18F / tts-buy-cloudgov-3pao

3PAOs that have completed security packages for a PaaS and delivered them to the FedRAMP JAB #3

Closed cortneywrose closed 6 years ago

cortneywrose commented 6 years ago

Question/Comment

Name and affiliation

Cortney Rose - Proposal Manager for Booz Allen Hamilton, FedRAMP 3PAO

Section of RFQ documents

Technical Response Form - cloud.gov 3PAO Services - Phase 1 - Minimum Requirements

Question/Comment

Currently, there are only two 3PAOs that have completed security packages for a PaaS and delivered them to the FedRAMP JAB. Coalfire has conducted ten assessments and Kratos SecureInfo has conducted two. Is this bid limited to these two 3PAOs? Suggest requirement be rewritten to state, "The 3PAO has previously completed 3PAO assessments for CSPs and has performed work with GSA."

kagreen70 commented 6 years ago

The FedRAMP authorized assessors page shows more than two 3PAOs have completed and delivered security packages for PaaS. This RFQ is not being limited to only two 3PAOs. This requirement is not only for 3PAOs who have previously completed 3PAO assessments for CSPs and have performed work with GSA. As stated in the RFQ, both PaaS Agency Authorization and JAB Authorization are accepted, so long as the 3PAO has completed a Readiness Assessment, Initial Assessment or Annual Assessment for a FedRAMP PaaS cloud system.