This month, the PMO features a column from Lunarline’s Jeffrey Widom. He presents some common topics Cloud Service Providers (CSPs) have faced when deciding to pursue a FedRAMP Authorization.
Is the FedRAMP JAB P-ATO considered the “highest level” of FedRAMP compliance?
Although sometimes found in advertisements and marketing material, a FedRAMP JAB P-ATO is not the “highest level” of authorization under FedRAMP. The FedRAMP Security Assessment Framework does not weight the different paths. FedRAMP JAB P-ATO, FedRAMP Agency ATO, and CSP-Supplied packages included in the FedRAMP repository must meet the standards established by the FedRAMP PMO for format and content. The primary difference between the designations is who performs the reviews and to what degree (including continuous monitoring and risk oversight).
Rather than focus on a FedRAMP designation, it is recommended that CSPs concentrate resources on developing a “FedRAMP Ready” package, implementing security controls, and mitigating risks in preparation for the assessment. The FedRAMP PMO provides SOPs and computer-based training to assists CSPs in meeting the standards.
What is a CSP’s recourse if a request for proposal (RFP) requires a JAB P-ATO and excludes offerors that have a FedRAMP Agency ATO or CSP-Supplied package?
As of today, government contracting officers are not consistent in their FedRAMP requirements. It would be helpful if the RFP simply stated, “The selected CSP must be FedRAMP compliant.” In reality, current contracts are using a variety of sometimes inexact expressions: everything from “provisional ATO,” to “agency provisional ATO,” to “interim ATO.” If there are questions, the CSP should contact the FedRAMP PMO for assistance.
Do you have a submission for the PMO Newsletter or Weekly Tips? Send it to info@FedRAMP.gov.