The Federal Risk and Authorization Management Program (FedRAMP) has unveiled a course introducing third-party assessment organizations (3PAOs) to obligations and performance standards in the American Association for Laboratory Accreditation (A2LA) R311 policy.
FedRAMP said Tuesday the training course outlines the scope of a 3PAO’s roles and responsibilities related to the assessment of commercial cloud offerings and the process for qualifying an independent assessment organization as a FedRAMP-recognized 3PAO.
3PAO personnel must complete the first mandatory course within 60 days of the training announcement and maintain copies of the certificates in their training records for the A2LA assessment.
In late July, FedRAMP announced that, starting on Oct. 1, A2LA will review assessment reports to ensure that accredited 3PAO personnel are competent and qualified to evaluate documents from cloud service providers.
The remaining seven courses in the training curriculum will focus on readiness assessment report guidance, security assessment plan guidance, security assessment report guidance, documenting evidence procedures, 3PAO vulnerability scanning methodology and documentation, review of SAR tables and assessment of penetration testing guidance.