June 23, 2023

Last Updated on January 8, 2024

Obtaining a Federal Risk and Authorization Management Program Authority to Operate, better known as a FedRAMP ATO, is key for cloud service providers (CSPs) that want to do significant business with the US federal government.

The FedRAMP program was formed in 2017 to consolidate and coordinate the authorization process for cloud services across the US federal government in alignment with the Federal Information Systems Management Act (FISMA). Formerly, agencies had been individually authorizing CSPs through their own programs, leading to significant rework and inconsistency while creating duplicative recertification effort for CSPs.

Now FedRAMP can authorize cloud services and agencies can leverage this authorization to meet their FISMA compliance requirements. And CSPs can provide services to multiple agencies with just one authorization. Further, CSPs that are in turn leveraging FedRAMP authorized cloud services to deliver their service can “inherit” the covered controls. For example, a CSP that runs its service on the Microsoft Azure public cloud can include Azure’s FedRAMP authorized physical security controls within its own authorization process.

What organizations are involved with FedRAMP?

Created jointly by the General Services Administration (GSA), Department of Defense (DoD), and Department of Homeland Security (DHS), FedRAMP is hosted by the Office of Management and Budget (OMB). The main governance and decision-making body for FedRAMP, called the Joint Authorization Board (JAB), includes members from the CIO offices of GSA, DoD, and DHS.

The choreographed interaction among FedRAMP stakeholders during the assessment process is akin to a dance.

Mike Craig, CEO at Vanaheim Security, says: “First you’re going to decide that going toward a FedRAMP authorization makes business sense for you. Then you’re going to find a sponsor [agency], and there’s a whole engagement process that comes with that. After you find the sponsor, you’re going to very quickly want to find a Third-Party Assessment Organization (3PAO).”

The central importance of your 3PAO

3PAOs assess CSPs against the FedRAMP requirements. If you’re working with a FedRAMP consultant that is also a 3PAO, you cannot use them in the latter capacity.

“Find that 3PAO because they’re going to be able to help answer some of the more ambiguous questions,” Mike adds. “And they can get together with your sponsoring agency, and you can have a three-way conversation to figure out some of these ambiguous controls and how the sponsor would prefer to handle it. Because they’re the ones who are ultimately going to sign off on your authorization package.”

By getting that clarity early in the process, you can streamline your assessment preparation and avoid missteps. Then when you’re ready for your assessment, the 3PAO performs that function on behalf of the agency sponsor, not your company. Their job is to collect a huge array of data to prove that you’re doing what you say you’re doing in your submission package.

What’s Next?

For more guidance on this topic, listen to Episode 120 of The Virtual CISO Podcast with guest Mike Craig from Vanaheim Security.