FedRAMP Agency Authorization to Operate (ATO) Authorization Process
FedRAMP is the program for Cloud Service Providers (CSPs) to gain access and sell to Federal Agencies. By law, agencies can only buy cloud products through the FedRAMP marketplace. It is very important to understand the entire framework and process before applying. Check out our FedRAMP guide for the certification and complianceprocess.
What Is an Agency ATO?
An Agency ATO is one of two paths to secure FedRAMP Authorization. The ATO process involves the Agency and the cloud provider. The JAB does not get involved, but the PMO office does do a final review at the very end. This process is faster than a JAB P-ATO and the Agency is the primary entity performing the authorization process.
Should You Pursue an Agency ATO?
The Agency ATO path is best for most cloud providers. This is a faster process than the JAB P-ATO. If there’s only demand from one or two agencies, then this is a more efficient path. Also, it’s important to know the impact level of the product. If it is Low or LI-SaaS, then it must go through the Agency ATO process. The JAB P-ATO is only for Medium and High impact products.
Here is a checklist for an Agency ATO:
- Narrow use case
- Demand from one or two agencies
- Commitment to see through the entire process
- LI-SaaS and Low impact products must go through an Agency ATO
- Does not qualify or is not competitive under a JAB P-ATO process
- Secured FedRAMP Ready status before applying (not required, but most do so in practice)
Agency ATO is best suited if the product is unlikely to gain selection under the JAB P-ATO process. Note that the product secures the exact same FedRAMP Authorization status under either path. The Agency ATO is actually faster. The difference is that the Agency must invest the time and resources to drive the authorization process. For cloud providers, the Agency ATO results in the same authorization. In practice, other agencies looking to adopt the package will more easily accept a JAB P-ATO than an Agency ATO. The reason is that a JAB P-ATO indicates that the product has broad use cases across agencies. An Agency ATO is specific to that agency itself. So another Agency evaluating an ATO will have to do extra work to determine if it fits within its own org and use case.
How Long Does The FedRAMP Authorization Take Under ATO?
The Agency Authorization (ATO) process takes 4-5 months. The pre-authorization work such as partnership establishment takes two weeks. Then the security assessment takes one month. Once all the planning is complete, the CSP can move forward to the authorization stage. This final stage takes 2-3 months.
CSPs need to prepare to maximize success. One key area that most vendors miss is that it’s easier to build upon a FedRAMP Authorized product. If a vendor uses AWS for its infrastructure, then it doesn’t have to worry about the security at this layer. If it chooses to use its own infrastructure, it must certify that its infrastructure meets hundreds of security controls.
Most successful products leverage existing Authorized products. Most leverage AWS, GCP, Azure or IBM for the infrastructure. Most leverage Box for any content, file or document storage. This enables the vendor to just focus on its core product without worrying about other dependencies.
There are four phases to obtain Agency ATO Authorization
- Partnership Establishment
- Full Security Assessment
- Authorization Process
- Continuous Monitoring
Phase 1: Partnership Establishment
The CSP must formalize a partnership with a specific Agency via FedRAMP’s In Process Requirements. There are two key components to get a FedRAMP In Process designation with an agency. First, the CSP must commit to completing an Authorization process. Second, the Agency must issue written confirmation of the Agency’s intent to authorize and fulfill at least one of four additional requirements.
The Agency Attestation must contain:
- The CSP name
- The CSO name
- An attestation that the partnering agency is actively working with the CSP to grant an ATO in:
- 12 months for Low, Moderate, and High authorizations, or
- Three months for FedRAMP Tailored authorizations
- The impact level (e.g., Low, Moderate, or High) at which the agency will authorize the service offering
- The agency and CSP points of contact who will work with FedRAMP
- The full 3PAO assessment is planned for no more than six months from the date of email
Additional Requirements (At Least One of Four):
- The agency provides proof of a contract award for the use of the CSO
- The agency and CSP demonstrate use of the service offering to the PMO (Note: An email from the Agency AO stating the product is being used by the agency will meet this requirement)
- The CSO is currently listed as FedRAMP Ready on the Marketplace
- Completion of a formal kick-off meeting that includes the agency, CSP, FedRAMP PMO, and, if applicable, 3PAO
CSPs should have full commitment to go through the entire process. Often, a vendor may already be under contract or acquisition process with an agency. At a minimum, the vendor should have one technical writer, one technical SME, and one project manager. They should also complete FedRAMP Training in advance.
The CSPs must complete their System Security Plan (SSP) and have gone through the agency review process before moving to the next phase. Then the Agency partner must approve and sign off on the SSP prior to testing.
After approval, the CSP must create Security Assessment Plan (SAP) with their 3PAO. The SAP is a test plan to assess the system’s security controls. This plan includes a penetration test plan, rules of engagement and inventory worksheet.
Phase 2: Full Security Assessment
Once the SAP is complete, the 3PAO tests the CSP’s system. No changes can be made to the system. The CSP must freeze code development.
The 3PAO then creates a Security Assessment Report (SAR) after completing the test. The SAR contains detailed findings and whether to recommend the system for FedRAMP Authorization.
The CSP develops a Plan of Actions and Milestones (POA&M) to track and manage system security risks identified in the SAR.
Phase 3: Authorization Process
The sponsoring Agency reviews the assessment, including the SAR and POA&M. It will then request remediation and additional testing if required.
Here is a checklist for the agency:
- Incomplete implementation statements
- Blank fields
- Conflicting implementation status
- Missing or outdated SSP attachments
- Blank fields
- Missing or outdated evidence artifacts
- Skewed methodology and scope
- Conflicting risk levels between SAR Tables 4.1, 5.1, 5.2, 5.3, False Positives, vulnerability scans, and the POA&M
- The inventory to documented in the SAR (Appendix C,D, and E) needs to matches the scanned inventory
- Missing POA&M dates or dates that are beyond FedRAMP requirements for remediation
The Agency review of remediation work can happen on an iterative or linear basis depending on Agency reviewer, CSP, and 3PAO preferences. Once the CSP fixes outstanding issues, the Agency will then conduct a final review. At the end of the remediation phase, there is an in-person remediation close-out meeting to review all changes.
The Agency AO must hold a final briefing. The briefing must contain:
- Overall risk posture and authorization recommendation
- High to Medium or High to Low risk adjustments
- Organizational requirements and why they are required
- Alternative control implementations and why they are necessary
- Continuous monitoring maturity and progress during the ATO process
If the Agency accepts the risk of using the system, it will issue an ATO letter. But that does not mean the Authorization is done. The Agency or CSP then uploads the entire security package, the FedRAMP checklist, and ATO letter to FedRAMP’s Secure Repository on OMB MAX.
The PMO must review the entire package and request remediation. The CSP must fix all technical issues. Once fixes are complete, the PMO will issue the official FedRAMP Authorization.
Phase 4: Continuous Monitoring
FedRAMP Authorization is not a one-time process. The CSP must perform ongoing tasks to retain the Authorization. For example, the CSP must provide monthly continuous monitoring deliverables to the Agencies using their service. These may include an updated POA&M, scan results/reports, system change information/requests. CSPs may use the FedRAMP repository to share monthly material with Agency representatives. However, they do not need to share these materials with the FedRAMP PMO.
The CSP must also complete an annual security assessment with a 3PAO to ensure the risk posture of the system remains acceptable. CSPs then upload the annual assessment, along with updated security authorization package documentation, to the FedRAMP secure repository.