
Agency Authorization

Pursuing a FedRAMP® Agency Authorization

There are two approaches to obtaining a FedRAMP Authorization: a provisional authorization through the Joint Authorization Board (JAB), or an authorization through an agency. In the Agency Authorization path, agencies may work directly with a Cloud Service Provider (CSP) for authorization at any time. CSPs that make a business decision to work directly with an agency to pursue an Authority to Operate (ATO) will work with that agency throughout the FedRAMP Authorization process.

The Authorization Process

Preparation

The preparation phase consists of two steps: Readiness Assessment and Pre-Authorization.

Readiness Assessment

In the Readiness Assessment step, a CSP may elect to pursue the FedRAMP Ready designation, which is optional for the Agency Authorization process, but highly recommended. To achieve the FedRAMP Ready designation, a CSP must work with an accredited Third Party Assessment Organization (3PAO) to complete a Readiness Assessment of its service offering. The Readiness Assessment Report (RAR) documents the CSP's capability to meet federal security requirements. More information regarding steps to achieve FedRAMP Ready can be found on the About FedRAMP Marketplace page.


Pre-Authorization

During the Pre-Authorization step, a CSP formalizes its partnership with an agency via the requirements outlined in FedRAMP Marketplace: Designations for Cloud Service Providers. A CSP also prepares to undergo the authorization process. They make any necessary technical and procedural adjustments to address federal security requirements and prepare the security deliverables required for authorization.

By this stage, a CSP should:

  • Have a system that is fully built and functional
  • Have a leadership team that is committed and fully on board with the FedRAMP process
  • Engage with FedRAMP through the intake process by completing a CSP Information Form
  • Determine the security categorization of the data that will be placed within the system using the FedRAMP Federal Information Processing Standards (FIPS) 199 Categorization Template (Section 15 of the System Security Plan (SSP) template, available on the Documents & Templates page), along with the guidance of FIPS PUB 199 [PDF - 78KB] and NIST Special Publication 800-60 Volume 2 Revision 1, to correctly categorize the system based on the types of information it processes, stores, and transmits

The final step in Pre-Authorization is to prepare for and conduct a Kickoff Meeting. During the Kickoff Meeting, a CSP and agency will discuss:

  • The background and functionality of the cloud service
  • The technical security of the cloud service, including the system architecture, the authorization boundary, data flows, and core security capabilities
  • Customer responsible controls that must be implemented and tested by the Agency
  • Compliance gaps and remediation plans
  • A work breakdown structure, milestones, and next steps


Authorization

The authorization phase consists of two steps: Full Security Assessment and Agency Authorization Process.

Full Security Assessment

During the Full Security Assessment step, the 3PAO performs an independent audit of the system. Prior to this step, a CSP should ensure that the SSP is complete and has been reviewed and approved by the agency customer. Additionally, the Security Assessment Plan (SAP) should be developed by a CSP’s 3PAO with their authorizing agency’s input.

During this step, the 3PAO tests the CSP’s system. At the conclusion of testing, the 3PAO develops a Security Assessment Report (SAR) which details their findings from testing and includes a recommendation for FedRAMP Authorization.

The CSP then develops a Plan of Action and Milestones (POA&M), based on the SAR findings and with input from the 3PAO, which outlines how the findings from testing will be addressed.


Agency Authorization Process

The next step is the Agency Authorization Process. During this step, the agency conducts a security authorization package review, which may include a SAR debrief with the FedRAMP PMO. Depending on the results of the agency’s review, CSP remediation may be required. Additionally, the agency will implement, test, and document customer responsible controls during this phase. Finally, the agency performs a risk analysis, accepts risk, and issues an ATO. This decision is based on the agency’s risk tolerance. Once an agency provides an ATO letter for the use of the cloud service offering (CSO), the following actions take place to close out this step:

  • The CSP uploads the Authorization Package Checklist and the complete security package (SSP and attachments, POA&M, and Agency ATO letter), with the exception of the security assessment material, to FedRAMP’s secure repository.
  • The 3PAO uploads all security assessment material (SAP, SAR, and attachments) associated with the CSO security package to FedRAMP’s secure repository.

The FedRAMP PMO performs a review of the security assessment materials for inclusion in the FedRAMP Marketplace. The FedRAMP Marketplace listing for the service offering will be updated to reflect FedRAMP Authorized status and the date of authorization. Agency information security personnel can then obtain the CSO security package, for the purpose of issuing subsequent ATOs, by completing the FedRAMP Package Access Request Form [PDF - 278KB].

The FedRAMP PMO asks agencies to send their ATO letters for any FedRAMP-Authorized CSO to ato-letter@fedramp.gov.


Continuous Monitoring

The continuous monitoring phase consists of post-authorization activities that support maintaining a security authorization that meets the FedRAMP requirements.

Post Authorization

During the continuous monitoring phase, the CSP is required to provide periodic security deliverables (vulnerability scans, updated POA&M, annual security assessments, incident reports, significant change requests, etc.) to all agency customers. Further detail can be found in the Continuous Monitoring Strategy Guide [PDF - 1.1MB].

Each agency using the service reviews the monthly and annual continuous monitoring deliverables. CSPs use the FedRAMP secure repository for posting monthly continuous monitoring material for ease of access and sharing with agency representatives.


Resources

The resources below provide additional guidance on the Agency Authorization path. Additional technical guidance, as well as FedRAMP templates, can be found on our Documents & Templates page under Resources.

Agency Authorization Playbook

This document provides a compilation of best practices, tips, and step-by-step guidance for agencies seeking to implement ATOs.

Download [PDF - 1.3MB]

Agency Authorization - Roles and Responsibilities for FedRAMP, CSPs, and Agencies

This document provides a summary of the roles and responsibilities of the agency, CSP, and FedRAMP PMO during the Agency Authorization process.

Download [PDF - 933KB]

FedRAMP Authorization Boundary Guidance

This document provides CSPs guidance for developing the authorization boundary for their offering(s) which is required for their FedRAMP Authorization package.

Download [PDF - 293KB]

FedRAMP Guide for Multi-Agency Continuous Monitoring

This document provides guidance to agencies and CSPs to assist with a framework for collaboration when managing Agency ATOs.

Download [PDF - 413KB]

FedRAMP Tailored Website

This website provides guidance and templates for FedRAMP Tailored, a simple, condensed approach to the Authorization process for Low-Impact Software-as-a-Service (LI-SaaS) applications.

Visit Website