Finding an Initial Authorizing Agency
The Agency Authorization process is the most popular route for CSPs to take when working toward a FedRAMP Authorization. In fact, 65 percent of authorized CSPs have an Agency ATO. An Agency Authorization allows a CSP to work one-on-one with a single Agency through the review process, whereas a JAB Authorization requires a CSP to work with three Agencies: DoD, DHS, and GSA. The Agency Authorization project workflow and stage gates can also be customized based on the specific needs and available resources of the Agency and CSP.
The first step in achieving a FedRAMP Agency Authorization is for a CSP to establish a partnership with an Agency and agree to work together for an ATO. Below are some tips and myths to keep in mind when starting your Agency Authorization process.
TIP: Identify a Federal Agency that has a vested interest in your cloud service offering to work with for the FedRAMP Authorization.
Ideal Agency partners tend to be those who are already using your cloud offering or have procured your service for future use. Keep in mind, a FedRAMP Agency Authorization is required prior to an Agency transitioning their production data to your cloud environment.
- Please ensure any Agency using your product has issued an Authority to Operate (ATO) letter and has sent it to firstname.lastname@example.org for documentation and incident response purposes.
If an Agency is currently using an “on-premise” version of your product and there is interest in moving to the cloud, then this could also be a viable candidate to be your partner Agency.
TIP: Per FISMA, Agencies must understand and accept the risk associated with their use of any IT environment. If an Agency wants to use a Cloud Service Offering (IaaS, PaaS, SaaS), the framework, templates, and series of security requirements/controls are governed and mandated by FedRAMP. FedRAMP = FISMA Compliance for Cloud Products/Services.
WHAT WE HAVE HEARD: Agencies could be reluctant to perform the initial “sponsoring” authorization because of the following misconceptions:
MYTH: The level of effort an Agency must perform to issue an authorization is too great.
FACT: CSPs seeking a FedRAMP authorization perform the heavy lift to ensure the system is risk-acceptable and provide all the FedRAMP deliverables to the Agency partner for review, feedback, and risk acceptance. Agencies are in a “review mode” role.
MYTH: The initial Agency accepts the risk of the system/cloud service for the entire government.
FACT: The initial authorization with an Agency is NOT an authorization for the entire Federal Government. The Agency authorizing official can only authorize and accept risk for the use of the system by their Agency. Additional Agencies that wish to use the cloud offering must review the Cloud Service Offering’s FedRAMP Package, conduct their own risk analysis, and issue their own independent authorization (ATO) that covers their Agency’s use of the system. Please ensure the FedRAMP PMO has a copy of all ATO letters; e-mail them to email@example.com.
TIP: Contact the PMO if you need help with an Agency sponsor.
Ashley Mahan, the FedRAMP Agency Evangelist, regularly speaks with Agencies and CSPs in the process of finalizing sponsorship to address any questions or concerns your partner Agency has about their authorization roles and responsibilities.
If you’d like to connect Ashley with an Agency partner, please reach out to firstname.lastname@example.org.
We are actively working on closing the FedRAMP awareness gap with all our stakeholders through our constant engagement with Agencies and CSPs. Help us spread the word by connecting us with your current and potential customers.