The Importance of ATO Letter Submission
FedRAMP would like to remind federal agencies to authorize their Cloud Service Offerings (CSOs) and submit the associated Authority to Operate (ATO) letter to the FedRAMP PMO. Agency authorization of CSOs is required to maintain compliance with OMB Circular A-130 and submission of the corresponding ATO to FedRAMP helps support a critical component of FedRAMP’s security package reuse model.
Why is this Important?
CSOs that do not have more than one ATO letter on file are at a higher risk of losing their FedRAMP authorization designation. In accordance with FedRAMP Marketplace: Designations for Cloud Service Providers, if a CSO loses its only ATO letter on file with the FedRAMP PMO, the CSO will be removed from the Marketplace as FedRAMP Authorized. The best way to avoid this is to ensure all agency customers have issued an ATO for their use of the service offering and provide copies to the FedRAMP PMO.
While an increased number of ATO letters have been provided, to date, 77 of the 235 FedRAMP Authorized services still only have one ATO letter on file with the FedRAMP PMO.
How do Agencies submit their ATO?
Federal agencies should follow their agency-defined process for issuing an ATO and submit a copy of their signed ATO letter(s) to FedRAMP via email@example.com. Once an ATO letter is received, permanent access is granted to the security package materials in the FedRAMP Secure Repository to allow agencies to conduct regular reviews of their cloud offering’s continuous monitoring documentation.
If you have any questions regarding the ATO submission process, please reach out to us via firstname.lastname@example.org and we will be happy to provide assistance.