Overview:
The organization accepts the results of an assessment of [Assignment: organization-defined information system] performed by [Assignment: organization-defined external organization] when the assessment meets [Assignment: organization-defined requirements].
Supplemental Guidance:
Organizations may often rely on assessments of specific information systems by other (external) organizations. Utilizing such existing assessments (i.e., reusing existing assessment evidence) can significantly decrease the time and resources required for organizational assessments by limiting the amount of independent assessment activities that organizations need to perform. The factors that organizations may consider in determining whether to accept assessment results from external organizations can vary. Determinations for accepting assessment results can be based on, for example, past assessment experiences one organization has had with another organization, the reputation that organizations have with regard to assessments, the level of detail of supporting assessment documentation provided, or mandates imposed upon organizations by federal legislation, policies, or directives.
Action Items:
1) Accept the results of an assessment performed by an external organization only when the assessment meets the organization-defined requirements; for the FedRAMP Moderate baseline, the assessor must be a FedRAMP Accredited 3PAO and the acceptance conditions are those set by the JAB/AO in the FedRAMP Repository
2) Before accepting external results, evaluate the factors in the supplemental guidance (past experience with the assessor, the assessor's reputation, the level of detail of the supporting assessment documentation, and any applicable federal mandates) rather than accepting results on the basis of the assessor's name alone
Related Documents:
1) Security Assessment and Authorization Policy
2) System Security Plan
Additional Guidance:
Moderate FedRAMP-Defined Assignment / Selection Parameters
CA-2 (3)-1 [any FedRAMP Accredited 3PAO]
CA-2 (3)-1-2 [any FedRAMP Accredited 3PAO]
CA-2 (3)-1-3 [the conditions of the JAB/AO in the FedRAMP Repository]
Moderate Additional FedRAMP Requirements and Guidance
none
Article ID: 629
Created: September 29, 2022
Last Updated: September 29, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/fedramp-external-organizations-ca-2-3-629.html