© Copyright 2023 Constellation GovCloud®. All rights reserved.
Cloud service providers (CSPs) looking to provide as-a-service solutions to federal government agencies (and that will therefore hold or process government data) quickly face the reality that those solutions must have a FedRAMP Authorization to Operate (ATO), and that an ATO requires a government partner that agrees to sponsor and ultimately grant the initial ATO. Until and unless those rules change, finding a sponsor is the first and arguably most difficult hurdle to overcome when seeking a FedRAMP ATO. Are government agencies your customers? Does your cloud service offering (CSO) meet the government’s critical mission needs? Will it improve the security, efficiency, and/or effectiveness of government operations? If you answer yes to any of these, you are very likely standing on the threshold of a journey into FedRAMP, and you need to find a sponsor.
Where Do You Begin?
The first step in obtaining a FedRAMP ATO is identifying the right path to FedRAMP for your organization. Unlike many other types of compliance certifications, a FedRAMP Authorization is actually an agency-by-agency granting of the authorization to operate within that agency’s environment. An ATO represents an acceptance of risk by a government agency, which makes a FedRAMP ATO different from other types of certifications. While FedRAMP embraces the concept of re-using an authorization package, cloud providers will still need to work with an initial government partner, otherwise known as a sponsor, to obtain their first ATO. Once that ATO is granted, other agencies can leverage the existing authorization package (the work done for the first ATO) to grant their own ATO. For sponsorship, there are two paths to consider: an agency-sponsored Authorization to Operate (ATO) or a Joint Authorization Board (JAB) Provisional Authorization to Operate (P-ATO).
Agency sponsorship means that a government agency has agreed to shepherd your cloud offering through the FedRAMP process, presumably because they want to use your solution. Agency sponsorship is the most common path to FedRAMP Authorization, representing 70 percent of all FedRAMP ATOs. For the purposes of the FedRAMP conversation, the term agency includes any government department, agency, sub-agency, or otherwise-named government organizational entity that purchases cloud solutions.
If your solution meets important needs of a specific government agency or a handful of agencies, and/or there are agencies who have expressed a desire to use your cloud solution or are already using an on-prem version of that solution, an agency-sponsored FedRAMP Authorization is a great option.
Agencies that agree to sponsor a solution for a FedRAMP Authorization are agreeing to commit certain resources and take on the work associated with sponsorship. Agencies need to provide an Authorizing Official (AO) and an Information Systems Security Officer or Manager (ISSO or ISSM) who can review significant amounts of documentation throughout the process, review monthly continuous monitoring reports, track Plan of Action and Milestones (POA&M) progress, and review annual re-assessment reports as well as significant change requests for the system and the associated audit reports. Since many smaller agencies and sub-agencies don’t have team members with these skills or the scheduling bandwidth, they may leverage resources of their parent agencies or departments.
Agency Authorization Process
In both agency and JAB sponsorship, there are a few key steps and milestones that move an offering from preparation through authorization and into continuous monitoring (ConMon). In both cases, the process is overseen by the FedRAMP Program Management Office (PMO), adding consistency to the experience. And while agency-sponsorship and JAB processes are similar, there are a few key differences for agency authorization.
- First, unless a specific agency requires it, a formal Readiness Assessment and Readiness Assessment Report (RAR) are not required for an agency-sponsored ATO, saving the time, effort and money associated with the cost of the Third-Party Assessment Organization (3PAO) required to complete the assessment. The JAB, on the other hand, requires all CSPs to complete a formal Readiness Assessment as a part of their authorization process.
- Second, agencies are laser-focused on their specific business objectives and associated risk posture, and partner with CSPs accordingly for the purposes of authorizing the use of cloud software. An agency may be willing to grant an ATO and accept certain risks associated with less-than-textbook control implementation approaches (for non-critical controls) that make sense for its specific organizational needs but that wouldn’t be considered “generally and broadly” acceptable, as required for a JAB authorization.
- Third, agencies may add agency-specific control requirements that go above and beyond the FedRAMP-defined baseline if those controls make sense for that agency’s risk posture and business needs.
It should be noted that while agency ATOs can be less cumbersome than JAB P-ATOs, that isn’t guaranteed. Agencies may choose to require a formal 3PAO Readiness Assessment in addition to requiring their own additional controls. Further, many smaller agencies don’t have the experience or in-house expertise to provide the AO or ISSO/ISSM services they will need, requiring them to leverage their parent agency for support and ATO oversight, which can slow down or complicate the process.
JAB Provisional Authorization
The JAB is FedRAMP’s primary governing body and includes Chief Information Officers (CIOs) of three federal organizations: Department of Defense (DoD), General Services Administration (GSA), and the Department of Homeland Security (DHS). Just like with agencies, the JAB leverages the FedRAMP PMO (run by the GSA) and oversees movement of cloud offerings through the process.
A JAB authorization is actually a Provisional Authorization to Operate (P-ATO) because the JAB cannot accept risk on behalf of any agency. Agencies can then re-use the generally available P-ATO package to grant their own ATO. Remember, a FedRAMP ATO is granted by an agency and represents risk acceptance associated with using the authorized solution. This means the JAB authorization process may apply a slightly higher degree of scrutiny and adherence to the letter of the FedRAMP-defined baseline controls, as the JAB is not in the business of making exceptions or accommodating any specific agency’s needs. So, while an agency can grant an ATO with some reasonable agency-specific implementation leeway for certain non-critical controls, the JAB will not do the same.
JAB Provisional Authorization Process
Like the agency authorization process, the JAB process involves some key steps and milestones that move an offering from preparation through authorization and into ConMon. Unlike the agency process, however, where any one of a large number of agencies can agree to sponsor, the JAB only has the resources to process 12 CSPs each year. Of the hundreds of CSPs looking to obtain a FedRAMP ATO, only a select few will be chosen for JAB authorization. Some key attributes of the JAB process:
- FedRAMP Connect – Due to the JAB’s limited resources and broad government-wide focus, a CSP wanting a JAB P-ATO must apply for consideration through FedRAMP Connect – which involves a standardized, criteria-based analysis of each solution that guides prioritization based on demand and desirability.
- Demand – CSPs must complete a Business Case showing government-wide need for the CSO. A demand scoring rubric adds objectivity to the selection process.
- Desirability – CSOs must have features or offer characteristics that will meet pressing government needs such as addressing regulatory requirements or filling identified gaps in existing government software stacks.
- Readiness Assessment – JAB authorization requires a formal Readiness Assessment, as evidenced by a Readiness Assessment Report (RAR) completed by a 3PAO prior to the full assessment. Additionally, the RAR must meet JAB standards, which can differ from those applied to a RAR provided for an agency-sponsored ATO. If a CSP doesn’t have a RAR that meets JAB standards, it will need one within 60 days of being prioritized/selected for a JAB P-ATO.
FedRAMP Authorization: Not a One-and-Done Effort
For both agency ATOs and JAB P-ATOs, authorization is actually the beginning of a long-term commitment to a continuous, attestable approach to delivering low-risk cloud solutions. Whether an agency or the JAB, whoever sponsors a CSO through the initial ATO process is also agreeing to ongoing continuous monitoring, change management/significant change assessments, and annual reassessment reviews.
Whether FedRAMP authorization is achieved through an agency or JAB, the benefits of the existing authorized (and re-usable) FedRAMP package remain the same. Subsequent agencies that wish to grant their own ATO are able to leverage that package, significantly reducing the amount of time and effort required to deploy into their operations.