FedRAMP ATO Process

FedRAMP Overview

The Federal Risk and Authorization Management Program, or FedRAMP, was conceived as a way to minimize cybersecurity risk for federal agencies as they move to the cloud. FedRAMP prescribes a standardized approach to security assessment, authorization and continuous monitoring for U.S. government agencies' use of cloud-based products and services. Federal agencies depend on this program to protect the confidentiality, integrity, availability and accountability of their data, and to obtain assurance of its security, when adopting private-sector software-, infrastructure- or platform-as-a-service technologies (SaaS, IaaS and PaaS, respectively). Vendors of cloud services, which the program calls cloud service providers (CSPs), follow prescribed paths to authorization. Third-party assessment organizations (3PAOs) conduct independent assessments, while the FedRAMP Program Management Office (PMO) provides oversight and guidance, reviews submissions and supports authorization decisions.

Advantages of FedRAMP

The FedRAMP program offers a standardized, "do once, use many times" framework to save federal agencies time, effort and money when assessing security. At the same time, agencies retain control of the level of cybersecurity risk they are willing to accept for a particular cloud service. Agencies can evaluate authorized cloud vendors' submission packages and decide for themselves whether the risk posture is acceptable for their needs, or if they want to make changes.

What Is FedRAMP Compliance?

In order for a commercial cloud service offering (CSO) to be used by a federal agency, the CSO must demonstrate FedRAMP compliance, which is the ability to substantiate adherence to the government security requirements outlined in NIST SP 800-53 and supplemented by the FedRAMP Program Management Office (PMO). In simpler terms, a cloud service provider (CSP) demonstrates FedRAMP compliance by obtaining a FedRAMP authorization, also called a FedRAMP Authority to Operate (ATO).

FedRAMP Compliance Requirements

Listed below are the high-level requirements to achieve FedRAMP compliance:

Note: In addition to the aforementioned high-level requirements, GSA showstoppers must be taken into consideration. Failure to address GSA showstoppers will preclude Authorization. See Authority To Operate for the list of GSA Showstoppers.

What Are the Different Paths to Achieve FedRAMP Compliance?

There are two types of FedRAMP authorization, a Provisional Authority to Operate (P-ATO) from the Joint Authorization Board (JAB) and an Agency Authority to Operate (ATO), and correspondingly two distinct paths to demonstrate FedRAMP compliance.

  1. The first path is to obtain a FedRAMP Agency ATO directly from a federal agency that intends to use the service.

  2. The second, and more difficult, path is to receive a FedRAMP P-ATO from the JAB. A P-ATO is provisional because each agency that later uses the service must still review the package and issue its own ATO, accepting the residual risk for its own use.

What is FedRAMP JAB?

The Joint Authorization Board (JAB) is the primary governance and decision-making body for FedRAMP. It is composed of the Chief Information Officers (CIOs) of the Department of Homeland Security (DHS), the U.S. General Services Administration (GSA) and the Department of Defense (DOD).

JAB P-ATO Authorization

FedRAMP JAB Chart

Note: The typical timeline for completing all FedRAMP-related activities ranges from 8 to 12 months.