Agency Authorization

Pre-Authorization

During the Pre-Authorization step, a CSP formalizes its partnership with an agency via the requirements outlined on the About FedRAMP Marketplace page. A CSP also prepares to undergo the authorization process. They make any necessary technical and procedural adjustments to address federal security requirements and prepare the security deliverables required for authorization.

By this stage, a CSP should:

• Have a system that is fully built and functional
• Have a leadership team that is committed and fully on board with the FedRAMP process
• Submit a CSP Information Form
• Determine the security categorization of the data that will be placed within the system using the FedRAMP Federal Information Processing Standards (FIPS) 199 Categorization Template (located in Appendix K of the System Security Plan (SSP) template, along with the guidance of FIPS Pub 199 [PDF - 78KB] and NIST Special Publication 800-60 Volume 2 Revision 1 to correctly categorize their system based on the types of information processed, stored, and transmitted on the systems

The final step in Pre-Authorization is to prepare for and conduct a Kickoff Meeting. During the Kickoff Meeting, a CSP and agency will discuss:

• The background and functionality of the cloud service
• The technical security of the cloud service, including the system architecture, the authorization boundary, data flows, and core security capabilities
• Customer responsible controls that must be implemented and tested by the Agency
• Compliance gaps and remediation plans
• A work breakdown structure, milestones, and next steps

Back to Graphic for Reference

Agency Authorization Process

The next step is the Agency Authorization Process. During this step, the agency conducts a security authorization package review, which may include a SAR debrief. Depending on the results of the agency’s review, CSP remediation may be required. During this phase, the agency may implement, document, and test customer responsible controls. Alternatively, the agency may choose to perform these steps after issuing the ATO. Finally, the agency performs a risk analysis, accepts risk, and issues an ATO. This decision is based on the agency’s risk tolerance. Once an agency provides an ATO letter for the use of the CSO, the following actions take place to close out this step:

• The CSP uploads the Authorization Package Checklist and the complete security package (SSP and attachments, POA&M, and Agency ATO letter), with exception of the security assessment material, to FedRAMP’s secure repository.
• The 3PAO uploads all security assessment material (SAP, SAR, and attachments) associated with the CSO security package to FedRAMP’s secure repository.

The FedRAMP PMO performs a review of the security assessment materials for inclusion into the FedRAMP Marketplace. The FedRAMP Marketplace listing for the service offering will be updated to reflect FedRAMP Authorized status and the date of authorization. In turn, the CSO security package will be made available to agency information security personnel, to issue subsequent ATOs, by completing the FedRAMP Package Access Request Form [PDF - 278KB].

The FedRAMP PMO requests agencies to send their ATO letters for any FedRAMP-Authorized CSO to ato-letter@fedramp.gov.

Back to Graphic for Reference