FedRAMP FedRAMP Third-Party Assessment & Supply Chain

Question 1

What is the primary role of a Third-Party Assessment Organization (3PAO) in the FedRAMP authorization process?

Accepted Answer

To independently test and evaluate a CSP's security controls and produce a Security Assessment Report

Answer

To grant the Authorization to Operate to the cloud service provider

Answer

To develop the System Security Plan on behalf of the CSP

Answer

To monitor the CSP's compliance after authorization is granted

Question 2

Which organization accredits Third-Party Assessment Organizations (3PAOs) to perform FedRAMP assessments?

Accepted Answer

American Association for Laboratory Accreditation (A2LA)

Answer

National Institute of Standards and Technology (NIST)

Answer

Department of Homeland Security (DHS)

Answer

General Services Administration (GSA)

Question 3

What document does a 3PAO produce that outlines the planned scope, methodology, and schedule for a FedRAMP security assessment?

Accepted Answer

Security Assessment Plan (SAP)

Answer

System Security Plan (SSP)

Answer

Security Assessment Report (SAR)

Answer

Plan of Action and Milestones (POA&M)

Question 4

In FedRAMP supply chain risk management, what does SCRM stand for?

Accepted Answer

Supply Chain Risk Management

Answer

Security Control Remediation Methodology

Answer

System Configuration and Risk Monitoring

Answer

Software Component Reliability Measurement

Question 5

How must a FedRAMP CSP handle external services or APIs that are integrated into their authorized cloud offering?

Accepted Answer

External services must be documented in the SSP and assessed as part of the authorization boundary or accepted as risk

Answer

External services are automatically inherited from their own FedRAMP authorizations

Answer

External services are excluded from FedRAMP scope if the vendor is a US-based company

Answer

External services only need documentation if they process classified data

Question 6

What is the FedRAMP requirement regarding 3PAO independence from the CSP they are assessing?

Accepted Answer

The 3PAO must have no financial or organizational conflict of interest with the CSP being assessed

Answer

The 3PAO must be located in a different state than the CSP

Answer

The 3PAO must have assessed at least 5 other cloud providers before assessing the CSP

Answer

The 3PAO must be approved by the specific federal agency sponsoring the authorization