As cloud service providers (CSPs) quickly learn when looking to provide solutions for federal government agencies, achieving a FedRAMP Authority to Operate (ATO) is a mandatory requirement for cloud service offerings (CSOs) that hold federal data. Are government agencies your customers? Does your CSO meet the government’s critical mission needs? Will it improve the security, efficiency, and/or the effectiveness of government operations? If you answer yes to any of these, you are very likely standing on the threshold of a journey into FedRAMP.
Where Do You Begin?
The first step in obtaining a FedRAMP ATO is identifying the right path to FedRAMP for your organization. Unlike many other types of compliance certifications, FedRAMP Authorization is actually the granting of an “Authority to Operate” in government environments rather than a generic certification. A FedRAMP ATO represents an acceptance of risk associated with the cloud solution on the part of a government agency – and therefore requires a government sponsor. For sponsorship, there are two paths to consider – agency-sponsored Authorization to Operate (ATO) or Joint Authorization Board (JAB) Provisional Authority to Operate (P-ATO).
Agency sponsorship means that at least one agency is willing to shepherd your cloud offering through the FedRAMP process, presumably because they want to use your solution. Agency sponsorship is the most common path to FedRAMP Authorization, representing 70 percent of all FedRAMP ATOs. For the purposes of the FedRAMP conversation, the term agency includes any government department, agency, sub-agency, or otherwise-named government organizational entity that purchases cloud solutions.
If your solution meets important needs of a specific government agency or a handful of agencies, and/or there are agencies who have expressed a desire to use your cloud solution or are already using an on-prem version of that solution, an agency-sponsored FedRAMP Authorization is a great option.
Agencies that agree to sponsor a solution for a FedRAMP Authorization are agreeing to commit certain resources and take on the work associated with sponsorship. Agencies need to provide an Authorizing Official (AO) and an Information Systems Security Officer or Manager (ISSO or ISSM) who can review significant amounts of documentation throughout the process, review monthly continuous monitoring reports, track Plan of Action and Milestones (POA&M) progress, and review annual re-assessment reports as well as system significant change requests and associated audit reports. Since many smaller agencies and sub-agencies don’t have team members with these skills or the scheduling bandwidth, they may leverage resources of their parent agencies or departments.
Agency Authorization Process
In both agency and JAB sponsorship, there are a few key steps and milestones that move an offering from preparation through authorization and into continuous monitoring (ConMon). In both cases, the process is overseen by the FedRAMP PMO, adding consistency to the experience. And while agency-sponsorship and JAB processes are similar, there are a few key differences for agency authorization.
- First, unless a specific agency requires it, a formal Readiness Assessment and Readiness Assessment Report (RAR) are not required, saving time, effort and money associated with the cost of the Third-Party Assessment Organization (3PAO) required to complete the assessment.
- Second, an agency may be willing to grant an ATO and accept certain risks associated with less-than-textbook controls implementation approaches (for non-critical controls) that make sense for their specific situation that wouldn’t be considered acceptable as part of a JAB authorization.
- Third, many agencies add additional agency-specific controls requirements that go above and beyond the FedRAMP-defined baseline.
It should be noted that while Agency ATOs can be a little less cumbersome than JAB P-ATOs, that isn’t guaranteed. Agencies may choose to require a formal 3PAO Readiness Assessment in addition to requiring their own additional controls. Further, many smaller agencies don’t have the experience or in-house expertise to provide the AO or ISSO/ISSM services they will need, requiring them to leverage their parent agency for support and ATO oversight – which can slow down or complicate the process.
JAB Provisional Authorization
The JAB is FedRAMP’s primary governing body and includes Chief Information Officers (CIOs) of three federal organizations: Department of Defense (DoD), General Services Administration (GSA), and the Department of Homeland Security (DHS). Just like with agencies, the JAB leverages the FedRAMP PMO (run by the GSA) and oversees movement of cloud offerings through the process.
A JAB authorization is actually a Provisional Authorization to Operate (P-ATO) simply because the JAB cannot accept risk on behalf of any agency. Agencies can then re-use the generally-available P-ATO package to grant their own ATO. Remember, a FedRAMP ATO is granted by an agency and represents risk acceptance associated with the solution. This means the JAB Authorization Process may have a slightly higher degree of scrutiny and adherence to the letter of the law for FedRAMP-defined baseline controls as they aren’t in the business of making exceptions or accommodating any specific agency needs. So, while an agency can grant an ATO with some reasonable leeway around certain non-critical controls, the JAB will not do the same.
JAB Provisional Authorization Process
Like the agency authorization process, the JAB process involves some key steps and milestones that move an offering from preparation through authorization and into ConMon. Unlike the agency process however, where any one of a large number of agencies can agree to sponsor, the JAB only has resources to process 12 CSPs each year. For the hundreds of CSPs looking to get their solutions FedRAMPed, only a select few will be chosen for JAB Authorization. Some key attributes of the JAB process:
- FedRAMP Connect – Due to the JAB’s limited resources and its thorough approach to authorization, which allows no agency-specific exceptions, a CSP wanting a JAB P-ATO must apply for consideration through FedRAMP Connect – which involves a standardized, criteria-based analysis of each solution that guides prioritization based on demand and desirability.
- Demand – CSPs must complete a Business Case showing government-wide need for the CSO. A demand scoring rubric adds objectivity to the selection process.
- Desirability – CSO must have features or offer characteristics that will meet pressing government needs such as addressing regulatory requirements or filling identified gaps in existing government software stacks.
- Readiness Assessment – JAB authorization requires a formal Readiness Assessment as evidenced by a Readiness Assessment Report (RAR) completed by a 3PAO prior to full assessment. If a CSP doesn’t have a RAR, they will need one within 60 days of being prioritized/selected for JAB P-ATO.
FedRAMP Authorization: Not a One-and-Done Effort
For both agency ATOs and JAB P-ATOs, authorization is actually the beginning of a long-term commitment to a continuous, attestable approach to delivering low-risk cloud solutions. Whether an agency or the JAB, whoever sponsors a CSO through the process is also agreeing to ongoing continuous monitoring, change management/significant change assessments, and annual re-assessment reviews.
Whether FedRAMP authorization is achieved through an agency or JAB, the benefits of the existing authorized (and re-usable) FedRAMP package remain the same. Subsequent agencies that wish to grant their own ATO are able to leverage that package, significantly reducing the amount of time and effort required to deploy into their operations.
Constellation GovCloud (CGC), a Merlin Cyber offering, is a pre-built, FedRAMP authorized Platform-as-a-Service hosted on AWS GovCloud and designed to host SaaS solutions seeking FedRAMP Authorization to Operate (ATO) within federal agencies. Our goal is to absorb a bulk of the underlying technical, operational and management burden, limiting the impact to our partners and allowing them to focus primarily on their specific SaaS operations and controls. We help our partners get to FedRAMP faster and with significantly less financial and resource commitments.