FedRAMP Authorized

cloud.gov has a Provisional Authority to Operate (P-ATO) at the Moderate impact level from the FedRAMP Joint Authorization Board (JAB).

How this P-ATO helps your team

This P-ATO represents a comprehensive security and compliance assessment that enables federal agencies to start using cloud.gov with significantly reduced effort.

Historically, each agency would have to conduct its own in-depth assessment of cloud.gov’s security and compliance before allowing its teams to use it. This means the federal government would need to do redundant, labor-intensive work.

FedRAMP (Federal Risk and Authorization Management Program) solves that problem. It coordinates a Joint Authorization Board (JAB) made up of the three Chief Information Officers of DoD, DHS, and GSA. These CIOs and their teams assessed cloud.gov using rigorous standards for security and compliance, and because cloud.gov met the requirements, they endorsed this P-ATO. This means other agencies don’t have to repeat that in-depth assessment.

How you can use this P-ATO

Any federal agency can use the cloud.gov P-ATO as part of the ATO for an agency system built on cloud.gov, which substantially reduces the effort required to give that system an ATO. If you’re interested in this, you can request the P-ATO documentation package from FedRAMP (the Package ID for that form is F1607067912). You can also view the FedRAMP Marketplace page for cloud.gov.

For a quick summary, you can download the Control Implementation Summary + Customer Responsibility Matrix (.xlsx), which lists whether each Low and Moderate security control is handled by cloud.gov, is a shared responsibility, or is a customer responsibility.

The majority of federal systems are at the Low and Moderate impact levels, which can be hosted on cloud.gov. cloud.gov can’t yet host High impact systems.

FedRAMP requires cloud.gov to maintain continuous monitoring and undergo annual re-assessment to retain the P-ATO, which gives your agency ongoing assurance that cloud.gov is compliant.

Sharing our work for reuse

We plan to publish much of the documentation from our P-ATO package, as part of our open source system documentation, after we add context for public release.

As a government team with a mission to support agency efforts to improve the way they deliver services to the public, we want our compliance documentation to be available as a model that helps additional Platform as a Service providers (including commercial providers) write the documentation they need to achieve FedRAMP JAB P-ATO as well.