
5/30 FAB Community Call

Agenda

  • Select members to share their experiences with 3PAOs
    • Andrew Ledford, DataBricks
    • Tim Anderson, ID.me
    • Alex Smolen, LaunchDarkly

Notable Points

  • Our name is changing from “FedRAMP Advisory Board” to “Federal Cloud Advisory Board” to avoid copyright violations and at the request of GSA
  • Brian Conrad is scheduled to speak to the group on June 26th. More details to follow.
    • Looking for volunteers to participate in the roundtable discussion

3PAOs Discussion

The meeting today centered largely around 3PAOs.

Notable Challenges

Big names don’t equate to quality

Some of the largest 3PAOs seem to be decreasing in overall quality. This is irrespective of budget. One member shared an experience where they had ‘unlimited budget’ for their 3PAO and still received poor quality to the point of needing to terminate the contract.
The bottom line is that CSPs need to do proper due diligence when assessing 3PAOs. More on that in the “Strategies” section below.

Bait and Switch + 3PAO Employee turnover

Many 3PAOs, especially the larger ones, seem to be experiencing substantial talent drain and this has had a large impact on 3PAO work quality.
In a likely related trend, 3PAOs often present their A-team during the sales cycle but then provide a team of materially lower quality once the project kicks off. This leads to substantial cost to the CSPs, as they have to deal with poor and oftentimes faulty advice.

Public cloud competence

Broadly speaking, most 3PAOs seem to have varying knowledge of public cloud as it pertains to nuances in a FedRAMP context. Knowledge seems mostly centered around AWS, then some with Azure, and minimally with Google Cloud.
Furthermore, there is generally a lack of understanding across 3PAOs with regard to public cloud and compliance as it pertains to cryptography and FIPS compliance.

Leveraging advisory services

When considering using the advisory services of a 3PAO, it’s prudent to consider the breadth to which you would want to use them. For instance, if you only need ‘one thing’, then it likely doesn’t make sense from a cost optimization perspective. However, if you will also be using them for ConMon, annual assessments, etc., then the cost makes more sense.
Advisory service providers that go beyond the scope of FedRAMP should be considered in the same light. In other words, is it likely that your organization will sustain a very long term relationship with that firm, or not?
When receiving advisory for multiple compliance bodies (FedRAMP, ISO, SOC2, etc), it’s also important to ensure that they are all leveraging the same artifact request workflows so that evidence doesn’t need to be requested multiple times.

Cost optimizing audits when you have a distinct FedRAMP environment

One approach suggested by the group was to try to combine audits as it provides substantial cost savings. However, this approach becomes less attractive if you have a completely distinct government/FedRAMP environment since.

Strategies

3PAO Accountability

  • Interview the 3PAO team: Insist on being able to fully interview the team that the 3PAO intends to assign to your project. Imagine that you are hiring FTEs for your organization and interview them in similar fashion. It’s important to ask how they understand certain abstractions within a FedRAMP context, such as containers/k8s, serverless, multi-cloud, etc.
  • Require accountability contract clauses: Contracts with 3PAOs should include (but are not limited to):
    • Specificity on what are grounds for contract termination
    • Weekly status reports
    • Escalation paths for evidence collection
    • Rules around swapping out consultants (e.g. interviewing, refusal, etc.)

Require the use of your organization’s tracking system

Do not let the 3PAO dictate that you need to use their own tracking system for uploading artifacts, monitoring progress, etc. They should accommodate your workflows, not the other way around.

Anticipate “significant changes” from a contract and budget standpoint

If your company’s product roadmap includes recurring changes that would constitute a ‘significant change’ under FedRAMP, then it’s advised to have a separate but complementary single-year T&M (or FFP) contract with your 3PAO to address significant changes on an ad hoc basis.

Volunteer to go deeper with auditors as mitigation to PMO meeting risk

If you have a nuanced architecture or data flow, it’s recommended that you go out of your way to go as deep as necessary with your auditors until you feel like they’ll be able to properly tell the story of your environment to the PMO.