
What Is the FedRAMP Agency Authorization Process?

As cloud service providers pursue FedRAMP authorization, they face a significant choice that stems from their ultimate goals in the federal space. The decision depends on how they intend to build working relationships with federal agencies and on how well prepared the provider is for the rigorous FedRAMP assessment process. When a provider enters directly into a working relationship with a federal agency, it will almost certainly work through the FedRAMP “Agency” process.


What Is FedRAMP Authorization?

FedRAMP authorization is a designation given to cloud providers that have met the assessment requirements necessary to work with federal agencies. Any CSP working with a federal agency, whether as a managed service provider, a storage and archival solution, or a business platform, must meet the FedRAMP minimum requirements to be considered “authorized” to do that work.

The designation of “FedRAMP Authorized” rests on a few distinct criteria:


Requirements

FedRAMP Authorized providers must meet security control requirements defined under NIST Special Publication 800-53, “Security and Privacy Controls for Information Systems and Organizations.”

The scope of any particular provider’s responsibility falls under one of three “Impact Levels,” determined by the agency through an assessment of the kinds of data the system will need to support. These impact levels include:


Assessment

Under FedRAMP Authorization requirements, self-assessment is not permitted. Instead, every provider seeking an authorization must undergo audits conducted by a certified Third-Party Assessment Organization (3PAO). These assessors are certified and monitored by the FedRAMP PMO and listed on the FedRAMP Marketplace.


Continuous Monitoring

Initial authorization isn’t the last stop on a provider’s journey. Unlike other regulations or standards that call for annual (or less frequent) self-reporting or assessments, FedRAMP includes ongoing 3PAO assessments and a continuous monitoring program that is designed before authorization and put into practice as soon as authorization is granted.


Working with Agencies vs. Working with JAB

Provider authorization isn’t a matter of simply proceeding through checklists. The type of work, as well as the needs of the agency, dictates the level of authorization (these needs and the associated impact level will be stated in the agency’s RFP).

Thus, the path through authorization will depend on the working relationship (if there is one) between the government agency and the cloud provider:

The agency process prepares a provider to work with a specific agency. The JAB process is a broader authorization process that will still require refinement for agency-specific contracts.


What Are the Stages of the Agency Authorization Process?

The agency path to authorization begins with an agency and a provider deciding to work together. The agency supports and monitors the provider and its 3PAO as they progress. Ultimately, the agency issues an Authority to Operate (ATO) stating that the provider meets the minimum requirements for FedRAMP and the agency’s needs.

The stages of the path toward ATO, as defined by the FedRAMP PMO, are:


Streamline Your FedRAMP Agency Authorization with Continuum GRC

Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under StateRAMP and make it an easy and timely part of doing business in the public sector. It is always available and plugged into our team of experts. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

And more. We are the only FedRAMP and StateRAMP Authorized compliance and risk management solution worldwide.

Continuum GRC is proactive cyber security®, and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.
