, GLBA and HIPAA/HITECH compliance assessments, our unique experience makes us a valuable partner for helping clients work through the FedRAMP process toward receiving an ATO with government agencies. Coalfire guides our clients and their FedRAMP-appointed ISSO through the process, taking into account the unique considerations that cloud and virtualization environments bring to the table.

Receiving 3PAO accreditation means that Coalfire is able to validate the security and control implementations that CSPs must provide in order to work with, and provide cloud services to, federal agencies. 3PAOs are critical to the FedRAMP program, as they independently demonstrate the competency of CSPs that host the government’s most crucial data. As an authorized 3PAO, Coalfire can also help with providing advisory services or assessment services. However, to ensure our independence as a 3PAO, Coalfire can provide either advisory or assessment services, but not both to the same organization.

Advisory: As an advisor, we can assist CSPs and federal agencies with understanding the requirements, the impacts to their business/agencies, and best-practice approaches to getting FedRAMP certified or leveraging FedRAMP-approved CSPs. We have supported agencies and ISSOs/ISSMs with understanding the options and risks of moving to the cloud. We have also supported cloud providers interested in understanding the FedRAMP process and the potential services they may offer.

Assessment: For CSPs interested in becoming an approved FedRAMP provider, Coalfire can conduct an independent assessment for submission as an approved CSP. This can include technical testing such as penetration testing, vulnerability scanning, and configuration reviews. There is also a requirement for continuous monitoring that Coalfire can support to ensure controls remain in place after the assessment.

FedRAMP implementation began earlier this month and will be done in phases – starting with 3PAOs assessing CSPs. Coalfire has already begun preparing agencies and cloud service providers for testing. The wave of activity is large and growing and includes assessments and penetration tests with interested CSPs this month. Inquiries for FedRAMP services can be made at

For those interested in learning more about the FedRAMP certification process, Coalfire has a free streaming webinar on the topic. Click here to start watching.