Search Knowledge Base by Keyword
3PAO
What’s a 3PAO?
What’s a 3PAO? A Third Party Assessment Organization (3PAO) is an independent company that assesses the security of cloud services. These organizations are a key part of the Federal Risk and Authorization Management Program (FedRAMP).
What do 3PAOs do?
- Perform initial and periodic assessments of cloud systems
- Produce reports that include a Readiness Assessment Report (RAR), Security Assessment Plan (SAP), and Security Assessment Report (SAR)
- Provide the federal government with independent assessments that help inform authorization decisions
How are these organizations qualified?
- Must meet specific qualifications, including passing a proficiency exercise and completing Continuing Professional Education (CPE)
- Must be accredited to ISO/IEC 17020
- Must demonstrate technical competence and FedRAMP knowledge
How to find Third Party Assessment Organizations?
- You can find a list of FedRAMP recognized 3PAOs on the FedRAMP Marketplace.
- The FedRAMP PMO can provide support or answer questions.
3PAO assessments
- Include compliance and vulnerability scanning, penetration testing, and report generation
