StateRAMP, like FedRAMP, is a complex process geared towards helping Cloud Service Providers (CSPs) serve important government agencies. To ensure that these CSPs are up to date on the latest and strongest security and risk management tools and procedures, both FedRAMP and StateRAMP require CSPs to work with an independent party, called a 3PAO. 

If you’re just getting started as a CSP in the government space, or you’re a security firm interested in learning more about what it takes to be a 3PAO, then you’ll want to know more about the role of a 3PAO in these security frameworks.

What is a Third-Party Assessment Organization?

A StateRAMP Third-Party Assessment Organization (3PAO) is a professional organization that partners with businesses that are ready to pursue StateRAMP certification. These organizations provide an independent assessment of a business’s ability to undergo StateRAMP certification and their continued application and maintenance of compliance standards. 

3PAOs provide a critical part of StateRAMP assessment, namely providing an independent approach to assessing a company that isn’t compromised by professional relationships to either state organizations or cloud businesses. As such, 3PAOs have several obligations to their partners and the StateRAMP governing body.

A 3PAO must:

1. Remain independent from any CSP or related technical provider that they assess.
2. Exist as a Type A (third-party independent) or Type C (internal and self-inspecting) Inspection Body exclusively.
3. Perform accurate, fair, and high-quality security inspections of their partner CSPs.
4. Gain and maintain knowledge of current relevant StateRAMP regulations.
5. Perform internal continuing training and education to cover relevant security guidelines pertaining to StateRAMP.

When a company can demonstrate these requirements, they can be certified as a StateRAMP 3PAO. 

Why is a 3PAO Necessary for StateRAMP Certification?

Every step of the StateRAMP process requires the 3PAO to ensure impartial assessment of the CSP in question while guaranteeing that the process moves forward properly.

Key areas of the StateRAMP certification process include:

1. Documentation: The 3PAO helps the CSP by first determining what level of security controls an organization must have in place for StateRAMP authorization. These levels are determined by the kinds of data that the CSP will manage: Low, Moderate, and High Impact. State agencies are rarely in the High Impact category, so controls typically fall under Low, Medium, or a combination of the two.
2.  Authorization and readiness: When a CSP begins the StateRAMP process, they must undergo a readiness assessment to determine if they are even capable of the undertaking. The 3PAO helps the organization by creating a StateRAMP Readiness Assessment Report (SR-RAR) to demonstrate to StateRAMP that the CSP is ready for assessment.
3. StateRAMP Ready and preparation: Once the CSP has been designated as “ready”, the 3PAO then helps prepare a Security Assessment Plan (SR-SAP). The SAP is the result of a general risk and security assessment of the CSP by the 3PAO and outlines the testing steps and schedule it will use to assess StateRAMP compliance.
4. Assessment: The 3PAO performs the tests of the CSPs systems to determine if they meet the requirements of StateRAMP for the security level outlined by their intended partnership. This testing would include an audit of reporting and logging capabilities, determining security measures in place, and different levels of penetration testing. These tests follow the SAP. 
5. Authorization: The 3PAO is responsible for taking the results of the test and reporting to StateRAMP in an official document called the StateRAMP Security Assessment Report (SR-SAR). This report highlights successful tests and any changes, updates, or additions the CSP must make to address vulnerabilities.
6.  Continued Maintenance: 3PAOs work with CSPs to continue reporting and maintenance to ensure that they meet current requirements and have plans in place to do so. 

As is obvious from this section, the 3PAO is not only necessary to the process but an important asset for CSPs who aren’t familiar with the process. A solid and expert 3PAO can help a CSP with little or no experience in security compliance or StateRAMP work through the system successfully. 

How Do I Find the Right 3PAO?

Certified 3PAOs have to demonstrate to StateRAMP that they have the requisite knowledge, experience, and capacity to audit and assist CSPs throughout the process. Fortunately, CSPs aren’t left to their own devices in finding a partner. 

The StateRAMP website actually includes a database of 3PAOs, including contact information, websites, and assesses solutions. CSPs looking into a 3PAO can use this resource to find a local vendor who can support them.  

Finding the right 3PAO will call upon several unique aspects of your needs, including regional considerations, industry requirements, the state agency partner you plan on working with, and so on. 

How Does My Organization Become a 3PAO?

The requirements for a StateRAMP 3PAO are identical to those of a FedRAMP 3PAO, and StateRAMP uses FedRAMP requirements to determine fitness for StateRAMP auditing. 

These requirements include:

1. A 3PAO must be able to accommodate assessments by the StateRAMP Program Management Office upon request.
   
2. All 3PAO personnel working within StateRAMP must attest to their knowledge and proficiency of critical StateRAMP requirements, including the NIST Risk Management Framework, NIST 800-53 security controls and StateRAMP requirements (among others, see below). 3PAO candidates will be assessed on their knowledge of these documents.
   
3. 3PAOs must be accredited by the StateRAMP PMO. The American Association for Laboratory Accreditation (A2LA) will provide evidence regarding the expertise, proficiency and capabilities of the potential 3PAO, and the PMO will make the final decision.
   
4. The StateRAMP PMO must sign off on the final authorization.

StateRAMP 3PAOs must have a demonstrable understanding of the core frameworks used in FedRAMP certification (NIST 800-53 and Risk Assessment Framework) among other security documents and frameworks, including:

• The NIST Definition of Cloud Computing (NIST 800-145)
• Computer Security Incident Handling Guide (NIST 800-61 Rev 2)
• Contingency Planning Guide for Federal Information Systems (NIST 800-34 Rev 1)
• Guide for Assessing the Security Controls in Federal Information Systems (NIST 800-53A Rev4)
• Guide for Developing Security Plans for Federal Information Systems (NIST 800-37 Rev 2)
• Guide for Mapping Types of Information and Information Systems to Security Categories (NIST 800-60 Rev 1)

And others (see more). 

Conclusion

A cloud service provider cannot receive a StateRAMP certification without working with a 3PAO. Rather than treat this as a formality, consider it as an opportunity to partner with a security expert that can not only help your CSP with compliance but support your data security and reporting efforts organization-wide. 

Are you a cloud service provider ready to move into government work? Getting prepared for FedRAMP or StateRAMP certification? Lazarus Alliance is a registered 3PAO for FedRAMP and StateRAMP clients who can help streamline and automate your compliance process. To learn more, please call us at 1-888-896-7580 or contact us through the form below.