Blog

Securing an Agency Sponsor for FedRAMP Agency-Sponsored ATO

Obtaining a mandated Federal Risk and Authorization Management Program (FedRAMP) Authorization to Operate (ATO) is increasingly important for Cloud Service Providers (CSPs) who wish to make Cloud Service Offerings (CSOs) available to federal government agencies. The FedRAMP Authorization Act codifies the security and compliance requirements for commercial CSPs as they increasingly shift away from on-prem deployment models in favor of cloud-based service delivery models. The journey to FedRAMP authorization begins by understanding and embracing the requirement to secure an agency sponsor. Securing an agency with the willingness to become a CSP’s partner and help shepherd it through the authorization process can be a daunting task. In FedRAMP, there are two paths to sponsorship – an Agency sponsorship to obtain a FedRAMP ATO and a Joint Authorization Board (JAB) sponsorship to obtain a Provisional Authorization (P-ATO). Given the JAB’s limited bandwidth, specific government-wide use, and business-case-centric qualification criteria, the majority of


Navigating a JAB Provisional ATO (P-ATO)

Achieving a FedRAMP Authority to Operate (ATO) is a mandatory requirement for cloud service offerings (CSOs) that hold federal data. If you have software (or infrastructure or a platform) that is offered as-a-service and government agencies are your target customers, your cloud offering will be required to obtain and maintain a FedRAMP P-ATO. An ATO is evidence that your cloud offering has met and continues to operate in alignment with the high standards set forth in the FedRAMP cybersecurity controls baselines.

JAB – FedRAMP’s Joint Authorization Board

The FedRAMP program is governed by the Joint Authorization Board – otherwise known as the JAB. The JAB includes the Chief Information Officers (CIOs) from the Department of Defense (DoD), General Services Administration (GSA), and the Department of Homeland Security (DHS). Each of the three agencies has a team of technical reviewers (TRs) committed to the program’s objectives. The JAB is supported by


Streamlining Federal Cybersecurity Requirements [Federal News Network]

With updates such as the latest revision to the National Institute of Standards and Technology Special Publication 800-53, navigating CMMC, FedRAMP, SP 800-171, and FISMA is more important than ever. Martin Rieger, the Chief Solutions Officer at stackArmor, joined Federal News Network to discuss the mistakes companies often make in tackling this process, what the introduced changes mean for authorizations, why budgeting and planning for continuous monitoring will be critical, and more. Watch stackArmor’s Martin Rieger’s interview with Federal News Network here: https://youtu.be/_K9hml0pSus


Keeping Up with FedRAMP: Baseline Updates, Inaugural Members of the FSCAC, and More

In the words of Winston Churchill, “To improve is to change; to be perfect is to change often.” While it’s likely that collectively as business owners, policy drivers, and industry experts, we will never absolutely perfect the task of shielding government organizations and federal agencies from experiencing some sort of cyber vulnerability, we can certainly keep evolving the approach to protect them the best we can. And if introducing updates often is the path, then FedRAMP is on track. Coming off of significant milestones such as hitting its 300th ATO and witnessing a 50% increase in the number of CSOs authorized at the High impact level, the program is already announcing other updates and launching new initiatives. So, let’s catch up with what is going on in the world of FedRAMP.

The FedRAMP Joint Authorization Board Approves Rev. 5 Baselines

We begin with the approval of the FedRAMP Rev. 5


It’s Official – FedRAMP has moved to Rev. 5

As of May 30, 2023, FedRAMP has officially approved and adopted the new Rev. 5 baselines – aligning with the National Institute of Standards and Technology Special Publication 800-53 (NIST 800-53) Rev. 5 baselines that went into effect in September of 2021. Cloud Service Providers (CSPs) with existing authorizations, those who are mid-process, and those looking to achieve a FedRAMP authorization for the first time will all be required to align with Rev. 5 baselines.

What Changes Can CSPs Expect?

The new baselines include both new controls and required changes to a number of existing management, operational and technical controls across multiple control families. While FedRAMP has provided a complete workbook outlining the exact changes for each control in the new baselines, general changes include:

Control language that is more directive and outcomes-centric throughout;
A new Supply Chain Risk Management (SR) control family (taking the total number of families


The Sky’s the Limit: The Growth of FedRAMP Compliant Cloud Service Offerings

As you’ll recall from our last post, FedRAMP just soared to a major milestone – 300 FedRAMP Authorized Cloud Service Offerings (CSOs). Beyond marking a noteworthy tally, this is a monumental achievement because it means that federal agencies have now reused these cloud services over 4,500 times! In the days and months to come, agencies will have access to even more CSOs than ever before, which comes with a few trickle-down effects.

The Benefits of More CSOs

For one, more CSOs translates to more options for federal agencies. In turn, the team at FedRAMP points out that this makes the market more competitive and paves the way for lower pricing (a challenge that we also highlighted in our previous post). Plus, this record figure catapults FedRAMP further into its trajectory of growth. Growth has been a key trend for FedRAMP, especially over the past two years. Within that time


What is FedRAMP Compliance? Understand the FedRAMP Certification and Compliance Process

What is FedRAMP P-ATO? FedRAMP Compliance and Certification Steps Explained

The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide program that promotes the adoption of secure commercial cloud services across the federal government. The FedRAMP program streamlines the acquisition of cloud services by providing a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP empowers agencies to use modern cloud technologies, with an emphasis on security and protection of federal information. FedRAMP compliance is a security and compliance accreditation requirement for commercial cloud service providers (CSPs) looking to sell their solutions to US Government agencies. FedRAMP certifications are managed by the GSA, the US Government agency tasked with operating the program. Federal agencies select and procure commercial cloud services based on their security requirements, which are based on specific


Lowering FedRAMP, CMMC 2.0 and StateRAMP Compliance Costs with ThreatAlert® Zero trust Security Platform

Lowering FedRAMP, CMMC 2.0 and StateRAMP compliance costs is critical for organizations operating in highly regulated markets with public sector and government clients. Meeting complex NIST 800-53 security control requirements and generating a FedRAMP, StateRAMP, or CMMC 2.0 compliance package are critical requirements. FedRAMP compliance costs can be prohibitive due to the need for R&D, developing a package, and implementing FIPS and DISA STIG controls, all of which require skilled cybersecurity, compliance and cloud experts who understand complex security requirements and government regulations. stackArmor’s compliance accelerator helps reduce the time and cost of FedRAMP, CMMC 2.0, StateRAMP and other government-mandated security requirements by providing a dedicated accreditation boundary with compliant security controls that meet NIST SP 800-53 and NIST SP 800-171 requirements. stackArmor’s pre-integrated solution delivers an end-to-end, technology-enabled solution that has been vetted and audited by government agencies, assessors and independent third parties.

Lowering FedRAMP Compliance Costs with ATO Acceleration


Implementing Data Diode Pattern on AWS for Data Loss Prevention (DLP) and Zero Trust Access Control

Author: Matt Venne, Solutions Director, stackArmor, Inc.

One of the biggest challenges that cloud architects and security professionals have is protecting “sensitive” data. This challenge is multiplied when that sensitive data must move between different systems for analysis and consumption. Data security is difficult in such a dynamic scenario, which requires special tooling and techniques to prevent the data from leaving its designated areas. Typically, these tools and techniques fall in the category of Data Loss Prevention, or DLP for short. The marketplace has no shortage of DLP solutions; they can be network-based, examining data in flight at central egress points – e.g., firewalls; or agent-based, installed on a device, such as a workstation, to examine data at rest and programmatically identify which data is sensitive. Often, they are used in conjunction: agents identify sensitive data and network firewalls block the data identified by the agents from leaving.

Data Loss


DoD Cloud Authorization To Operate (ATO) and Impact Levels (IL2, IL4, IL5, IL6) Explained

Updated 5/24/2025 with the transition of the DoD Cloud Computing Security Requirements Guide (SRG) from NIST SP 800-53 Rev 4 to Rev 5.

US Government and Department of Defense agencies are continuing to modernize and transform operations using modern commercial cloud computing services. A recent report on the Federal Cloud Computing Market predicts that demand for commercial cloud computing goods and services will grow to nearly $19 Billion by 2024. A significant growth market in the next 5 years is going to be the US Department of Defense, propelled by the recent award of the $9 Billion Joint Warfighting Cloud Capability (JWCC) contracts to Amazon Web Services (AWS), Google Cloud, Microsoft Corporation, and Oracle. JWCC is a multiple-award contract vehicle that will provide the DoD the opportunity to acquire commercial cloud capabilities and services. Commercial Cloud Service Providers (CSPs) looking to offer services to Department of Defense (DoD) components must become


Preparing for FedRAMP Certification and Authorization

FedRAMP is a government-wide program that promotes the adoption of secure cloud services across the federal government by providing a standardized approach to security and risk assessment for cloud technologies and federal agencies. Commercial cloud service providers wanting to sell their services to US Federal Agencies, or to their contractors or suppliers that are part of the defense industrial base (through reciprocity), must obtain FedRAMP accreditation. The experts at stackArmor have developed a comprehensive guide for helping organizations prepare for their FedRAMP accreditation and assessment journey. This FedRAMP (Federal Risk and Authorization Management Program) Whitepaper provides an actionable resource for busy executives and project managers to understand and plan for a FedRAMP Authority To Operate (ATO). The Table of Contents of the Whitepaper includes:

Preparing for FedRAMP
A Brief History
Finding a Sponsor: Two Paths to ATO
Understanding FedRAMP Control Baselines (Based on NIST)
Getting Listed in the Marketplace


Accelerate FedRAMP Compliance with Amazon Web Services (AWS)

FedRAMP (Federal Risk and Authorization Management Program) is a government-wide program that streamlines the assessment, authorization and continuous-monitoring (ConMon) requirements for cloud-based IT services. It is how the federal government ensures that its cloud IT services do not put sensitive data or systems at unnecessary risk. Bottom line, Cloud Service Providers (CSPs) wanting to serve US government agencies must first obtain a FedRAMP Authorization to Operate (ATO). Designed to apply the National Institute of Standards and Technology’s (NIST) Risk Management Framework (RMF) approach to cloud solutions, the FedRAMP program embraces the concept that CSPs can build and verify their compliant Cloud Service Offerings (CSOs) once and use that verification to deliver it multiple times to multiple agencies.

FedRAMP ATO Acceleration with AWS

Amazon Web Services (AWS) offers IaaS and PaaS services that have been accredited at the FedRAMP High and Moderate levels. AWS offers two regions – East/West (Commercial) and


What is FedRAMP POAM? FedRAMP Compliance and Certification Explained

The Federal Risk and Authorization Management Program was established in 2011 to provide a cost-effective, risk-based approach for the adoption and use of commercial cloud services by the federal government and contractors supporting agencies. FedRAMP promotes the adoption of secure cloud services by providing a standardized approach to security and risk assessment for cloud technologies and federal agencies. FedRAMP mandates the use of numerous templates and documents in support of the compliance requirements for certification. During the Continuous Monitoring phase of the FedRAMP authorization, a CSP must maintain and provide a FedRAMP POA&M artifact that follows the prescribed template. POA&M (aka POAM) stands for “Plan of Action and Milestones.” It is a document used to track and report on the progress of security controls implementation and compliance efforts for cloud systems and services. POAM management is required for any cloud service that is seeking FedRAMP certification. The POAM outlines


What is the FedRAMP Marketplace? Certified and Compliant Cloud Services

The FedRAMP Marketplace provides a searchable and sortable database of Cloud Service Providers (CSPs) that have FedRAMP compliant services, as well as a list of federal agencies using FedRAMP Authorized CSOs and of FedRAMP recognized auditors (3PAOs) that can perform a FedRAMP assessment. The FedRAMP Marketplace is maintained by the FedRAMP Program Management Office (PMO). The marketplace includes a searchable catalog of authorized products and services that streamlines the process of finding and using cloud services in the federal government. The website is used extensively by Agencies and CSPs as a resource to:

Research cloud services that have achieved a FedRAMP Marketplace designation
Research agencies partnering with CSPs for a FedRAMP Authorization
Identify agencies that are using FedRAMP Authorized CSOs, and
Review FedRAMP’s community of recognized 3PAOs

The FedRAMP Marketplace lists Cloud Service Offerings (CSOs) along with their designations (or compliance status), which are either FedRAMP Ready, In-Process or Authorized. The


What is StateRAMP? Certification and Compliance Explained

StateRAMP is an organization that has developed a cloud cybersecurity and compliance program that provides a state-level equivalent to the Federal Risk and Authorization Management Program (FedRAMP). It is a state-level certification program that allows cloud service providers to be assessed and authorized to operate in a state’s cloud environment. It is designed to be similar to FedRAMP, but tailored to the specific needs of individual states. StateRAMP allows cloud service providers to meet the security requirements of multiple states by obtaining a single certification, rather than having to go through a separate certification process for each state. The goal of StateRAMP is to make it easier for cloud service providers to do business with state governments and to increase the use of cloud services by state agencies. Unlike FedRAMP, which is managed and administered by a US Federal Agency, StateRAMP is a registered 501(c)(6) nonprofit membership organization comprised of service


What is FedRAMP Certification? Cloud Compliance and Authorization

FedRAMP (Federal Risk and Authorization Management Program) is a government-wide program that streamlines the assessment, authorization and continuous-monitoring (ConMon) requirements for cloud-based IT services. It is how the federal government ensures that its cloud IT services do not put sensitive data or systems at unnecessary risk. Bottom line, Cloud Service Providers (CSPs) wanting to serve US government agencies must first obtain a FedRAMP Authorization to Operate (ATO). The process of obtaining an ATO is commonly referred to as FedRAMP certification or FedRAMP compliance. Designed to apply the National Institute of Standards and Technology’s (NIST) Risk Management Framework (RMF) approach to cloud solutions, the FedRAMP program embraces the concept that CSPs can build and verify their compliant Cloud Service Offerings (CSOs) once and use that verification to deliver it multiple times to multiple agencies. The FedRAMP program was introduced in 2011 as a natural step in the government’s IT modernization efforts


FedRAMP Marketplace Outlook for 2023

Happy new year! US Federal Agencies are expected to spend nearly $19B on cloud services by 2024. In order to participate in the Federal and DOD marketplace, a key requirement for commercial cloud solution providers is the ability to obtain and maintain FedRAMP certification. The FedRAMP program is expected to continue to grow given the recent passage of the FedRAMP Authorization Act as part of the NDAA. For organizations planning to pursue FedRAMP certification in 2023, here are some helpful resources for further analysis and planning:

FedRAMP Authorization Act: Implications for Cloud Service Providers
Preparing for FedRAMP – Whitepaper
Achieving DOD IL-4 ATO Lessons Learned
How much does it cost to prepare for FedRAMP

We hope you find these resources helpful. Please contact us to schedule a free consultation and planning discussion.


FedRAMP Authorization Act: Implications for Cloud Service Providers and Agencies

This is the first of a series of blogs on the evolving landscape of secure commercial cloud computing enabled by the FedRAMP program. The President signed into law H.R. 7776, the “James M. Inhofe National Defense Authorization Act for Fiscal Year 2023”, which includes the FedRAMP Authorization Act. The FedRAMP Authorization Act codifies the Federal Risk and Authorization Management (FedRAMP) Program, which is a Government-wide initiative that provides a standardized, reusable approach to security assessment and authorization for cloud computing products and services that process unclassified information used by agencies. The FedRAMP program is governed by the FedRAMP Program Management Office (PMO) within the General Services Administration (GSA). The FedRAMP Program was established in 2012 through an Office of Management and Budget (OMB) memorandum. The passage of the FedRAMP Authorization Act codifies this program into a law enacted by Congress with formal congressional scrutiny and oversight. This blog provides an
