A 3PAO evaluates a cloud provider's systems to ensure transparency between government and cloud providers and consistency in data security strategies. Certified 3PAOs use FedRAMP templates when performing security assessments.
The U.S. General Services Administration (GSA) website lists the following requirements for qualification as a 3PAO:
- Independence and quality management in accordance with ISO/IEC 17020:1998 standards.
- Information assurance competence that includes experience with FISMA and testing security controls.
- Competence in the security assessment of cloud-based information systems.
See also: Federal Cloud Computing Initiative