5 Things to Look for in Choosing a 3PAO
By Corey Clements
In my recent post, “Look before You Leap: The Value of FedRAMP Pre-Assessment,” I compared earning FedRAMP authorization to climbing Mt. Everest. Both require the assistance of an experienced guide, in addition to independent preparation. While I enjoy hiking, I’ve never attempted to summit Mt. Everest. (The 2015 film by Icelandic director Baltasar Kormákur did not make it seem appealing.) I imagine the assistance of Sherpas is vital to success. Similarly, 3PAOs play a critical role in your quest for FedRAMP authorization, so you must choose wisely.
By definition, a 3PAO is certified and performs security assessments in accordance with FedRAMP requirements. But, like all service providers, they are not created equal. At SecureIT, we suggest looking for the following five traits in a 3PAO.
1. Strong Corporate Track Record
Reliability is a key attribute to seek in any vendor. No one wants to be stuck with a fly-by-night service provider. Look for a firm that covers the full spectrum of cybersecurity, risk, and audit services, and has experience helping commercial as well as government entities. Longevity is also critical, both for the firm itself and for the individual staff members on the delivery team. You need the support of a vendor that has a proven track record and a deep understanding of Federal regulations and compliance.
2. Good Listeners
A quality 3PAO should conduct a thorough intake process to understand your unique business goals and needs. No two organizations are the same, and none should be treated as if they were. Look for a 3PAO that actually talks to its customers and strives to understand their specific situations. If the project kickoff consists of, “Credit card number, please?” and not much else, you may want to keep searching.
FedRAMP authorization should be a business enabler, not a business impediment. Look for a 3PAO that has a track record of success in a variety of industries, understands the business component of your FedRAMP objectives, and will tailor its approach accordingly. A cookie-cutter approach to FedRAMP authorization can be dangerous and overly burdensome. A good 3PAO should be flexible and serve as a true partner in your success.
4. A Partner into the Future
3PAO firms can also make great advisors when not engaged as a 3PAO. As your business grows, it’s certainly advantageous to employ the FedRAMP strategy of “do once, use many times” and continually leverage the same firm. Look for a firm whose people, methodologies, and broad expertise you can draw on. Do you have other compliance needs, such as SOC 2 and NIST 800-171? Could you use some help in standing up a Vendor IT Risk Management program? In need of a more cost-effective penetration testing and scanning solution? A good 3PAO advisor should have expertise in many areas and be able to partner with your organization as it grows.
Also, seek a firm that is willing to transfer knowledge and build skills internally within your team. While it may be true that skilled consultants often work themselves out of a job, you don’t want a 3PAO that has no plan for, and no readiness to, empower and propel your team and resources.
5. Plays Well with Others
A 3PAO that certifies your FedRAMP authorization cannot be the same party that does the advisory and solution work. Therefore, you’ll more than likely engage two or more firms to achieve your FedRAMP goals. SecureIT prides itself on effectively teaming with other third parties to efficiently achieve our clients’ FedRAMP objectives. Every day, we help our customers achieve FedRAMP authorization by successfully partnering, sometimes as the selected 3PAO assessor and oftentimes as trusted advisors implementing the controls required for FedRAMP authorization. If and when multiple parties are engaged, choose a FedRAMP partner that comes truly ready to team for your success.