
Page Info

Description: Overview of why you need an assessor for Class B/C/D, why not to confuse them with advisors, when to get involved with an assessor (as early as possible), and how to find them on the Marketplace.

Purpose: Readers will know they need to engage a FedRAMP Recognized assessor when they are ready to go for Class B or above, and that it is often fine to engage one earlier.

Finding an Assessor

Partnering with a FedRAMP Recognized Independent Assessment Service (often referred to as an "independent assessor" or simply an "assessor") is a mandatory step for any cloud provider aiming for FedRAMP Certification Class B, C, or D.

These experts perform the initial assessment to obtain FedRAMP Certification and provide ongoing assessment to maintain it. Given their vital role, providers are encouraged to engage an assessor as early as possible.

FedRAMP Marketplace

A list of FedRAMP Recognized assessors can be found on the FedRAMP Marketplace under the “Assessors” tab.

You can browse the list of FedRAMP Recognized assessors in alphabetical order, or you can filter and sort for the qualifications and expertise you are looking for in an assessor.

FedRAMP Marketplace Independent Assessment Services Listings

FedRAMP provides information about Independent Assessment Services for the convenience of the public based on a formal FedRAMP Recognition process; listing in the FedRAMP Marketplace does not represent an endorsement by FedRAMP of any business.

Consider the Vibes

Choosing an assessor wisely gains you a knowledgeable partner who can explain their assessment methodology beforehand, walk you through the results afterward, and potentially support you throughout your ongoing certification.

A poor choice can lead to significant delays, increased costs, and frustration, so knowing what to look for and getting engaged with an assessor early can offset or minimize many of these issues.

It’s a good practice to:

  • Interview multiple FedRAMP Recognized assessors. Don't settle for the first one you talk to.
  • Get proposals from at least 2-3 FedRAMP Recognized assessors to compare their approaches, expertise, tools, and pricing.
  • Ensure that they demonstrate good communication and are consistently responsive to your questions and concerns.

Review Qualifications

Verify assessor personnel are subject matter experts on FedRAMP and the specific components and underlying technologies of your service.

  • When you ask questions about FedRAMP, generally, can they speak to the similarities and differences between Rev5 and 20x? The different classes?
  • Check for their knowledge of specific platforms, third-party services, or deployment models (serverless, Kubernetes, etc.), and their ability to perform code review of automated validations.
  • Look to see if their personnel have relevant industry certifications like CISSP, CISA, and CEH as well as cloud-specific security certifications like AWS Certified Security, Azure Security Engineer, and Google Professional Cloud Security Engineer.

FedRAMP Recognition is a Minimum Bar

FedRAMP Recognition and the related A2LA Certification requirements establish a minimum bar for independent assessment services, focused on administrative capabilities and basic requirements. Neither process reviews expertise and experience in significant depth; technical expertise in particular, along with familiarity with recent program changes, varies widely among assessment services.

Review Experience

Evaluate their level of engagement with FedRAMP, both in performing assessment activities and in keeping up to date with programmatic updates.

  • What types of FedRAMP Certification paths or classes have they already assessed?
  • Have they been an independent assessor for the Rev5 or 20x path?
  • How many clients have they helped achieve FedRAMP Certification?
  • Check to see how active they are in participating in FedRAMP events and public discussion forums.

Check Past Performance and Reputation

Investigate their track record with FedRAMP and what others in the FedRAMP ecosystem have said about the quality of their services.

  • Speak to other cloud providers they have worked with. Ask about their experience, responsiveness, expertise, and overall satisfaction.
  • Check their past performance with FedRAMP. How many performance issues or corrective actions have been issued by FedRAMP? Is the assessor currently in "Remediation" on the FedRAMP Marketplace?
  • Marketing teams in every company love displaying endorsements. Look at testimonials on their website, LinkedIn, the Better Business Bureau, etc.
