www.fedramp.gov
2600:9000:2127:1600:11:bef5:3640:93a1
Public Scan
URL:
https://www.fedramp.gov/agency-authorization/
Submission: On October 26 via api from US — Scanned from DE
Form analysis
2 forms found in the DOM
/search-results/
<form class="usa-search" id="searchgovform" action="/search-results/"> <label class="usa-sr-only" for="searchgovinput">Search</label> <input name="search" type="search" id="searchgovinput" placeholder="Search"> <button type="submit"
id="searchgovbutton" title="Submit Search" value="Submit Search"> <span class="usa-search-submit-text"><img class="search-button-icon" src="/assets/img/search-magnifying-glass.svg" alt=""></span> </button> </form>
POST https://public.govdelivery.com/accounts/USGSA/subscriber/topics?qsp=USGSA_2224
<form id="contact" action="https://public.govdelivery.com/accounts/USGSA/subscriber/topics?qsp=USGSA_2224" method="POST">
<h4>Keep Up To Date</h4>
<p>To receive news and updates, join the GSA’s <span class="no-wrap;">subscriber list.</span></p>
<div class="newsletter-inner"> <a class="footer-submit" href="https://public.govdelivery.com/accounts/USGSA/subscriber/new" target="_blank">Subscribe</a> </div>
</form>
Text Content
AGENCY AUTHORIZATION

PURSUING A FEDRAMP® AGENCY AUTHORIZATION

There are two approaches to obtaining a FedRAMP Authorization: a provisional authorization through the Joint Authorization Board (JAB), or an authorization through an agency. In the Agency Authorization path, agencies may work directly with a Cloud Service Provider (CSP) for authorization at any time. A CSP that makes a business decision to work directly with an agency to pursue an Authority to Operate (ATO) works with that agency throughout the FedRAMP Authorization process.

THE AUTHORIZATION PROCESS

If the agency path is selected, the first major phase is preparation. The preparation phase has two steps: pre-authorization, which is required, and readiness assessment, which is optional but highly recommended. In pre-authorization, a CSP begins with partnership establishment, then undergoes authorization planning in order to participate in a Kickoff Meeting. From there the CSP may optionally work through the readiness assessment step, which begins with development of a Readiness Assessment Report (RAR). The FedRAMP PMO then reviews the RAR; remediation follows only if it is necessary, after which the FedRAMP Ready designation is issued.

The next major phase is authorization. Its first step is the full security assessment, which produces the security authorization package and its deliverables: the System Security Plan (SSP), Security Assessment Plan (SAP), Security Assessment Report (SAR), and Plan of Action and Milestones (POA&M).

The second step of the authorization phase is the agency authorization process. It begins with an agency review of the security authorization package, followed by a SAR debrief, remediation, and an agency final review. The agency then issues its ATO, and the FedRAMP PMO performs a review, with remediation if needed. At this point the CSP becomes FedRAMP Authorized under the agency authorization process.

Post authorization, there are monthly continuous monitoring deliverables as well as an annual assessment. In this way FedRAMP ensures continuous monitoring is present throughout the entire process.

PREPARATION

The preparation phase consists of two steps: Readiness Assessment and Pre-Authorization.

READINESS ASSESSMENT

In the Readiness Assessment step, a CSP may elect to pursue the FedRAMP Ready designation, which is optional for the Agency Authorization process but highly recommended. To achieve the FedRAMP Ready designation, a CSP must work with an accredited Third Party Assessment Organization (3PAO) to complete a Readiness Assessment of its service offering. The Readiness Assessment Report (RAR) documents the CSP's capability to meet federal security requirements. More information on the steps to achieve FedRAMP Ready can be found in the FedRAMP Marketplace Designations for Cloud Service Providers document [PDF - 652KB].

PRE-AUTHORIZATION

During the Pre-Authorization step, a CSP formalizes its partnership with an agency according to the requirements outlined in FedRAMP Marketplace: Designations for Cloud Service Providers. The CSP also prepares to undergo the authorization process: it makes any necessary technical and procedural adjustments to address federal security requirements and prepares the security deliverables required for authorization.

By this stage, a CSP should:

* Have a system that is fully built and functional
* Have a leadership team that is committed and fully on board with the FedRAMP process
* Engage with FedRAMP through the intake process by completing a CSP Information Form
* Determine the security categorization of the data that will be placed within the system using the FedRAMP Federal Information Processing Standards (FIPS) 199 Categorization Template (Section 15 of the System Security Plan (SSP) template on the Documents & Templates page), guided by FIPS Publication 199 [PDF - 78KB] and NIST Special Publication 800-60 Volume 2 Revision 1, so that the system is correctly categorized according to the types of information it processes, stores, and transmits

The final step in Pre-Authorization is to prepare for and conduct a Kickoff Meeting. During the Kickoff Meeting, the CSP and agency discuss:

* The background and functionality of the cloud service
* The technical security of the cloud service, including the system architecture, the authorization boundary, data flows, and core security capabilities
* Customer-responsible controls that must be implemented and tested by the agency
* Compliance gaps and remediation plans
* A work breakdown structure, milestones, and next steps

AUTHORIZATION

The authorization phase consists of two steps: Full Security Assessment and Agency Authorization Process.

FULL SECURITY ASSESSMENT

During the Full Security Assessment step, the 3PAO performs an independent audit of the system. Before this step, the CSP should ensure that the SSP is complete and has been reviewed and approved by the agency customer. The Security Assessment Plan (SAP) should also have been developed by the CSP's 3PAO with the authorizing agency's input. During this step, the 3PAO tests the CSP's system.

At the conclusion of testing, the 3PAO develops a Security Assessment Report (SAR) that details its findings from testing and includes a recommendation for FedRAMP Authorization. The CSP then develops a Plan of Action and Milestones (POA&M) based on the SAR findings, with input from the 3PAO, which lays out how each finding from testing will be addressed.

AGENCY AUTHORIZATION PROCESS

The next step is the Agency Authorization Process. During this step, the agency reviews the security authorization package, which may include a SAR debrief with the FedRAMP PMO. Depending on the results of the agency's review, CSP remediation may be required. The agency also implements, tests, and documents customer-responsible controls during this phase. Finally, the agency performs a risk analysis, accepts the risk, and issues an ATO. This decision is based on the agency's risk tolerance.

Once the agency provides an ATO letter for use of the Cloud Service Offering (CSO), the following actions close out this step:

* The CSP uploads the Authorization Package Checklist and the complete security package (SSP and attachments, POA&M, and agency ATO letter), with the exception of the security assessment material, to FedRAMP's secure repository.
* The 3PAO uploads all security assessment material (SAP, SAR, and attachments) associated with the CSO security package to FedRAMP's secure repository.

The FedRAMP PMO reviews the security assessment materials for inclusion in the FedRAMP Marketplace. The Marketplace listing for the service offering is then updated to reflect FedRAMP Authorized status and the date of authorization. The CSO security package is in turn made available to agency information security personnel, for issuing subsequent ATOs, on completion of the FedRAMP Package Access Request Form [PDF - 278KB]. The FedRAMP PMO asks agencies to send their ATO letters for any FedRAMP-Authorized CSO to info@fedramp.gov.

CONTINUOUS MONITORING

The continuous monitoring phase consists of post-authorization activities in support of maintaining a security authorization that meets FedRAMP requirements.

POST AUTHORIZATION

During the continuous monitoring phase, the CSP is required to provide periodic security deliverables (vulnerability scans, updated POA&M, annual security assessments, incident reports, significant change requests, etc.) to all agency customers. Further detail can be found in the Continuous Monitoring Strategy Guide [PDF - 1.1MB]. Each agency using the service reviews the monthly and annual continuous monitoring deliverables. CSPs post monthly continuous monitoring material to the FedRAMP secure repository for ease of access and sharing with agency representatives.

RESOURCES

The resources below provide additional guidance on the Agency Authorization path. Additional technical guidance and FedRAMP templates are located on the Documents & Templates page under Resources.

AGENCY AUTHORIZATION PLAYBOOK
This document provides a compilation of best practices, tips, and step-by-step guidance for agencies seeking to implement ATOs. Download [PDF - 1.3MB]

AGENCY AUTHORIZATION - ROLES AND RESPONSIBILITIES FOR FEDRAMP, CSPS, AND AGENCIES
This document summarizes the roles and responsibilities of the agency, CSP, and FedRAMP PMO during the Agency Authorization process. Download [PDF - 933KB]

FEDRAMP AUTHORIZATION BOUNDARY GUIDANCE
This document gives CSPs guidance for developing the authorization boundary for their offering(s), which is required for their FedRAMP Authorization package. Download [PDF - 293KB]

FEDRAMP GUIDE FOR MULTI-AGENCY CONTINUOUS MONITORING
This document provides guidance to agencies and CSPs on a framework for collaboration when managing agency ATOs. Download [PDF - 413KB]

FEDRAMP TAILORED WEBSITE
Provides guidance and templates for FedRAMP Tailored, a simplified, condensed approach to the authorization process for Low-Impact Software-as-a-Service (LI-SaaS) applications. Visit Website

The Federal Risk and Authorization Management Program (FedRAMP®) is managed by the FedRAMP Program Management Office. Questions can be sent to info@FedRAMP.gov.