
Agency Authorization

Pursuing a FedRAMP® Agency Authorization

There are two approaches to obtaining a FedRAMP Authorization: a provisional authorization through the Joint Authorization Board (JAB) or an authorization through an agency. In the Agency Authorization path, agencies may work directly with a Cloud Service Provider (CSP) for authorization at any time. CSPs that make a business decision to work directly with an agency to pursue an Authority to Operate (ATO) will work with the agency throughout the FedRAMP Authorization process.

The Authorization Process


The preparation phase consists of two steps: Readiness Assessment and Pre-Authorization.

Readiness Assessment

In the Readiness Assessment step, a CSP may elect to pursue the FedRAMP Ready designation, which is optional for the Agency Authorization process, but highly recommended. To achieve the FedRAMP Ready designation, a CSP must work with an accredited Third Party Assessment Organization (3PAO) to complete a Readiness Assessment of its service offering. The Readiness Assessment Report (RAR) documents the CSP's capability to meet federal security requirements. More information regarding steps to achieve FedRAMP Ready can be found on the About FedRAMP Marketplace page.



During the Pre-Authorization step, a CSP formalizes its partnership with an agency via the requirements outlined in FedRAMP Marketplace: Designations for Cloud Service Providers. A CSP also prepares to undergo the authorization process. They make any necessary technical and procedural adjustments to address federal security requirements and prepare the security deliverables required for authorization.

By this stage, a CSP should:

  • Have a system that is fully built and functional
  • Have a leadership team that is committed and fully on board with the FedRAMP process
  • Engage with FedRAMP through the intake process by completing a CSP Information Form
  • Determine the security categorization of the data that will be placed within the system, using the FedRAMP Federal Information Processing Standards (FIPS) 199 Categorization Template (found in Section 15 of the System Security Plan (SSP) template on the Documents & Templates page) along with the guidance of FIPS Pub 199 [PDF - 78KB] and NIST Special Publication 800-60 Volume 2 Revision 1, to correctly categorize the system based on the types of information it processes, stores, and transmits

The final step in Pre-Authorization is to prepare for and conduct a Kickoff Meeting. During the Kickoff Meeting, a CSP and agency will discuss:

  • The background and functionality of the cloud service
  • The technical security of the cloud service, including the system architecture, the authorization boundary, data flows, and core security capabilities
  • Customer responsible controls that must be implemented and tested by the Agency
  • Compliance gaps and remediation plans
  • A work breakdown structure, milestones, and next steps



The authorization phase consists of two steps: Full Security Assessment and Agency Authorization Process.

Full Security Assessment

During the Full Security Assessment step, the 3PAO performs an independent audit of the system. Prior to this step, a CSP should ensure that the SSP is complete and has been reviewed and approved by the agency customer. Additionally, the Security Assessment Plan (SAP) should be developed by a CSP’s 3PAO with their authorizing agency’s input.

During this step, the 3PAO tests the CSP’s system. At the conclusion of testing, the 3PAO develops a Security Assessment Report (SAR) which details their findings from testing and includes a recommendation for FedRAMP Authorization.

The CSP will then develop a Plan of Action and Milestones (POA&M), based on the SAR findings and with input from the 3PAO, that outlines a plan for addressing the findings from testing.


Agency Authorization Process

The next step is the Agency Authorization Process. During this step, the agency conducts a security authorization package review, which may include a SAR debrief. Depending on the results of the agency’s review, CSP remediation may be required. During this phase, the agency may implement, document, and test customer responsible controls. Alternatively, the agency may choose to perform these steps after issuing the ATO. Finally, the agency performs a risk analysis, accepts risk, and issues an ATO. This decision is based on the agency’s risk tolerance. Once an agency provides an ATO letter for the use of the Cloud Service Offering (CSO), the following actions take place to close out this step:

  • The CSP uploads the Authorization Package Checklist and the complete security package (SSP and attachments, POA&M, and Agency ATO letter), with the exception of the security assessment material, to FedRAMP’s secure repository.
  • The 3PAO uploads all security assessment material (SAP, SAR, and attachments) associated with the CSO security package to FedRAMP’s secure repository.

The FedRAMP PMO performs a review of the security assessment materials for inclusion into the FedRAMP Marketplace. The FedRAMP Marketplace listing for the service offering will be updated to reflect FedRAMP Authorized status and the date of authorization. In turn, the CSO security package will be made available to agency information security personnel who complete the FedRAMP Package Access Request Form [PDF - 278KB], so that they can issue subsequent ATOs.

The FedRAMP PMO requests agencies to send their ATO letters for any FedRAMP-Authorized CSO to


Continuous Monitoring

The continuous monitoring phase consists of post-authorization activities in support of maintaining a security authorization that meets the FedRAMP requirements.

Post Authorization

During the continuous monitoring phase, the CSP is required to provide periodic security deliverables (vulnerability scans, updated POA&M, annual security assessments, incident reports, significant change requests, etc.) to all agency customers. Further detail can be found in the Continuous Monitoring Strategy Guide [PDF - 1.1MB].

Each agency using the service reviews the monthly and annual continuous monitoring deliverables. CSPs use the FedRAMP secure repository for posting monthly continuous monitoring material for ease of access and sharing with agency representatives.



The resources below provide additional guidance on the Agency Authorization path. Additional technical guidance as well as FedRAMP templates are located on our Documents & Templates page under resources.

Agency Authorization Playbook

This document provides a compilation of best practices, tips, and step-by-step guidance for agencies seeking to implement ATOs.


FedRAMP Authorization Boundary Guidance

This document provides CSPs guidance for developing the authorization boundary for their offering(s), which is required for their FedRAMP Authorization package.


FedRAMP Collaborative ConMon Quick Guide

This document provides guidance to agencies and CSPs to assist with a framework for collaboration when managing Agency ATOs.


FedRAMP Baselines

This web page helps stakeholders understand the FedRAMP Baselines and Impact Levels for FedRAMP Authorizations.
