A critical part of the government’s cloud security program mandates that companies hire a third-party entity to vet their cloud services.
Until now, the General Services Administration and the National Institute of Standards and Technology have approved those third-party assessment organizations, or 3PAOs. But GSA announced Tuesday that will change.
GSA has selected the nonprofit organization American Association for Laboratory Accreditation to review applications for 3PAOs. Using a privatized board to accredit 3PAOs “will allow for more in-depth analysis” of applicants and make the overall process more rigorous, GSA said in a news release.
So far, 22 companies have been named 3PAOs, and they’re selected to ensure cloud products and services meet Federal Risk and Authorization Management Program (FedRAMP) standards. Cloud vendors must first hire an approved 3PAO to review and validate their compliance with minimum security standards.
The FedRAMP program office, housed at GSA, will make the final decision to approve third-party organizations. “The government also retains the right to reinstitute a government review board without any interruption in accreditation for 3PAOs,” GSA said in a news release.
Moving accreditation work to a privatized board has long been a planned milestone under the government’s cloud security program, FedRAMP.
“The selection of A2LA (American Association for Laboratory Accreditation) to handle the 3PAO reviews is a significant milestone as we grow FedRAMP in partnership with industry and government cloud stakeholders,” Dave McClure, associate administrator of GSA’s Office of Citizen Services and Innovative Technologies, said in a statement. “A2LA’s involvement, with continued government oversight, improves the resources and rigor of our review process, further strengthening FedRAMP.”
GSA said the 3PAO application process will reopen later this year, but the agency has not said how long current 3PAOs will have to comply with any new accreditation standards.