Advisory Firms Can Seek Accreditation as a StateRAMP 3PAO
As of this writing, 34 companies provide 3PAO services for cloud service providers seeking StateRAMP certification.
To become a 3PAO, a consulting or advisory firm must seek accreditation from the American Association for Laboratory Accreditation (A2LA) against the requirements of ISO/IEC 17020:2012, “Conformity assessment: Requirements for the operation of various types of bodies performing inspection,” and must hold assessment approval for FedRAMP.
A2LA recognizes accreditation for inspection as a distinct discipline that involves competence in the examination of materials, products and more. A2LA has established a specific certification program for FedRAMP, and it requires a “rigorous evaluation of the technical competence” of a 3PAO and the organization’s compliance with standards. 3PAOs seeking accreditation for FedRAMP (and thus StateRAMP) must spend a year in the A2LA Cybersecurity Inspection Body Program to demonstrate this technical competence.
Any cloud service provider that would like clearance from StateRAMP must in turn receive assessment by a 3PAO. The vendor pays for the 3PAO assessment.
Major IT Vendors Cleared on StateRAMP Approved Product List
Many CDW partners are on the StateRAMP Authorized Product List. Cloud service providers receive specific approval for each offering, not for the company as a whole. In August, the authorized product list included 28 fully approved products, including offerings from these companies, among others:
- Microsoft for Azure and Dynamics
- Okta for Identity as a Service
- Zoom for Zoom for Government
- Zscaler for Zscaler Private Access and Internet Access
Approved products are designated as “Ready” by StateRAMP.
StateRAMP also specifies a “progressing” product list of companies engaged in a 3PAO audit. “The progressing statuses include ‘Active,’ ‘In Process’ and ‘Pending,’” according to StateRAMP. “‘Active’ products are working toward ‘Ready’; ‘In Process’ products are working toward ‘Authorized’; ‘Pending’ products are currently being reviewed by the StateRAMP Program Management Office and are awaiting a determination for a verified status.”
This list includes products from these CDW vendor partners, among others:
- Cisco Systems for Cisco Secure Workload, Cisco Webex and more
- Microsoft for Microsoft Office 365
- SkyHigh Security for MVISION Cloud and MVISION for Endpoint
- VMware for VMC on AWS Cloud and Workspace ONE
States Eye RAMP Approval as Condition of Contract Competition
Advisory firms can leverage their third-party security assessment expertise to assist vendors with gaining StateRAMP approval. Although most states do not yet require StateRAMP approval, many are signing on to the program. Some, like Texas and Arizona, are in the process of requiring cloud service providers to obtain either their own internal RAMP approval or StateRAMP approval before competing for a government contract.
CDW•G provides third-party security assessments as a nonaccredited 3PAO. Vendors can turn to CDW•G for an initial assessment, which then may be validated by a StateRAMP-approved 3PAO.
Many third-party assessment organizations can conduct an array of functions for cloud service providers, including gap analysis, consulting services, compliance workshops, strategy sessions and more.
Qualified StateRAMP vendors must return to an approved 3PAO annually for a security assessment of their products and for a review of any significant changes to their systems and offerings.