The Federal Risk and Authorization Management Program (FedRAMP) helps U.S. federal agencies assess cloud service providers’ security more efficiently. It aims to protect government data and information systems and promote the adoption of secure cloud products and services by federal agencies.
FedRAMP standardizes security requirements and authorizations for SaaS, PaaS, and IaaS cloud services per the Federal Information Security Management Act (FISMA). All cloud service providers (CSPs) that process, transmit, or store government information must use the FedRAMP baseline security controls to obtain security authorization under FISMA.
Any CSP looking to work with a federal government agency must achieve FedRAMP authorization via an Agency Authority to Operate (ATO) or a Provisional Authority to Operate (P-ATO). ATO and P-ATO are the two pathways to achieve FedRAMP compliance for cloud vendors.
Both types of authorization indicate that the CSP has implemented the required cloud security measures to protect sensitive government data. That said, there are differences between these two authorization paths. Understanding FedRAMP is crucial to understanding the differences.
What is FedRAMP?
FedRAMP standardizes and simplifies FISMA compliance for Cloud Service Offerings (CSOs). Through a set of best practices and controls, FedRAMP provides agencies and vendors with a “standardized approach to security and risk assessment for cloud technologies and federal agencies,” to use the FedRAMP website‘s own words.
This government-wide program aims to:
- Assure that all CSOs used by government agencies are adequately protected
- Reduce duplication and cost inefficiencies around risk management
- Create transparent security authorization processes to enable agencies to adopt secure cloud computing systems rapidly
The baseline controls that serve as the foundation for FedRAMP come from the National Institute of Standards and Technology (NIST), specifically in the security framework known as NIST 800-53. The controls in NIST 800-53 encapsulate multiple security and risk areas, including:
- Access control
- Configuration management
- Contingency planning
- Risk assessment
In addition to providing standardized security, assessment, and authorization requirements for cloud products and services, FedRAMP also provides:
- Standardized authorization packages
- A conformity assessment program with qualified independent, third-party security assessors
- A repository for CSO authorization packages that any federal agency can access
- Standardized contract “language” to help agencies seamlessly integrate FedRAMP requirements into CSO acquisitions
These artifacts are based on a security risk-based model, allowing agencies to leverage cloud system authorizations. All CSOs and CSPs must get FedRAMP authorization. (For example, click here to read about FedRAMP and AWS.)
FedRAMP controls are designed, implemented, governed, and maintained by multiple U.S. government agencies, including the Department of Homeland Security (DHS), the Department of Defense (DoD), the General Services Administration (GSA), and, of course, NIST.
The FedRAMP Program Management Office (PMO) manages the program’s day-to-day operations. In addition, the Joint Authorization Board (JAB) issues a Provisional Authority to Operate (P-ATO) for cloud services and CSPs.
What is FedRAMP Authority to Operate (ATO)?
CSPs must first complete a rigorous authorization process to contract with U.S. federal agencies. An Authority to Operate (ATO) FedRAMP certification is one way to achieve authorization.
The ATO is a formal declaration by an agency authorizing the use of a CSO while explicitly accepting the risk of doing so. CSPs work directly with the agency’s security office and an Authorizing Official (AO) to obtain the ATO.
When applying for the ATO, CSPs provide a security authorization package to the agency. Before granting the ATO, the agency will provide a risk review of all the artifacts in the package following FedRAMP requirements.
The documentation is assessed independently, usually by a FedRAMP-accredited Third-Party Assessment Organization (3PAO) that acts on behalf of the federal agency. A 3PAO verifies the CSP’s security implementations and assesses the overall risk posture of its cloud environment to guide the agency’s security authorization decision.
The FedRAMP PMO recommends that agencies select an Independent Assessor (IA) from the FedRAMP 3PAO accreditation program. That’s not required, however; an agency can use a non-accredited IA for the ATO process as long as the agency can provide evidence of the IA’s independence via a letter of attestation.
Once the agency authorizes a CSP’s package, the agency emails the FedRAMP PMO. The PMO will instruct the CSP to submit the package for PMO review. During the review, the PMO will confirm that the package meets FedRAMP standards and publish it in the secure and access-controlled FedRAMP Secure Repository.
Once the AO authorizes a CSP environment for use by the agency, the agency formalizes the decision in an ATO letter, which is then given to the CSP system owner. Then, the CSP is added to the list of authorized CSPs on www.fedramp.gov.
Other agencies can rely on the authorization letter and security package from the Secure Repository to make their own procurement decisions for cloud products and to issue their own ATO to a CSP.
ATO Authorization Phases
The ATO application process varies depending on the CSO requesting authorization and the government systems it is requesting access. But in general, the ATO authorization process consists of four phases:
Establish CSP/Agency Partnership
In this first step, the agency reviews the CSP’s security authorization package and identifies areas where adjustments are required.
Perform Security Assessment
A FedRAMP-accredited 3PAO or a non-accredited IA performs the security assessment. After completing the security assessment, the agency may grant the ATO.
An agency’s ATO does not give the CSP blanket authority to work with all agencies. To work with other agencies, the CSP must go through steps 1 and 2 again. Other agencies can review the CSP’s authorization letter from the ATO-granting agency on the FedRAMP Secure Repository. They can compare the package to their security requirements to determine whether the CSO meets their security standards.
Perform Continuous Monitoring
Once a CSP receives the ATO, it must continuously monitor to maintain authorization. To this end, the CSP must submit a set of monitoring deliverables to the agency using the CSO.
Monitoring assures that the CSP’s security measures are still operating effectively and that its security authorization package is up-to-date. Monitoring also increases visibility into the CSO’s security posture and allows agencies to make informed risk management decisions.
If more than one agency uses the FedRAMP-ready CSO, the CSP must submit these deliverables to all agencies. The CSP must also conduct annual security assessments to assure alignment with security requirements and maintain its FedRAMP ATO.
What is FedRAMP P-ATO?
A CSP can also obtain FedRAMP authorization via a provisional authorization (P-ATO) through the Joint Authorization Board (JAB).
To get a P-ATO, the CSP works with the FedRAMP PMO through its Security Assessment Framework (SAF) and provides documentation in the security authorization package to the JAB. (Remember, in the case of ATO, the package is provided to the agency that will use the CSP’s CSO.)
For P-ATO, the JAB provides a risk review of these documents. An accredited 3PAO independently tests, verifies and validates the CSP’s security assessment package, and JAB then grants the P-ATO.
The JAB also informs federal agencies whether the CSO’s risk posture is acceptable for use at the designated data impact levels. The JAB, however, does not assume the risk for any agency. After vetting a CSP and assessing its security posture, the JAB may grant a P-ATO, but it is still an individual agency’s decision to grant the ATO.
Differences Between ATO and P-ATO
At first glance, the only difference between ATO and P-ATO seems to be the word “provisional,” but there’s a lot more to these ideas than that one word.
Whether the CSP gets ATO or P-ATO authorization, the CSP must obtain an authorization letter from the granting authority. For ATO, the letter is provided by the agency contracting with the CSP; the JAB signs the P-ATO letter.
Another difference between ATO and P-ATO is around continuous monitoring. The FedRAMP PMO manages continuous monitoring activities (yearly and monthly) for systems with a JAB P-ATO. The agency manages these activities for systems with an agency ATO and annually updates a CSP’s security authorization package in the FedRAMP Secure Repository.
A CSP that has earned a FedRAMP JAB P-ATO meets the program’s stringent security and authorization requirements. Agencies can trust that essential data security and cybersecurity measures are in place in the cloud environment, and the agencies don’t have to do their security risk assessments.
FAQs About FedRAMP ATO and P-ATO
How Long Does It Take to Get a FedRAMP ATO?
Three major components of your ATO trip will influence how long it takes to obtain permission. Furthermore, the authorization method you choose (JAB or Agency Sponsor) and the level you seek will influence your timetable. We propose organizing your chronology into four major sections:
- Review of Readiness. Required for JAB authorization and frequently suggested for agency ATO preparation – anticipated to take 1 month.
- Remediation. This is tough to quantify because each company is unique. Most businesses will require 4 to 6 months or more before they are ready (depending on commitment to acquire an ATO).
- Complete security assessment. This is when a 3PAO will conduct an impartial review of your security measures, as well as extensive security testing and vulnerability scanning. Depending on your resources and commitment to acquiring an ATO, this procedure might take 2-4 months to complete.
- The Authorization Procedure. This is the stage at which you collaborate with the JAB or agency/FedRAMP PMO to examine your authorization package and get an ATO. This procedure can take 2 to 3 months or longer, depending on how regularly and openly you communicate with the JAB, your agency and how accurate and thorough your authorization package is.
How to Obtain a FedRAMP Authorization
A FedRAMP Authorization can be obtained in two ways: as a provisional authorization through the Joint Authorization Board (JAB) or an authorization through an agency.
At any stage within the Agency permission process, agencies may interact directly with a Cloud Service Provider (CSP) for permission. CSPs who cooperate directly with an agency to get an Authority to Operate (ATO) will collaborate with the agency throughout the FedRAMP Authorization process.
Is FedRAMP Authorization Required?
FedRAMP is necessary for every CSP that has created a CSO for use with a federal agency.
FedRAMP rules must be followed whenever a federal agency distributes sensitive government data in the cloud. When an agency seeks a collaboration with a CSP, both parties must collaborate to get authorization.
What are the Best Practices for FEdRAMP Authorization?
Here are some best practices for attempting the many routes to authorization and attaining FedRAMP compliance:
Determine Your Impact Baseline
Your authorization level will depend on the services your CSP offers to federal agencies; this will also define how many security controls you must implement to get authorization.
Three impact baseline levels—low, moderate, and high—are used in the FedRAMP organization. These align with the potential consequences of a breach involving the agency’s information.
Filling the Federal Information Processing Standards Publication 199 (FIPS-199) form is the first step towards FedRAMP compliance. You can find out exactly what risk impact level you need to pursue by using the FIPS-199.
Select Your Authorization Pathway
FedRAMP authorization can be obtained through two primary channels: the Joint Authorization Board (JAB) or a particular Agency. An organization can obtain an Authorization to Operate (ATO) by agency authorization and a Provisional Authorization to Operate (P-ATO) through JAB authorization. The approach you choose should align with your business’s objectives, risk-impact level, and maturity.
Prepare Your POA&M
The initial stage of compliance, FedRAMP authorization, requires a lot of documentation. You must also finish the Plan of Action and Milestones (POA&M) and the FIPS-199. Under the National Institute for Standards in Technology (NIST) Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations, your CSO’s POA&M is a risk management strategy.
Align with Your Third-Party Assessment Organization (3PAO)
Visit the FedRAMP Marketplace for further details on federal agencies, a list of Third-Party Assessment Organizations (3PAOs), and a look at the already listed CSPs. To determine whether your company is ready for your ATO or P-ATO, you must work with a 3PAO to evaluate it and compile your Readiness Assessment Report (RAR).
Prepare for Continuous Monitoring
Following the receipt of your ATO or P-ATO, you have a schedule for continuous monitoring, or ConMon, as it’s known in FedRAMP. Monthly vulnerability scans are part of ConMon.
Planning out your monitoring schedule can help you prepare for this by going over your POA&M again, making sure the appropriate staff members are taking ownership of the controls, and creating an auditing and risk management strategy mainly made to keep your FedRAMP authorization.
Make sure to adequately prepare for this phase, which also necessitates keeping abreast of any updates to FedRAMP compliance standards and security measures applicable to your designated impact level. If you don’t, the JAB or the agency you’re working with may cancel your ATO.
Manage Compliance With ZenGRC
If you are a cloud vendor just starting your FedRAMP compliance journey, you need a tool to streamline the FedRAMP authorization process and make it less overwhelming. You need visibility into your control environment and access to information to evaluate your compliance program. With ZenGRC, you can get all this and more.
ZenGRC provides an integrated and automated system of record to help you stay up-to-date with FedRAMP requirements and ensure continual compliance monitoring. It eliminates tedious manual processes and spreadsheets to provide a fast, easy, prescriptive compliance solution.
Take advantage of ZenGRC to optimize the health of your FedRAMP compliance program. Schedule a demo to get started.