The Federal Risk and Authorization Management Program (FedRAMP) is requiring third-party assessment organization (3PAO) personnel, including senior and junior assessors and penetration testers, to comply with the specific requirements set by the American Association for Laboratory Accreditation (A2LA).
Starting on Oct. 1, FedRAMP and A2LA will review assessment reports to ensure that accredited 3PAO personnel are competent and qualified to evaluate documents from cloud service providers (CSPs), FedRAMP said Thursday.
Personnel qualification requirements under the R311 policy cover training, years of experience, certification qualifications and technical proficiency activities.
FedRAMP noted that a 3PAO with a team consisting of both qualified and unqualified personnel will not be permitted to perform inspections of CSP documents.