Independent assessors perform initial and periodic assessments of cloud systems to ensure they meet FedRAMP requirements. Once engaged with a CSP, independent assessors:
- Complete a Security Assessment Plan (SAP)
- Perform initial and periodic assessments of cloud system security controls
- Conduct security tests and produce Security Assessment Reports (SARs)
CSPs wanting to meet FedRAMP requirements through the JAB P-ATO path or the CSP-submitted path must be assessed by an accredited independent assessor, known as a FedRAMP Third Party Assessment Organization (3PAO).
Quzara is not a 3PAO, but we help clients prepare for testing and have a successful engagement. We find that in many instances the CSP and 3PAO get locked in debate around residual risk and the path to remediation, resulting in costly diversions of resources and timeline. Quzara can help mediate and provide expertise to mitigate such risks.
The full list of our services in this area is:
- Perform Readiness Review before formal 3PAO assessment
- Update System Security Plan and other FedRAMP Package artifacts based on FedRAMP JAB/PMO and Agency feedback to address documentation issues.
- POA&M management
- Issue Management
- Communication and Project Coordination with 3PAO and FedRAMP JAB/PMO
- Project management of the timeline, plan and closure of exceptions between CSP and FedRAMP or Agency
- Risk Determination and Acceptance Advisory services.