The FedRAMP Program Management Office (PMO) recapped its efforts to gather feedback from Third Party Assessment Organizations (3PAOs) in a new blog post.
FedRAMP noted that late last month it held a virtual summit, 3PAO Interact, to bring together FedRAMP-recognized 3PAOs to share information and to let FedRAMP gather feedback about the program. “3PAOs play a critical role for FedRAMP by ensuring cloud systems meet FedRAMP security requirements as part of a Cloud Service Provider’s (CSPs) FedRAMP authorization,” FedRAMP said in the blog post.
As part of the summit, the PMO hosted presentations, panels, listening sessions, and training sessions that gave 3PAO stakeholders an opportunity to engage with FedRAMP. Beyond those larger events, FedRAMP also sought more granular feedback: the blog post notes that it held small-group discussions to hear from 3PAOs about what is working well and what could be improved in specific areas of the program. In particular, FedRAMP said it gathered feedback on readiness assessments, technical guidance, and authorization boundary and data flow diagrams.
FedRAMP said that the feedback it received from the more than 100 participants from more than 30 organizations was “overwhelmingly positive.” It noted that there was a demand for more events throughout the year. In response, FedRAMP pledged to hold more events and trainings in 2021, though it did not announce any specific events.
The FedRAMP PMO also reiterated its commitment to supporting all of its stakeholders. To that end, FedRAMP is updating its materials to align with the National Institute of Standards and Technology’s (NIST) latest revision of SP 800-53, Security and Privacy Controls for Information Systems and Organizations, Revision 5. This work will likely extend into 2021, and may be the topic of a future event, because FedRAMP has characterized the NIST update as a complete overhaul of the publication that addresses both its structure and its technical content. NIST has said the update “will provide a solid foundation for protecting organizations and systems – including personal privacy of individuals – well into the 21st century.” FedRAMP said it relies on NIST’s guidelines and procedures to provide standardized security requirements for cloud services.