CSP and 3PAO Roles and Responsibilities
We wanted to share some high-level guidance for CSPs and 3PAOs, created with the JAB teams, to provide insight into the different roles and responsibilities of 3PAOs and CSPs in our authorization process. These roles and responsibilities were developed and refined over the last year as we reworked the JAB’s authorization process through FedRAMP Accelerated.
The CSP’s role (189 kb PDF, 1 page) in the JAB authorization process is to ensure their service offering meets the NIST/FedRAMP requirements through the implementation and documentation of security controls. The primary document the CSP is responsible for is the System Security Plan (SSP). Throughout the process, CSPs work with their 3PAO on the testing and discovery for the Readiness Assessment, Security Assessment Plan (SAP), Security Assessment Report (SAR), and Plan of Action & Milestones (POA&M). They then share this information, address questions, and make updates throughout the JAB review process.
The 3PAO’s role (170 kb PDF, 1 page) in the process is to provide overall discovery, testing, and validation of the CSP’s service offering through the Readiness Assessment, SAP, SAR, and POA&M. They present their findings to the PMO and JAB during the FedRAMP Ready conversation and the JAB Kick-Off meeting. Throughout the process, they answer the JAB’s questions and perform follow-up testing and documentation updates based on any gaps identified in the CSP’s service offering.
We hope that Agencies can also leverage this structure when planning their own FedRAMP authorizations and determining how they want to work with CSPs and independent assessors.
For more details, check out our CSP and 3PAO roles and responsibilities one-pagers here.