An official website of the United States government US flag signifying that this is a United States Federal Government website

FedRAMP Authorized

FedRAMP Authorized has a Provisional Authority to Operate (P-ATO) at the Moderate impact level from the FedRAMP Joint Authorization Board (JAB).

How this P-ATO helps your team

This P-ATO represents a comprehensive security and compliance assessment that enables federal agencies to start using with significantly reduced effort.

Historically each agency would have to conduct their own in-depth assessment of’s security and compliance before allowing their teams to use it. This means the federal government would need to do redundant labor-intensive work.

FedRAMP (Federal Risk and Authorization Management Program) solves that problem. It coordinates a Joint Authorization Board (JAB) made up of the three Chief Information Officers of DoD, DHS, and GSA. These CIOs and their teams assessed using rigorous standards for security and compliance, and because met the requirements, they endorsed this P-ATO. This means other agencies don’t have to repeat their in-depth assessment.

For DoD teams: the Defense Information Systems Agency (DISA) categorizes FedRAMP Moderate as equivalent to DISA impact level two, and they have issued a DoD Provisional Authorization for at DISA impact level two.

How you can use this P-ATO

Any federal agency can use the P-ATO as part of the ATO for an agency system built on, which substantially reduces the effort required to give that system an ATO. If you’re interested in this, you can request the P-ATO documentation package from FedRAMP (the Package ID for that form is F1607067912). You can also view the FedRAMP Marketplace page for

For a quick summary, you can download the Control Implementation Summary + Customer Responsibility Matrix (.xlsx), which lists whether each Low and Moderate security control is handled by, shared responsibility, or customer responsibility.

The majority of federal systems are at the Low and Moderate impact levels, which can be hosted on can’t yet host High impact systems.

FedRAMP requires to maintain continuous monitoring and undergo annual re-assessment to retain the P-ATO, which gives your agency ongoing assurance that is compliant.

Sharing our work for reuse

We plan to publish much of the documentation from our P-ATO package, as part of our open source system documentation, after we add context for public release.

As a government team with a mission to support agency efforts to improve the way they deliver services to the public, we want our compliance documentation to be available as a model that helps additional Platform as a Service providers (including commercial providers) write the documentation they need to achieve FedRAMP JAB P-ATO as well.