Pursuing a FedRAMP® Agency Authorization
There are two approaches to obtaining a FedRAMP Authorization: a Provisional Authority to Operate (P-ATO) issued by the Joint Authorization Board (JAB), or an Authority to Operate (ATO) issued by an individual agency. In the Agency Authorization path, an agency may work directly with a Cloud Service Provider (CSP) on an authorization at any time. A CSP that makes the business decision to pursue an ATO directly with an agency works with that agency throughout the FedRAMP Authorization process.
The Authorization Process
If the agency path is selected, the first major phase is preparation. It has two steps: pre-authorization, which is required, and readiness assessment, which is optional but highly recommended. In pre-authorization, the CSP first establishes a partnership with the agency, then completes authorization planning and participates in a Kickoff Meeting. From there, the CSP may choose to work through the optional readiness assessment step, which begins with development of a Readiness Assessment Report (RAR). The FedRAMP PMO then reviews the RAR; remediation follows only if the review identifies gaps, after which the FedRAMP Ready designation is issued.
The next major phase is authorization. Its first step is the full security assessment, which produces the security authorization package. The package comprises a number of deliverables, including the System Security Plan (SSP), Security Assessment Plan (SAP), Security Assessment Report (SAR), and Plan of Action and Milestones (POA&M). The second step is the agency authorization process, which begins with the agency's review of the security authorization package, followed by an SAR debrief, remediation, and the agency's final review. The agency then issues its ATO, and the FedRAMP PMO performs a final review, with further remediation if needed.
At this point the CSP is FedRAMP Authorized under the agency authorization process. Authorization is not the end of the obligations, however: post-authorization, the CSP must submit monthly continuous monitoring deliverables and undergo an annual assessment. Together these ensure that the security posture of the authorized offering is monitored continuously for as long as the authorization is in effect.
The resources below provide additional guidance on the Agency Authorization path. Additional technical guidance as well as FedRAMP templates are located on our Documents & Templates page under resources.
Agency Authorization Playbook
This document provides a compilation of best practices, tips, and step-by-step guidance for agencies seeking to implement ATOs.
Agency Authorization - Roles and Responsibilities for FedRAMP, CSPs, and Agencies
This document provides a summary of the roles and responsibilities of the agency, CSP, and FedRAMP PMO during the Agency Authorization process.
FedRAMP Authorization Boundary Guidance
This document provides CSPs with guidance for developing the authorization boundary for their offering(s), which is a required element of their FedRAMP Authorization package.
FedRAMP Guide for Multi-Agency Continuous Monitoring
This document provides guidance to agencies and CSPs to assist with a framework for collaboration when managing Agency ATOs.
FedRAMP Tailored Website
Provides guidance and templates for FedRAMP Tailored, a simple, condensed approach to the Authorization process for Low-Impact Software-as-a-Service (LI-SaaS) applications.