cloud.gov has a Provisional Authority to Operate (P-ATO) at the Moderate impact level from the FedRAMP Joint Authorization Board (JAB). This means cloud.gov has undergone a significant, thorough security and compliance review so that your agency can focus on reviewing the parts of the system that serve your mission more directly.
What is a P-ATO?
The Federal Risk and Authorization Management Program (FedRAMP) evaluates cloud services and authorizes those that pass review. FedRAMP authorizations come in two flavors: Agency and JAB. Both evaluate the service against the same standardized set of FISMA and NIST SP 800-53 requirements, and both can be reused by other agencies in their own ATO processes. The difference is that the Joint Authorization Board (JAB) is convened to review cloud services that are, or should be, used across the whole government. The members of the JAB are the CIOs of the General Services Administration, the Department of Defense, and the Department of Homeland Security. They issue a Provisional Authority to Operate (P-ATO) to cloud services that pass their review, authorizing them to run systems holding government data up to a specific impact level. cloud.gov is authorized at the Moderate level, which means it is a vetted, trustable service for data where the impact of a loss of confidentiality, integrity, or availability would be limited or serious, but not catastrophic.
Once that P-ATO is granted, FedRAMP requires cloud.gov to be reassessed every year by an independent third-party assessment organization and to maintain continuous monitoring (vulnerability scanning, plan-of-action tracking, and regular reporting to FedRAMP). This gives your agency ongoing assurance that cloud.gov remains compliant, rather than a one-time snapshot.
For DoD teams: the Defense Information Systems Agency (DISA) treats FedRAMP Moderate as equivalent to DoD Impact Level 2 (IL2), and DISA has issued a DoD Provisional Authorization for cloud.gov at IL2.
How you can use this P-ATO
FedRAMP is like an outfitter for cloud services. Your agency still needs to grant the system you want to build its own Authority to Operate, but FedRAMP has already done the labor-intensive work of reviewing cloud.gov's security posture and has endorsed it. Your agency's authorizing official can request the P-ATO documentation package from FedRAMP, review it, and accept that endorsement as the basis for the inherited controls in your own system.
Here's how it works: every Moderate impact federal system must account for a baseline of 325 NIST SP 800-53 controls before it can be granted an ATO. Your agency may choose to add more, but once cloud.gov's P-ATO is reviewed and accepted, 269 of those controls are already implemented and documented by cloud.gov. Of the remaining 56, responsibility for 41 is shared between cloud.gov and your application, and 15 are entirely yours.
By reducing the overhead of the approval process, cloud.gov lets you focus on reviewing the parts of your system that are specific to your agency's mission. The reduction covers only the inherited controls: your team still has to implement and document its side of the 41 shared controls and all 15 customer controls, and your authorizing official remains accountable for the resulting ATO.
Documents for the ATO process
If you want to use cloud.gov, request the P-ATO documentation package from FedRAMP (the Package ID to enter on the request form is F1607067912). You can also view the FedRAMP Marketplace page for cloud.gov.
The Control Implementation Summary + Customer Responsibility Matrix + Control-by-Control Inheritance (.xlsx) (last updated November 7, 2018) summarizes each Low and Moderate baseline security control and states whether it is handled by cloud.gov, is a shared responsibility, or is the customer's responsibility. It includes guidance on which controls a customer system can fully or partially inherit from cloud.gov, which is the starting point for writing your own system security plan.
When you're ready to start your agency's ATO process for a system built on cloud.gov, see ATO process for an overview of the typical workflow.