Is your 3PAO delivering? Or where is the ROI?

I just got off a call with another disgruntled customer. Not my customer … well, not yet. He is the customer of another Third Party Assessment Organization (3PAO) and is very unhappy. Not really with the 3PAO but with himself for not being as informed as he could have been during the market research phase and being a little more selective during the acquisition process. What happened and how did he get to this point? Could this have been prevented? How would you recover from this situation?

Perhaps it is the new climate on pricing, where everyone is responding to Low Price Technically Acceptable (LPTA) solicitations. Maybe it is the need to reduce costs to the absolute minimum to maintain profitability?  I’m not really sure, but this isn’t the first time we are hearing from a company unhappy with the support they are receiving and who are looking at different sources to get help with their FedRAMP accreditation. Another customer we recently started working with first tried (unsuccessfully) to draft a FedRAMP package themselves, then hired a “consultant” (not a 3PAO, also unsuccessful) and then decided to have EmeSec help with their documentation.

A common problem we see is the Cloud Service Provider (CSP) that does not understand the sheer volume of information required to produce a FedRAMP package.  The System Security Plan (SSP), just one of a number of required documents, can be 600 to 700 pages long.  Some CSPs don’t have a compliant SSP and associated documents before they start the process, and that can take a tremendous amount of effort both from the CSP and the 3PAO.  Unfortunately, some 3PAOs seem to down play the effort required to produce the documentation and will gloss over this during the sales process.  This leads to additional costs and time later.

Another problem is that some 3PAOs are treating all cloud solutions the same, whether it is IaaS, PaaS or a SaaS.  We know that every system is unique.  The size, architecture and complexity of the system can all affect the cost of the 3PAO engagement.  The complexity and size can complicate a number of policies and processes.  The type of technologies deployed within the system can impact the security posture and make it harder to document the system and its boundaries.   For our team, a simple description of the system can lead us to understand the issues we might face during the pre-assessment consulting, testing or continuous monitoring phases.

Some of the key aspects we review during our pre-assessment process include:

  • General description of your cloud solution
  • Overview of the basic technologies employed by the system
  • Number and type of server types (database servers, web servers)
  • Description of the system boundary
  • Number and types of inherited controls
  • Does the CSP have any preexisting certifications (ISO, government ATO, SOC)?

We have met with a number of clients who weren’t asked these types of questions during their search for a FedRAMP partner and are surprised after selecting one to find that the costs have escalated during the engagement. As you begin your search for a 3PAO partner, or if you are considering changing you current 3PAO, you may want to consider these and other areas that affect the assessment and monitoring costs that can slow down your ability to quickly recover your FedRAMP investment.