Rev5 Agency Authorization

1. Preparation

Readiness Assessment

In the Readiness Assessment step, a CSP may elect to pursue the FedRAMP Ready designation, which is optional for the Agency Authorization process. To achieve the FedRAMP Ready designation, a CSP must work with an accredited Third Party Assessment Organization (3PAO) to complete a Readiness Assessment of its service offering. The Readiness Assessment Report (RAR) documents the CSP's capability to meet federal security requirements.

FedRAMP Ready indicates that a 3PAO attests to a CSO’s security capabilities, and that a Readiness Assessment Report (RAR) has been reviewed and deemed acceptable by the FedRAMP. FedRAMP Ready is only available at the moderate and high impact levels, is valid for one calendar year from date of designation and no agency partner is needed to achieve FedRAMP Ready.

Pre-Authorization

During the Pre-Authorization step, a CSP formalizes its partnership with an agency by submitting an In Process Request (IPR) letter and Work Breakdown Structure (WBS) to intake@fedramp.gov. Once FedRAMP receives formal partnership confirmation from an agency in the form of an IPR and WBS, a CSP is able to obtain an In Process listing on the FedRAMP Marketplace. A CSP should begin to work with their agency partner to undergo the authorization process. They make any necessary technical and procedural adjustments to address federal security requirements and prepare the security deliverables required for authorization.

By this stage, a CSP should:

• Have a system that is fully built and functional
• Have a leadership team that is committed and fully on board with the FedRAMP process
• Submitted a CSP Information Form (which will assign a FedRAMP ID)
• Determine the security categorization of the data that will be placed within the system using the FedRAMP Federal Information Processing Standards (FIPS) 199 Categorization Template (located in Appendix K of the System Security Plan (SSP) template, along with the guidance of FIPS Pub 199 [PDF - 78KB] and NIST Special Publication 800-60 Volume 2 Revision 1 to correctly categorize their system based on the types of information processed, stored, and transmitted on the systems

The final step in Pre-Authorization, and always a best practice, is to prepare for and conduct a Kickoff Meeting. During the Kickoff Meeting, a CSP and agency will discuss:

• The background and functionality of the cloud service
• The technical security of the cloud service, including the system architecture, the authorization boundary, data flows, and core security capabilities
• Customer responsible controls that must be implemented and tested by the Agency
• Compliance gaps and remediation plans
• A work breakdown structure, milestones, and next steps

2. Authorization

Full Security Assessment

During the Full Security Assessment step, the 3PAO performs an independent audit of the system.

At the conclusion of testing, the 3PAO develops a Security Assessment Report (SAR) which details their findings from testing and includes a recommendation for FedRAMP Authorization.

The CSP will then develop a Plan of Action and Milestones (POA&M) based on the SAR findings, and include input from the 3PAO, which outlines a plan for addressing the findings from testing.

Agency Authorization Process

The next step is the Agency Authorization Process. During this step, the agency conducts a security authorization package review, which may include a SAR debrief. Depending on the results of the agency’s review, CSP remediation may be required. During this phase, the agency may implement, document, and test customer responsible controls. Alternatively, the agency may choose to perform these steps after issuing the ATO. Finally, the agency performs a risk analysis, accepts risk, and issues an ATO. This decision is based on the agency’s risk tolerance. Once an agency provides an ATO letter for the use of the CSO, the following actions take place to close out this step:

• The CSP uploads the Authorization Package Checklist and the complete security package (SSP and attachments, POA&M, and Agency ATO letter), with exception of the security assessment material, to FedRAMP’s secure repository.
• The 3PAO uploads all security assessment material (SAP, SAR, and attachments) associated with the CSO security package to FedRAMP’s secure repository.

The FedRAMP PMO performs a review of the security assessment materials for inclusion into the FedRAMP Marketplace. The FedRAMP Marketplace listing for the service offering will be updated to reflect FedRAMP Authorized status and the date of authorization. In turn, the CSO security package will be made available to agency information security personnel, to issue subsequent ATOs, by completing the FedRAMP Package Access Request Form [PDF - 278KB].

The FedRAMP PMO requests agencies to send their ATO letters for any FedRAMP-Authorized CSO to ato-letter@fedramp.gov.

The full security assessment may be prepared in advance of the authorization phase, or completed during the authorization phase. This is dependent on the agency’s review approach.

3. Continuous Monitoring

Post Authorization

During the continuous monitoring phase, the CSP is required to provide periodic security deliverables (vulnerability scans, updated POA&M, annual security assessments, incident reports, significant change requests, etc.) to all agency customers. Further detail can be found in the Continuous Monitoring Strategy Guide [PDF - 1.1MB].

Each agency using the service reviews the monthly and annual continuous monitoring deliverables. CSPs use the FedRAMP secure repository for posting monthly continuous monitoring material for ease of access and sharing with agency representatives.