An Agency’s Authorizing Official (AO) is responsible for making a risk-based decision to grant a CSP’s cloud service an Authority to Operate (ATO) for use of the system. That decision is formalized in an ATO letter provided to the CSP system owner and FedRAMP PMO. A complete ATO letter should explicitly state the AO’s acceptance of:
- Use of the system at the Agency at the determined FIPS 199 impact level
- All leveraged external services (to be listed in the ATO) supporting the system
- Any exceptions or exclusions of the CSO to be considered for use at the Agency
Once a CSO is deemed FedRAMP Authorized, the CSO is reflected as such on the FedRAMP Marketplace. Subsequent Agency customers can utilize FedRAMP’s reuse model to issue their own ATO for the use the CSO. That model allows Agencies to review the CSO’s security package, make a risk-based decision on the use of that system, and issue their own ATO. Agencies can rely on the PMO to support any discussions for the reuse of a FedRAMP authorized system.
All ATO letters should be provided to FedRAMP.