Best Practices for Achieving and Maintaining an “In-Process” Designation
Building upon earlier guidance, the PMO has identified a number of best practices that enable CSPs to achieve and maintain an “In Process” designation and achieve an Agency Authority to Operate (ATO). An “In Process” designation indicates that a CSP is actively working on the documentation required to achieve a FedRAMP Authorization, and that an agency is reviewing that documentation with the intent to provide an ATO that meets the FedRAMP requirements.
Below are best practices the PMO has found to be effective for obtaining and maintaining an “In Process” designation.
Convert Existing Federal Work into FedRAMP “In Process” - Converting existing Agency ATOs into FedRAMP-compliant ATOs lowers several barriers for achieving an “In Process” designation. It is often easier for CSPs to work with agencies that are already using their service since agencies must authorize them in accordance with FedRAMP requirements. Agencies likely already have a baseline understanding of the CSP’s security posture and a vested interest in the CSP becoming FedRAMP authorized.
Engage the FedRAMP PMO Early - Engaging the PMO early provides transparency and coordination at the start of the authorization process, enabling the PMO to provide key insights on how best to kick off the authorization process, and to assign the “In Process” designation. Additionally, the PMO can help navigate initial conversations with an agency regarding the roles and responsibilities associated with partnering with a CSP to achieve a FedRAMP authorization.
Engage the PMO Often - The FedRAMP PMO communicates with “In Process” CSPs on a scheduled quarterly basis, as well as on an ad-hoc basis where appropriate. The more proactive a CSP is in engaging the PMO, especially if there is an authorization roadblock, the more successful they are in moving from “In Process” to “FedRAMP Authorized”.
Have the Right Resources on the Project Team - Effective project management skills within a CSP project team are important for the ongoing maintenance of an “In Process” designation. Additionally, the PMO recommends maintaining consistent resources on both the CSP and agency side throughout the authorization process, since the process requires an intimate understanding of the system.
Understand your Readiness for FedRAMP - CSPs should understand their CSO’s readiness for the FedRAMP authorization process. FedRAMP Ready provides a means of understanding a system’s preparedness. A FedRAMP Ready designation indicates that a Third Party Assessment Organization (3PAO) attests to the CSP’s readiness for the authorization process, and that a Readiness Assessment Report (RAR) has been reviewed and approved by the FedRAMP PMO. Having this knowledge prior to obtaining an “In Process” designation helps both the CSP and the agency understand a CSP’s ability to successfully obtain a FedRAMP Authorization.
We hope this is helpful in preparing for an authorization process. For questions or more information on the FedRAMP “In-Process” designation, please e-mail firstname.lastname@example.org.