March 15, 2019

What is a FedRAMP ATO?

Vibhuti Sinha

Chief Cloud Officer

What is a FedRAMP ATO?

As more companies migrate workloads and data to the cloud, security becomes more difficult to manage. With Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS), and Platform-as-a-Service rapidly overtaking traditional IT architectures, companies open themselves up to more threat vectors. Each cloud services provider (CSP) and its access location creates a new threat vector that places corporate and agency data at risk. The Federal Risk and Authorization Management Program (FedRAMP) provides a unified framework offering cloud service providers a way to use the “do once, use many times” approach providing assurance to federal agencies and nonfederal customers that it manages the data security risks associated with cloud service providers and cloud migration.

What is FedRAMP?

FedRAMP brings together the security controls necessary for meeting both the cloud security standards listed in NIST Special Publications 800-53 and 800-37 as well as the compliance requirements for protecting information under the Federal Information Security Management Act of 2002 (FISMA). FedRAMP only begins with NIST publications. As part of the review process, organizations who achieve FedRAMP Authority to Operate (ATO) must go beyond the baseline requirements of NIST to ensure that they can protect sensitive agency information. FedRAMP incorporates controls specific to the security risks inherent in CSPs, thus validating service providers’ all-inclusive security posture.

How Does a Company Begin the FedRAMP Authorization Process?

Understanding the difference between FedRAMP ATO status and other compliance certifications means looking at more than just the FedRAMP security framework itself but also the benefit a CSP can provide a federal agency. A company seeking FedRAMP ATO often needs an agency sponsor. The Agency Authorization process is one of the primary paths to FedRAMP compliance for a cloud service provider. In short, it means that an agency wants to use the cloud service product and is willing to work with the CSP to obtain approval. Moreover, it means that the sponsoring agency feels that the CSO provides value to other federal agencies as well. Think of FedRAMP authorization like joining a fraternity or sorority. Since the Joint Authorization Board (JAB) has limited resources, it can’t just review every cloud service. Thus, the JAB needs to feel that a cloud service offering (CSO) provides more value than other cloud services. Then, you need a “Big” to mentor you through the rush process. The agency sponsor fulfills that “Big” role for their CSP.

What Are The Steps to FedRAMP ATO?

Since every federal agency works with privileged data, obtaining FedRAMP ATO is a long, arduous process. After getting an agency sponsor, the next step to FedRAMP ATO is completing a full security assessment that incorporates a System Security Plan (SSP). With an SSP in place, the company creates a Security Assessment Plan (SAP) developed in conjunction with a third party assessment organization (3PAO). After developing the SAP with the 3PAO, a rigorous testing process over the cloud service control environment occurs. While undergoing the 3PAO assessment, the company needs to pause any critical developments. Thus, service providers seeking FedRAMP ATO status show commitment to security by focusing on maintaining effective controls rather than by expanding the cloud service capabilities. Fundamentally, this ensures that the cloud service starts secure, giving the FedRAMP PMO and JAB an initial sense of commitment to data integrity. The 3PAO will give detailed feedback, including any remediation steps necessary to meet FedRAMP compliance, to the cloud service, JAB, and PMO. Once the CSP completes the remediation activities, the 3PAO retests and delivers another report to the FedRAMP PMO and JAB. Once the 3PAO completes the FedRAMP testing, it sends a Security Assessment Report (SAR) to the JAB and recommends the CSP for FedRAMP Authorization. Finally, to achieve and maintain FedRAMP ATO, the company needs to prove continuous monitoring over its security controls. Since security control effectiveness constantly changes as malicious actors keep evolving their attack methodologies, the CSP needs to prove that it’s maintaining that point-in-time security continuously. Thus, it needs to document its overview governance for the FedRAMP PMO and JAB.

What’s The Difference Between JAB and Agency Authorization?

JAB authorization promotes a wider range of use cases than agency authorization. In short, a CSO that obtains FedRAMP JAB authorization is one that offers wide-ranging capabilities that benefits any federal agency. Agencies can authorize cloud services based on their own individual needs. However, companies that can provide broad services to a variety of federal agencies seek JAB FedRAMP approval. Thus, while Agency Authorization focuses on cloud service providers whose product works only with that agency or possibly another, FedRAMP JAB authorization not only proves compliance but also enablement capabilities. Obtaining a JAB FedRAMP ATO takes more time and review than a federal agency authorization. As part of the initial JAB review, the CSP needs to prove that its CSO is widely beneficial for federal organizations adopting a Cloud First strategy.

How to Review a FedRAMP ATO Level

When reviewing a CSP’s CSO, agencies focus on two different things. First, the level and second the type of ATO achieved. FedRAMP divides CSPs into three different levels – High, Moderate, and Low – depending on the adverse impact a potential loss of data confidentiality, integrity, or availability can have on an agency. Fundamentally, the more important the information, the greater the impact a data breach could have. As you go up the scale from Low to High, FedRAMP requires greater assurance that the CSP can protect agency data, increasing the number of controls required. Under FedRAMP, Low-Level systems need to provide assurance over 125 control, Moderate Level systems 325 controls, and High-Level systems 421 control.

How to Review a FedRAMP ATO Status

As a CSP journeys through the FedRAMP process, it’s status changes. First, a company will be listed as “FedRAMP Ready” which means that it started the review process and has a sponsoring agency. After determining that the CSO provides value to more than one agency, the JAB and FedRAMP PMO will list it as “In Process.” Next, JAB reviews the security information provided and grants a “Provision Authority to Operate (P-ATO).” This initial authorization means that the CSP is safe to use but hasn’t fully completed the final process. The final FedRAMP authorization stage requires the CSP to submit to another round of review by sending an ATO letter to the FedRAMP PMO for official approval. Once the PMO approves the FedRAMP ATO letter, the CSP can conduct business with the federal government, and FedRAMP lists it in its marketplace resources.

What Saviynt’s FedRAMP ATO Means For Customers

Saviynt’s FedRAMP JAB Moderate ATO authorization means that we provide a solution enabling federal agencies and non-federal customers with a platform that accelerates the cloud adoption process and enables technology modernization. Focused on security, Saviynt’s identity governance and cloud privileged access management solution offers customers the first and only IaaS product that meets the rigorous security control effectiveness requirements established by FedRAMP. Moreover, for federal agencies and non-federal customers seeking to migrate to the cloud, Saviynt easily integrates with a variety of applications including SAP, Oracle, Epic, AWS, and Azure. Our commitment to security starts with your organization’s identities and ends with our assurance over data protection to keep those identities secure.