How this P-ATO helps your team
This P-ATO represents a comprehensive security and compliance assessment that enables federal agencies to start using cloud.gov with significantly reduced effort.
Historically, each agency would have had to conduct its own in-depth assessment of cloud.gov’s security and compliance before allowing its teams to use it. This meant the federal government would be doing redundant, labor-intensive work.
FedRAMP (Federal Risk and Authorization Management Program) solves that problem. It coordinates a Joint Authorization Board (JAB) made up of the three Chief Information Officers of DoD, DHS, and GSA. These CIOs and their teams assessed cloud.gov using rigorous standards for security and compliance, and because cloud.gov met the requirements, they endorsed this P-ATO. This means other agencies don’t have to repeat their in-depth assessment.
How you can use this
Any federal agency can use the cloud.gov P-ATO as part of the ATO for an agency system built on cloud.gov, which substantially reduces the effort required to give that system an ATO. If you’re interested in this, you can request the P-ATO documentation package from FedRAMP.
For a quick summary, you can download the Control Implementation Summary + Customer Responsibility Matrix (.xlsx), which lists whether each Low and Moderate security control is handled by cloud.gov, shared responsibility, or customer responsibility.
FedRAMP requires cloud.gov to maintain continuous monitoring and undergo annual re-assessment to retain the P-ATO, which gives your agency ongoing assurance that cloud.gov is compliant.
Sharing our work for reuse
We plan to publish much of the documentation from our P-ATO package, as part of our open source system documentation, after we add context for public release.
As a government team whose mission is to support agency efforts to improve the way they deliver services to the public, we want our compliance documentation to be available as a model. It can help additional Platform as a Service providers (including commercial providers) write the documentation they need to achieve a FedRAMP JAB P-ATO as well.