cloud.gov has a Provisional Authority to Operate (P-ATO) at the Moderate impact level from the FedRAMP Joint Authorization Board (JAB). This means cloud.gov has undergone a significant, thorough security and compliance review so that your agency can focus on reviewing the parts of the system that serve your mission more directly.
What is a P-ATO?
The Federal Risk and Authorization Management Program (FedRAMP) evaluates cloud services and issues a Provisional Authority to Operate (P-ATO) to those that pass review. Those come in two flavors: Agency and JAB. Both authorizations look at a standardized set of FISMA and NIST requirements, and both can be used by other agencies in their ATO process. The difference is that the Joint Authorization Board (JAB) is convened to review a cloud service that is, and should be, used throughout the government. The members of the JAB are the CIOs of the General Services Administration, Department of Defense, and Department of Homeland Security. They issue a P-ATO for cloud services that pass their review, authorizing those services to run systems holding government data at specific impact levels. cloud.gov has an authorization at the moderate level, which means it is a vetted and trustable service for data where the impact of loss is limited or serious — but not catastrophic.
Once that P-ATO is granted, FedRAMP requires cloud.gov to undergo re-assessment every year and maintain continuous monitoring. This gives your agency ongoing assurance that cloud.gov is compliant.
For DoD teams: the Defense Information Systems Agency (DISA) categorizes FedRAMP Moderate as equivalent to DISA impact level two (IL2), and DISA has issued a DoD Provisional Authorization for cloud.gov at impact level two. Some points to bear in mind:
- The FedRAMP package (see below) includes the DISA Provisional Authorization (PA) letter for your reference.
- Per the PA and the DoD Cloud Computing SRG, the artifacts available to an Authorizing Official (AO) are those included in the FedRAMP-approved package. The Cloud Computing SRG has a useful illustration to that effect, “DoD Continuous Monitoring for CSOs with a FedRAMP JAB PA”.
- To meet the intent of OMB and DoD policies that cloud authorization follow a “do once, use many times” framework, cloud.gov will not provide artifacts that are already encompassed by the FedRAMP authorization and continuous monitoring program.
How you can use this P-ATO
Your agency still needs to grant your system an Authority to Operate, but FedRAMP has done the labor-intensive work of reviewing cloud.gov’s security posture and endorsed it, which reduces the compliance work you need to do. Your agency’s authorizing official can request the P-ATO documentation package from FedRAMP and accept that endorsement for your own system. See ATO process for the typical workflow.
Here’s how it works: Every “moderate” impact federal system is required to account for a baseline of about 325 controls before it can be granted an ATO. Once cloud.gov’s P-ATO is reviewed and accepted, many of those requirements are already implemented and documented. Of the remaining requirements, responsibility for most is shared between cloud.gov and your application, and only some of them are fully yours.
Here’s an example of a control breakdown for a simple moderate-impact system hosted on cloud.gov:
The Control Implementation Summary + Customer Responsibility Matrix + Control-by-Control Inheritance (.xlsx) (last updated November 7, 2018) is a summary of each Low and Moderate security control and whether it is handled by cloud.gov, shared responsibility, or customer responsibility. It includes guidance on which controls a customer system can fully or partially inherit from cloud.gov.
Start the ATO process
If you want to authorize cloud.gov, request the P-ATO documentation package from FedRAMP (the Package ID for that form is F1607067912). You can also view the FedRAMP Marketplace page for cloud.gov.