FedRAMP PMO developed a security assessment framework that must be followed by commercial cloud service providers seeking an authority to operate (ATO)