When to Engage a FedRAMP Consultant vs. When to Engage a 3PAO
Originally published by Schellman here.
Written by Andy Rogers, Schellman.
“I have a very particular set of skills. Skills I have acquired over a very long career. Skills that make me a very well-equipped advisor/assessor for your FedRAMP boundary.”
If you’ve seen the film Taken, you’ll know that’s not exactly how that iconic line went.
But when it comes to the Federal Risk and Authorization Management Program (FedRAMP), you may not literally need the skills of Liam Neeson’s retired CIA agent, but you will appreciate having someone just as highly trained working with you throughout the process.
Maybe you’re already in the process of building your FedRAMP boundary on your own, or you’re contemplating hiring a consultant or Third-Party Assessment Organization (3PAO) to help you out with the compliance process.
But FedRAMP is complex and there are so many entities involved and potentially involved that it can be hard to pinpoint what kind of help you need at which moment and who can give it to you.
You’ve landed on the right article: we’re going to clarify when organizations seeking a FedRAMP Authority to Operate (ATO) should engage a consultant and when they should engage their 3PAO.
Read on to fully understand when you might engage a 3PAO and what separates 3PAOs from consultant firms.
The Difference Between a FedRAMP Consultant and a 3PAO
If you’ve decided to take the FedRAMP plunge, maybe you already have several certifications or attestations under your belt to this point. Maybe you did all those without the assistance of a consultant so you’re wondering if you really do need a FedRAMP advisor. You’ve already got a rockstar staff of IT and security professionals squaring away your security program, so why bring in anyone?
Because FedRAMP is a little different from your average certification or attestation. Federal data is highly sensitive and, as such, getting authority to handle it can be particularly difficult. Much depends on your agency sponsor or your experience getting Joint Authorization Board (JAB) approval, but either way, you’re likely to have a very difficult road ahead of you.
Because FedRAMP Authorizations are this difficult, you will need a “particular set of skills.” But consultants and 3PAOs have their own, so here’s the difference by definition:
Consultant: Advises you on how to build the security FedRAMP requires. They help elevate the infrastructure supporting your environment to ensure that the road to your Authorization to Operate (ATO) is a smooth one. One thing you should know:
- Engaging a consultant is not required to receive an ATO.
3PAO: Engages with you after your system and security program have matured and are ready to go through a security assessment.
- If a consultant is theoretically “optional,” a 3PAO is not—they are an absolute requirement. They assess your environment for FedRAMP worthiness and must stand behind every control description, finding, observation, and examination in their assessment.
After you have worked with both a consultant and a 3PAO, your FedRAMP package is submitted to the FedRAMP Program Management Office (PMO) or the JAB for final validation and the sponsor’s blessing for ATO.
Can a Consultant Also Be a 3PAO?
Yes. In many cases, an auditing firm can be both a consultant and a 3PAO. Many consultants also perform assessments, effectively covering “both sides of the fence” where FedRAMP is concerned.
What’s more important for you to understand is that your consultant cannot also perform your assessment, as FedRAMP requires your assessor to be independent of the consultant.
Let’s be clear again: your consultant is optional—though highly recommended—while the 3PAO is not. To receive a FedRAMP ATO, you must go through a security assessment by a 3PAO, and that 3PAO must be designated by FedRAMP and accredited by the American Association for Laboratory Accreditation (A2LA).
When Should You Engage Your FedRAMP Consultant?
Now that we’ve addressed the differences, let’s talk about when to engage your consultant.
The best recommendation is to do so early in the process. But you’ll need to do your homework, because their team needs to be competent. To help you vet prospective consultants, read our article on what to ask them.
The firm you do choose to work with should know the pitfalls that need to be addressed before your assessment, particularly the ones we assessors call “show stoppers” that will derail your process. But at the end of the day, how early you choose to get them on board is really up to you.
But even if the final decision is yours, in our view it’s best to bring in a consultant before you build your infrastructure:
- It’s much easier to build security into your IaaS, PaaS, or SaaS solution rather than trying to build security around an insecure environment.
- Again, if your consultant is a good one, they’ll know those “show stoppers” that could come up in the process—bringing them in during the build-out would let you implement solutions before they become even a semblance of a problem.
It’s also best to bring in a consultant to help with as much of the documentation as possible. From an assessor’s perspective, it’s easy to see a consultant’s impact on an organization’s system security plan (SSP):
- A FedRAMP SSP can be a monster of a document with 700+ pages—it’s meant to evidence everything from the security of physical data centers to the cryptography you’re using to secure workloads.
- It is no small task to write one of these, but a consultant can provide a concise yet descriptive SSP regarding the implementation of the controls that were put in place with their expert guidance.
From building your infrastructure’s security provisions to documenting everything well, consultants clearly do have a “particular set of skills” that are arguably a necessity for a successful assessment of your environment.
Once they’ve helped you create your FedRAMP boundary and the build-out and documentation are done, it’s time to select your 3PAO.
When to Engage Your FedRAMP 3PAO
If your consultant gave you lots of great advice at the beginning, your 3PAO delivers the coup de grâce in the FedRAMP process. They will come and test all the time, money, effort, and expertise you have so painstakingly invested. You should only engage an assessor once you’re confident in your controls and documentation.
And just like you need to be choosy with your consultant, the same goes for your 3PAO. The FedRAMP Marketplace can help you get started with the full list of approved assessors.
Things to consider when selecting your 3PAO:
- Remember, as we mentioned before, they need to be independent. If your 3PAO was found to have partiality toward you because they also acted to get you ready (or for any other reason), it could jeopardize your ATO.
- The last thing you want is a 3PAO that doesn’t assess thoroughly and holds you up in the FedRAMP process. At the end of the day, it isn’t your 3PAO or your consultant that hands you that ATO: it’s the FedRAMP PMO in combination with your Federal agency or the JAB. But they can only do that if they have enough evidence from your assessor.
Next Steps for Your FedRAMP ATO
FedRAMP consultants and assessors are each a version of Liam Neeson’s iconic character in Taken—both have a “particular set of skills” that can be very helpful. Of course, depending on your staff’s familiarity level with the FedRAMP process, the FedRAMP PMO, and the JAB, a FedRAMP consultant might not be necessary for you.
But an assessor will be. Either way, it’s just a matter of when to take advantage of each, and now you understand when to do that. For even more insight into this very complex FedRAMP process, check out our other content that answers several important questions regarding federal compliance: