Obtaining a mandated Federal Risk and Authorization Management Program (FedRAMP) Authorization to Operate (ATO) is increasingly important for Cloud Service Providers (CSPs) who wish to make Cloud Service Offerings (CSOs) available to federal government agencies. The FedRAMP Authorization Act codifies the security and compliance requirements for commercial CSPs as agencies increasingly shift away from on-prem deployment models in favor of cloud-based service delivery models. The journey to FedRAMP authorization begins by understanding and embracing the requirement to secure an agency sponsor. Securing an agency that is willing to become a CSP's partner and help shepherd it through the authorization process can be a daunting task.
In FedRAMP, there are two paths to sponsorship – an Agency sponsorship to obtain a FedRAMP ATO and a Joint Authorization Board (JAB) sponsorship to obtain a Provisional Authorization (P-ATO). Given the JAB’s limited bandwidth, focus on government-wide use, and business-case-centric qualification criteria, the majority of CSPs will benefit from securing an Agency sponsor.
Agency Sponsorship – Finding a Champion for your CSO
One of the most critical steps in a CSP's authorization journey is establishing the demand for its CSO and finding a government champion willing to sponsor the offering. The first step toward securing an agency sponsor is to position the CSO as the remedy for one or more agency-specific operational pain points or regulatory requirements. The government is continuously releasing requests for proposals (RFPs) seeking cloud solutions for a wide variety of business and operational capabilities. By familiarizing yourself with agencies whose missions could be supported by your CSO, you can begin to position your CSO to resonate with these agencies. If your solution hasn’t already found a federal champion, establishing demand for your CSO will likely require some research and investment in building a compelling case for sponsorship by doing the following:
- Alignment of CSO features with regulatory requirements – Clearly map out known government requirements that are satisfied by your solution, making its value clear to agency consumers.
- Alignment with agency-specific use cases – Invest in learning about specific agency operations and pain points and create a customized brief highlighting exactly how your CSO meets their business needs.
- Assurance of commitment to the FedRAMP effort – Understand the ATO process and proactively establish a committed and knowledgeable team, thereby reducing the weight of responsibility that will fall to the agency sponsor. Agencies with a desire for your CSO but limited experience with FedRAMP sponsorship will want to know that your organization is committed to leading the compliance effort and minimizing the effort required by the agency.
- Evidence of some degree of compliance “readiness” or maturity – Finally, a sponsorship is more likely when an agency has evidence and reassurance that a CSP has already invested in hardening their cybersecurity compliance posture. This can be reflected by a CSP having a relationship with a trusted FedRAMP advisor, a third-party assessment organization (3PAO), or even having already achieved a FedRAMP Ready status – which isn’t equivalent to an ATO but can be obtained without a sponsor by engaging a 3PAO. FedRAMP Ready indicates a general state of being prepared for the more critical elements of a full FedRAMP assessment. (As a note, some agencies may require a readiness assessment, but most do not.)
Sponsorship and Achieving In-Process Status
Once your organization has found a committed agency sponsor, you’ll move toward an official status of “FedRAMP In Process.” The “In Process” status indicates that the CSP is actively working toward an ATO with a committed sponsor. To become listed as “FedRAMP In Process” in the FedRAMP Marketplace, there are several key steps to complete. The first and arguably most important step is to provide the FedRAMP Project Management Office (PMO) with an attestation letter from the agency point of contact, known as an “In Process Request” letter.
Sponsor Attestation (In Process Request) Letter
To officially become “In Process” on the FedRAMP Marketplace, the FedRAMP PMO must be in receipt of an e-mail from an agency authorizing official (AO) or a FedRAMP PMO-approved designee stating that the agency is actively engaging with the CSP and plans to grant an ATO within 12 months. Once “In Process”, the CSP will be listed as such in the FedRAMP Marketplace. The attestation letter can be an email or email attachment that is sent from the agency point of contact/AO or the CSP (with the AO included in the cc line) and submitted to firstname.lastname@example.org. The letter should follow FedRAMP’s “In Process Request” template and must minimally contain the following information:
- Name of the Authorizing Official (AO)
- Name of the CSP and CSO to be authorized
- Type of CSO to be authorized (Infrastructure/Platform/Software-as-a-Service (IaaS/PaaS/SaaS))
- Listing of agency and CSP points of contact
- The impact level at which the CSO will be authorized (Low Impact SaaS (LI-SaaS), Low, Moderate, High)
- Verbiage confirming that the agency is committed to working with the CSP to grant an ATO in an acceptable timeframe (within a year)
- An ATO project schedule with key milestone dates, known as a Work Breakdown Structure (WBS)
Along with the attestation letter, the CSP and agency must complete and provide to the PMO a WBS that aligns with the program’s timeline requirements. It is important to note that an “In Process” status is only valid for 12 months, with the timer starting on the date of the attestation letter. The schedule must include (but is not limited to):
- The target date of a completed full assessment by a 3PAO – testing should be scheduled to begin within 6 months
- The target date of the completed ATO, which must occur:
  - Within 12 months for Low, Moderate, or High ATOs
  - Within 3 months for FedRAMP Tailored (LI-SaaS) ATOs
Additional Requirements to be Satisfied
Finally, a CSO must meet at least 1 of the following 4 requirements as defined in the “In Process Request” form to achieve an “In Process” status:
- Interest in completing a formal kick-off meeting that includes the agency, CSP, FedRAMP PMO, and, if applicable, the 3PAO
- Acknowledgement of “FedRAMP Ready” status of CSO on the Marketplace
- Proof of a contract award for the use of the CSO (attached to the letter if applicable)
- Statement indicating that the service is already in use
FedRAMP has strict timeline requirements which must be understood and embraced by the agency sponsor and CSP alike. If an ATO package is not submitted within the designated 12-month timeframe (from the official date of the kickoff or “In Process” designation), the offering is removed from the FedRAMP Marketplace.
The FedRAMP PMO has published an updated Cloud Service Providers (CSP) Authorization Playbook to provide CSPs with a more detailed understanding of the FedRAMP Authorization process.
Other helpful resources and checklists for organizations pursuing FedRAMP accreditation are listed below.
- How much does a FedRAMP P-ATO Cost?
- How long does FedRAMP accreditation take?
- How to prepare for FedRAMP?
stackArmor helps commercial, public sector and government organizations rapidly comply with FedRAMP, FISMA/RMF, DFARS and CMMC compliance requirements by providing a dedicated authorization boundary, NIST compliant security services, package development with policies, procedures and plans as well as post-ATO continuous monitoring services.