
Sponsoring Initial FedRAMP Certification

This page contains legacy content for reference only!

June 24, 2026: All materials in the FedRAMP Legacy Documentation site are intended only for reference during the transition to FedRAMP's Consolidated Rules for 2026.

Humans and AI services must be careful referencing any content in https://fedramp.gov/legacy because FedRAMP is actively transitioning away from these processes and materials.

Federal agencies can partner with a Cloud Service Provider (CSP) for an initial FedRAMP Certification if they would like to use a Cloud Service Offering (CSO) that is not currently FedRAMP Certified. The rest of this playbook explains the initial FedRAMP Certification process, providing guidance and tips for success at each point along the way.

Common Questions About Sponsoring Authorization

The following questions and answers are sourced from FedRAMP's Legacy Help Center. If you have additional questions, please first reach out to your agency's FedRAMP Agency Liaison before reaching out to FedRAMP at info@fedramp.gov.

What does it mean to be an initial agency partner?

An Initial Agency Partner, also referred to as an initial authorizing agency or agency sponsor, is the first agency to grant an Authority to Operate (ATO) using FedRAMP standards and baselines for the Cloud Service Offering (CSO). The initial authorizing agency's ATO is not a government-wide risk acceptance. OMB Circular A-130 requires agencies to individually authorize operation of an information system and to explicitly accept the risk. Each agency that wishes to use the CSO will conduct its own risk review of the authorization package and grant its own ATO.

Is there an additional level of effort associated with being the initial authorizing agency?

It depends on the quality of the authorization package. Because the initial authorizing agency is the first agency to review the authorization package, the process for getting to an informed risk-based decision may take longer and require more effort if there are aspects of the authorization package that are unclear, incomplete, inaccurate, or inconsistent.

The FedRAMP Program Management Office (PMO) provides guidance to Cloud Service Providers (CSPs) and Third Party Assessment Organizations (3PAOs) on how to deliver a high-quality authorization package, but if the agency team is unable to determine the actual security posture of the cloud service offering (CSO) because of poor package quality, the agency will provide feedback. That feedback may result in modifications to the package deliverables, additional testing, and additional review cycles.

As the initial authorizing agency, are we responsible for performing Continuous Monitoring (ConMon) oversight on behalf of other leveraging agencies?

No. It is not the initial authorizing agency's responsibility to conduct ConMon oversight on behalf of all other agencies. OMB Circular A-130 requires federal agencies to implement the Risk Management Framework (RMF) described in NIST SP 800-37. The RMF process includes a Monitor step. The purpose of this step is to maintain ongoing situational awareness about the security posture of the system in support of risk management decisions.

Each agency that issues an authority to operate (ATO) or authority to use (ATU) for a cloud offering must review the cloud service provider's (CSP's) ConMon activities to ensure the security posture remains sufficient for its own use and supports an ongoing authorization. This includes reviewing the monthly Plan of Action and Milestones (POA&M), approving deviation requests and significant change requests, and reviewing the results of the annual assessment. With the release of the FedRAMP Rev 5 baselines, security control CA-7 requires CSPs with more than one customer agency to implement collaborative ConMon. This approach is intended to streamline the ConMon process and potentially minimize duplicative effort while still allowing each agency to perform its own due diligence related to ConMon. FedRAMP developed a recommended Collaborative ConMon approach. Collaborative ConMon benefits agencies by allowing them to share responsibility for ConMon oversight, and it benefits the CSP by creating a central forum for addressing questions and achieving consensus on deviation requests, significant change requests, and the annual assessment, rather than having to coordinate with each agency separately.

What happens if my agency decides to stop using the Cloud Service Offering (CSO)?

Agencies should first notify the cloud service provider (CSP) that they plan to rescind their Authorization to Operate (ATO), as they are no longer using the service. After notifying the CSP, the agency should send an email to info@fedramp.gov, CCing the CSP, that notifies FedRAMP that the service is no longer in use at the agency and states the date by which the agency will rescind the ATO letter.

If a CSP loses its last agency customer, see the question below.

What happens if a Cloud Service Offering (CSO) loses its agency customers?

FedRAMP Certified cloud service offerings (CSOs) without an active agency authorization to operate (ATO) that continue to meet all ongoing continuous monitoring (ConMon) activities while working to obtain a new ATO from a federal agency may remain in the FedRAMP Marketplace as FedRAMP Certified.

Should my agency use FedRAMP to authorize a private cloud deployment?

FedRAMP does not apply to private cloud deployments. OMB M-24-15 defines the scope of FedRAMP as "cloud computing products and services (such as IaaS, Platform-as-a-Service (PaaS), and SaaS) that create, collect, process, store, or maintain Federal information on behalf of a Federal agency." The memorandum also describes categories of cloud computing products and services that are outside the scope of FedRAMP, including "Information systems that are only used for a single agency's operations, hosted on cloud infrastructure or platform, and are not offered as a shared service or do not operate with a shared responsibility model."