This is an outline of a typical ATO process for a cloud.gov customer system. All agencies handle the ATO process in their own way, so you should talk with your agency’s security compliance specialists, but this can give you a broad overview.
What’s a FedRAMP Provisional ATO?
cloud.gov has a FedRAMP Authorization. In precise terms, it is a Provisional Authority to Operate (P-ATO) at the Moderate impact level from the FedRAMP Joint Authorization Board (JAB).
It’s normal and expected that this is a “Provisional” ATO. The JAB does not have the authority to issue an ATO for a system at your agency. Only your own agency has the authority to issue ATOs for systems that your agency uses or operates.
So instead, the JAB issues a pre-authorization that your agency can review, including an audited documentation package. Any federal employee or contractor can access the package using this FedRAMP form (Package ID F1607067912). If your agency finds that the cloud.gov P-ATO meets their requirements, they can issue an ATO for cloud.gov. Here’s a template agency ATO letter (.docx).
How customer system ATOs work
First, a quick definition: a customer “system” is typically an org that contains spaces (such as staging and production spaces), applications, and service instances that serve together as sub-components of the system. The exact definition and boundary of “system” is up to your agency.
Customer ATO that inherits from cloud.gov ATO (ideal)
Here’s what this can look like for the first system to use cloud.gov at an agency. In this diagram, AOs stands for Authorizing Officials – people who can ATO a system.
Steps in more detail:
- Early in your process, talk to your AOs and explain your plans so that you get on the right track to ATO.
- 1.5. You may be able to start working on your system and preparing your ATO materials – ask your AOs.
- AOs request the cloud.gov FedRAMP P-ATO package and review the materials.
- AOs issue an ATO for cloud.gov itself.
- Develop (or migrate) your system and put together your compliance materials.
- Your System Security Plan should document that your system inherits some controls (partially or fully) from the cloud.gov ATO, as well as documenting the controls handled by your system.
- Your agency reviews your system and ATO materials.
- Your agency issues a new ATO just for your system.
Then if somebody else at your agency wants to run a system on cloud.gov, the cloud.gov ATO is easy to reuse! They don’t have to repeat steps 2 and 3 to review the cloud.gov P-ATO.
Here’s what the second system ATO process can look like:
If your agency prefers, they can issue a consolidated ATO.
- Your agency reviews the cloud.gov P-ATO materials and your customer system ATO materials together.
- Your System Security Plan should document that your system inherits some controls (partially or fully) from the cloud.gov P-ATO, as well as documenting the controls handled by your system.
- Your agency issues an ATO for your system running on cloud.gov.
This does not result in an ATO for cloud.gov in general at your agency, so if another team at your agency wants to run a system on cloud.gov, your agency may need to redo some ATO work.
- Our February 2021 blog post on writing an SSP system environment description