Selecting a 3PAO

To obtain a FedRAMP Provisional Authorization, CSPs must engage a FedRAMP-accredited Third Party Assessment Organization (3PAO) for testing their security controls. The decision regarding which 3PAO to use is entirely up to the CSP. FedRAMP does not make introductions between the CSPs and 3PAOs and does not endorse any one 3PAO over another. It is up to the CSP to manage and facilitate their own relationship with the 3PAO.

The CSP must pay for the services of the 3PAO. The FedRAMP Program does not pay for 3PAO services and does not make pricing recommendations on 3PAO services. CSPs may want to obtain pricing information from multiple 3PAOs before making a selection and should contact 3PAOs directly for this information.

The purpose of engaging the 3PAO is to have it perform an independent security assessment of the CSP-developed system that is a candidate for a FedRAMP Provisional Authorization. To satisfy the FedRAMP annual security assessment requirement, CSPs can continue to use the 3PAO that performed the initial assessment, or can select a different 3PAO for the annual security assessment.

3PAOs use FedRAMP templates and guidance when performing security assessments. After a 3PAO completes its security assessment and prepares the required deliverables, it is important that the 3PAO remain available for follow-up communications with the government ISSO and the FedRAMP PMO. When selecting a 3PAO, CSPs should discuss this with each candidate 3PAO and consider its availability for follow-up communications after the security assessment package is submitted.

Once a CSP engages a 3PAO, involved parties should contact their assigned government ISSO with any questions about 3PAO roles & responsibilities. The CSP should not put any restraints or conditions on a 3PAO’s desire to communicate with the assigned government ISSO.