The American Association for Laboratory Accreditation (A2LA) has released an updated version of the R311 policy document, which outlines the requirements for all FedRAMP recognized third-party assessment organizations (3PAOs) and organizations seeking A2LA accreditation to be recognized by FedRAMP.
In a blog post, FedRAMP said that the update includes “significant changes” to the R311 and “encourages assessors to read the updates in their entirety.” The majority of the requirements take effect immediately and will be assessed during each 3PAO’s upcoming A2LA assessment.
In a statement, A2LA highlighted a few of the changes included in the new policy document:
- “For corrective actions, a 75-day resolution timeframe will now be closely monitored. Immediate action is taken for exceeding this timeframe starting with any assessments that occur after the release date.
- 3PAOs that allow their accreditation to lapse will lose their FedRAMP recognition and be required to re-enter the qualification process as an A2LA Cybersecurity Inspection Body (including the 1-year waiting period).
- The use of 3PAO owned/developed tools requires documented rationale for maintaining impartiality between the 3PAO and the [cloud service provider]. This rationale will be reviewed/approved by A2LA and the FedRAMP [Program Management Office].
- The personnel requirements have more specified qualifications for the defined roles and we have introduced a junior assessor role (and removed the quality representative).
- The training plan now has minimum requirements for at least 6 hours per knowledge area and an updated total required 32 hours of training annually. Records of training need to be maintained along with evidence that the training has been signed off by a designated individual.
- The requirement allowing the subcontracting requirements to be waived if using another 3PAO has been removed.
- Any organization [that] has not completed an assessment in a calendar year (based on the A2LA expiration date) will need to send a representative team through the [Baltimore Cyber Range] exercise to maintain their FedRAMP recognition. This will be tracked through each A2LA interaction (annual review or renewal).”
A2LA did note that the updated personnel requirements will not be fully implemented until January 1, 2022. The statement noted that if the personnel currently holding impacted roles do not have the required qualifications, the organization has until January 1, 2022, to either re-assign the role to a qualified individual or ensure the current individual is maintaining the required qualifications.