Congratulations on this significant milestone on finding a FedRAMP ATO Sponsor. To help accelerate the process of obtaining the FedRAMP Authorization to Operate (ATO) it is important to be well prepared. By ensuring that all relevant information is provided, you can avoid costly delays due to need for clarifications. Your agency sponsor and FedRAMP PMO will also appreciate a well-prepared presentation that provides them the information they need for their due diligence. Typically, the FedRAMP authorization process begins with a Kickoff Meeting. Typically, the Kickoff Meeting will include stakeholders from the Sponsoring Agency, Your Organization (the Cloud Service Provider), 3PAO, and FedRAMP PMO.
At the conclusion of the Kickoff Meeting, all stakeholders should have a shared understanding of the overall authorization process, milestones, deliverables, roles and responsibilities, and schedule.  The Cloud Service Provider should clearly spell out the Cloud Service Offerings (CSO) purpose and function, authorization boundary, data flows, known security gaps and plans for remediation.
The Kickoff Meeting is best supported through a slide briefing that provides an overview of the solution and includes the following content:
  • Overview of the Cloud Service Offering
  • Authorization Boundary Diagram and Description
  • Services used and their FedRAMP Authorization Status
  • Data Flows along with Descriptions
  • Security Controls: Gaps and Customer Responsibilities
  • Work Breakdown Structure and Milestones

Each of these topics are covered in greater detail.

Cloud Service Offering Overview

This is an introductory section to allow the Agency and other stakeholders to gather essential information about your organization and the solution you offer. Typical information needed in this section includes:

CSP/Organization Name
Cloud Service Offering Name (as it will appear on the FedRAMP Marketplace)
Service Offering Description that covers:
– What are the core capabilities and functions provided by the service?
– How does an Agency use and experience your offering?
– Describe the federal data that will be stored / processed / transmitted by the service offering.
FIPS 199 System Categorization: Low / Moderate / High
Service Model: SaaS / PaaS / IaaS
Deployment Model: Public / Community / Hybrid
Cloud Stack / Leveraged Systems/External Connections

Authorization Boundary and Data Flows

The Authorization Boundary Diagram and Data Flow descriptions are a very important part of the Kickoff Meeting due diligence process for a FedRAMP authorization. It is essential to provide the agency with a clear picture of the system architecture and components that make up the authorization boundary for the cloud service offering. There are a number of helpful job aids to prepare an Authorization Boundary Diagram. The Authorization Boundary discussion is fairly detailed and will likely consume of the bulk of the discussion.

Services with FedRAMP Authorization Status

Every Cloud Service Offering that is being authorized at a particular FedRAMP Impact Level, must ensure that any leveraged or inherited services are accredited at the same or higher level as the Cloud Service Offering. Any services that are not FedRAMP authorized need to be flagged and discussed to explain why it is justified to be part of the solution boundary. A key element of this discussion allows the Agency to assess risk and understand any supply chain vulnerabilities from data traversing the boundary.

Security Control Gaps and Customer Responsibility

In this section the agency is looking for a detailed understanding of the critical security control implementations, any gaps and remediation timelines. Additionally, the agency must know what specific responsibilities they have for securely operating or consuming the provided commercial cloud service. Specific content includes the list of controls that the Agency will be fully or partially responsible for implementing in the boundary. Controls that cannot be fully inherited by the customer must be
documented in the Customer Responsibility Matrix (CRM).

Work Breakdown Structure and Milestones

There are a number of critical milestones and activities that must be completed as part of the FedRAMP authorization process. The WBS/Project Plan provides the Agency and the FedRAMP PMO with an understanding of the project timelines and allows them to assess and allocate resources to support the project. Some of the key activities that must be included are conclusion of the prepare phase that includes the System Security Plan (SSP) and all attachments and the subsequent 3PAO assessment deliverables that include the Security Assessment Plan (SAP) delivery.

The FedRAMP authorization process is fairly intense but by being well-prepared you can avoid rework and a lot of costly back & forth. For organizations planning to pursue FedRAMP certifications, here are some helpful resources for further analysis and planning.

FedRAMP Authorization Act: Implications for Cloud Service Providers

Preparing for FedRAMP – Whitepaper

Achieving DOD IL-4 ATO Lessons Learned

How much does it cost to prepare for FedRAMP

Agency Briefing Guidance for Kickoff

We hope you find these resources helpful. Please contact us to schedule a free consultation and planning discussion.