Agenda
- Select members to share their experiences with 3PAOs
- Andrew Ledford, DataBricks
- Tim Anderson, ID.me
- Alex Smolen, LaunchDarkly
Notable Points
- Our name is changing from "FedRAMP Advisory Board" to "Federal Cloud Advisory Board" to avoid copyright violations and at the request of GSA
- Brian Conrad is scheduled to speak to the group on June 26th. More details to follow.
- Looking for volunteers to participate in the roundtable discussion
3PAOs Discussion
The meeting today centered largely around 3PAOs.
Notable Challenges
Big names don't equate to quality
Some of the largest 3PAOs seem to be decreasing in overall quality, irrespective of budget. One member shared an experience where they had an "unlimited budget" for their 3PAO and still received work of such poor quality that they needed to terminate the contract.
The bottom line is that CSPs need to do proper due diligence when assessing 3PAOs. More on that in the "Strategies" section below.
Bait and Switch + 3PAO Employee turnover
Many 3PAOs, especially the larger ones, seem to be experiencing substantial talent drain, and this has had a large impact on the quality of 3PAO work.
In a likely related trend, 3PAOs often present their A-team during the sales cycle but then provide a team of materially lower quality once the project kicks off. This leads to substantial cost to the CSPs, who have to deal with poor and oftentimes faulty advice.
Public cloud competence
Broadly speaking, most 3PAOs have uneven knowledge of public cloud as it pertains to the nuances of a FedRAMP context. Knowledge is mostly centered on AWS, with some on Azure and minimal knowledge of Google Cloud.
Furthermore, there is a general lack of understanding across 3PAOs of how cryptography and FIPS compliance apply to public cloud environments.
Leveraging advisory services
When considering using the advisory services of a 3PAO, it's prudent to consider the breadth at which you would desire to use them. For instance, if you only need "one thing," then it likely doesn't make sense from a cost-optimization perspective. However, if you will also be using them for ConMon, annual assessments, etc., then the cost makes more sense.
Advisory service providers that go beyond the scope of FedRAMP should be considered in the same light. In other words, is it likely that your organization will sustain a very long-term relationship with that firm, or not?
When receiving advisory for multiple compliance bodies (FedRAMP, ISO, SOC 2, etc.), it's also important to ensure that they are all leveraging the same artifact request workflows so that evidence doesn't need to be requested multiple times.
Cost optimizing audits when you have a distinct FedRAMP environment
One approach suggested by the group was to try to combine audits as it provides substantial cost savings. However, this approach becomes less attractive if you have a completely distinct government/FedRAMP environment since.
Strategies
3PAO Accountability
- Interview the 3PAO team: Insist on being able to fully interview the team that the 3PAO intends to assign to your project. Imagine that you are hiring FTEs for your organization and interview them in similar fashion. It's important to ask how they understand certain abstractions within a FedRAMP context, such as containers/k8s, serverless, multi-cloud, etc.
- Require accountability contract clauses: Contracts with 3PAOs should include (but are not limited to):
- Specificity on what are grounds for contract termination
- Weekly status reports
- Escalation paths for evidence collection
- Rules around swapping out consultants (e.g. interviewing, refusal, etc.)
Require the use of your organization's tracking system
Do not let the 3PAO dictate that you need to use their own tracking system for uploading artifacts, monitoring progress, etc. They should accommodate your workflows, not the other way around.
Anticipate "significant changes" from a contract and budget standpoint
If your company's product roadmap includes recurring changes that would constitute a "significant change" under FedRAMP, then it's advised to have a separate but complementary single-year T&M (or FFP) contract with your 3PAO to address significant changes on an ad hoc basis.
Volunteer to go deeper with auditors as mitigation to PMO meeting risk
If you have a nuanced architecture or data flow, it's recommended that you go out of your way to go as deep as necessary with your auditors until you feel that they'll be able to properly tell the story of your environment to the PMO.