
The Federal Risk and Authorization Management Program (FedRAMP) helps U.S. federal agencies to assess the security of cloud service providers more efficiently. It is aimed at protecting government data and information systems and promoting the adoption of secure cloud products and services by federal agencies.
FedRAMP standardizes security requirements and authorizations for SaaS, PaaS, and IaaS cloud services per the Federal Information Security Management Act (FISMA). All cloud service providers (CSPs) that process, transmit, or store government information must use the FedRAMP baseline security controls to obtain security authorization under FISMA.
Any CSP looking to work with a federal government agency must achieve FedRAMP authorization either via an Agency Authority to Operate (ATO) or a Provisional Authority to Operate (P-ATO). Simply put, ATO and P-ATO are the two pathways to achieve FedRAMP compliance for cloud vendors.
Both types of authorization indicate that the CSP has implemented the required cloud security measures to protect sensitive government data. That said, there are differences between these two authorization paths, and understanding them starts with understanding FedRAMP itself.
What is FedRAMP?
FedRAMP standardizes and simplifies FISMA compliance for cloud service offerings (CSOs). Through a set of best practices and controls, FedRAMP provides agencies and vendors with a “standardized approach to security and risk assessment for cloud technologies and federal agencies,” to use the FedRAMP website’s own words.
This government-wide program aims to:
- Assure that all CSOs used by government agencies are adequately protected
- Reduce duplication and cost inefficiencies around risk management
- Create transparent security authorizations processes to enable agencies to rapidly adopt secure cloud computing systems
The baseline controls that serve as the foundation for FedRAMP come from the National Institute of Standards and Technology (NIST), specifically in the security framework known as NIST 800-53. The controls in NIST 800-53 encapsulate multiple security and risk areas including:
- Access control
- Configuration management
- Contingency planning
- Risk assessment
In addition to providing standardized security, assessment, and authorization requirements for cloud products and services, FedRAMP also provides:
- Standardized authorization packages
- A conformity assessment program with qualified independent, third-party security assessors
- A repository for CSO authorization packages that any federal agency can access
- Standardized contract “language” to help agencies seamlessly integrate FedRAMP requirements into CSO acquisitions
These artifacts are based on a security risk-based model that allows agencies to leverage authorizations for cloud systems. All CSOs and CSPs must get FedRAMP authorization.
FedRAMP controls are designed, implemented, governed, and maintained by multiple U.S. government agencies, including the Department of Homeland Security (DHS), the Department of Defense (DoD), the General Services Administration (GSA), and of course, NIST.
The program’s day-to-day operations are managed by the FedRAMP Program Management Office (PMO). In addition, the Joint Authorization Board (JAB) issues a Provisional Authority to Operate (P-ATO) for cloud services and CSPs.
What is FedRAMP Authority to Operate (ATO)?
To contract with U.S. federal agencies, CSPs must first complete a rigorous authorization process. One way to achieve authorization is via an Authority to Operate (ATO) FedRAMP certification.
The ATO is a formal declaration by an agency authorizing the use of a CSO while explicitly accepting the risk of doing so. To obtain the ATO, CSPs work directly with the agency’s security office and an Authorizing Official (AO).
When applying for the ATO, CSPs provide a security authorization package to the agency. Before granting the ATO, the agency performs a risk review of all the artifacts in the package in accordance with FedRAMP requirements.
The documentation is assessed independently, usually by a FedRAMP-accredited third-party assessment organization (3PAO) that acts on behalf of the federal agency. A 3PAO verifies the CSP’s security implementations and assesses the overall risk posture of its cloud environment to guide the agency’s security authorization decision.
The FedRAMP PMO recommends that agencies select an Independent Assessor (IA) from the FedRAMP 3PAO accreditation program. That’s not required, however; an agency can use a non-accredited IA for the ATO process as long as the agency can provide evidence of the IA’s independence via a letter of attestation.
Once the agency authorizes a CSP’s package, the agency emails the FedRAMP PMO. The PMO will instruct the CSP to submit the package for PMO review. During the review, the PMO will confirm that the package meets FedRAMP standards and publish it in the secure and access-controlled FedRAMP Secure Repository.
Once the AO authorizes a CSP environment for use by the agency, the agency formalizes the decision in an ATO letter which is then given to the CSP system owner. Then the CSP is added to the list of authorized CSPs on www.fedramp.gov.
Other agencies can rely on the authorization letter and security package from the Secure Repository to make their own procurement decisions for cloud products and to issue their own ATO to a CSP.
ATO Authorization Phases
The ATO application process varies depending on the CSO requesting authorization and the government systems to which it is requesting access. But in general, the ATO authorization process consists of four phases:
- Establish CSP/Agency Partnership. In this first step, the agency reviews the CSP’s security authorization package and identifies areas where adjustments are required.
- Perform Security Assessment. A FedRAMP-accredited 3PAO or a non-accredited IA performs the security assessment. After completing the security assessment, the agency may grant the ATO.
- Complete Authorization. An agency’s ATO does not give the CSP blanket authority to work with all agencies. To work with other agencies, the CSP must go through steps 1 and 2 again. Other agencies can review the CSP’s authorization letter from the ATO-granting agency on the FedRAMP Secure Repository. They can compare the package to their own security requirements to determine whether the CSO meets their security standards.
- Perform Continuous Monitoring. Once a CSP receives the ATO, it must perform continuous monitoring to maintain authorization. To this end, the CSP must submit a set of monitoring deliverables to the agency that’s using the CSO.
Monitoring assures that the CSP’s security measures are still operating effectively and that its security authorization package is up-to-date. Monitoring also increases visibility into the CSO’s security posture and allows agencies to make informed risk management decisions.
If more than one agency uses the FedRAMP-ready CSO, the CSP must submit these deliverables to all agencies. The CSP must also conduct annual security assessments to assure alignment with security requirements and maintain its FedRAMP ATO.
Differences Between ATO and P-ATO
A CSP can also obtain FedRAMP authorization via a provisional authorization (P-ATO) through the Joint Authorization Board (JAB). At first glance the only difference between ATO and P-ATO seems to be the word “provisional,” but there’s a lot more to these ideas than that one word.
To get a P-ATO, the CSP works with the FedRAMP PMO through its security assessment framework (SAF) and provides documentation in the security authorization package to the JAB. (Remember, in the case of ATO, the package is provided to the agency that will use the CSP’s CSO.)
For P-ATO, the JAB provides a risk review of these documents. An accredited 3PAO independently tests, verifies, and validates the CSP’s security assessment package, and the JAB then grants the P-ATO.
The JAB also informs federal agencies whether the CSO’s risk posture is acceptable for use at the designated data impact levels. The JAB, however, does not assume the risk for any agency. After vetting a CSP and assessing its security posture, the JAB may grant a P-ATO but it is still an individual agency’s decision to grant the ATO.
Regardless of whether the CSP gets ATO or P-ATO authorization, the CSP must obtain an authorization letter from the granting authority. For ATO, the letter is provided by the agency contracting with the CSP; the P-ATO letter is signed by the JAB.
Another difference between ATO and P-ATO is around continuous monitoring. For systems with a JAB P-ATO, the FedRAMP PMO manages continuous monitoring activities (yearly and monthly). For systems with an agency ATO, the agency manages these activities and annually updates a CSP’s security authorization package in the FedRAMP Secure Repository.
A CSP that has earned a FedRAMP JAB P-ATO meets the program’s stringent security and authorization requirements. Agencies can trust that essential data security and cybersecurity measures are in place in the cloud environment and the agencies don’t have to do their own security risk assessments.
Manage Compliance With ZenComply
If you are a cloud vendor just starting your FedRAMP compliance journey, you need a tool to streamline the FedRAMP authorization process and make it less overwhelming. You need visibility into your control environment and access to information to evaluate your compliance program. With ZenComply, you can get all this and more.
ZenComply provides an integrated and automated system of record to help you stay abreast of FedRAMP requirements and ensure continual compliance monitoring. It eliminates tedious manual processes and spreadsheets to provide a fast, easy, and prescriptive compliance solution.
Take advantage of ZenComply to optimize the health of your FedRAMP compliance program. Schedule a demo to get started.