Over the last few weeks, we at CORAS have been speaking with a lot of Federal Agencies and members of the Department of Defense concerning our FedRAMP High Authorization for CORAS Federal. We've noticed a trend, though, in that Agency folks know they should be asking about FedRAMP but aren't sure what FedRAMP's Provisional Authority to Operate (P-ATO) means for them.
In this brief high-level article, I'll be sharing information from the government's websites to help explain what the P-ATO is and what the role is for the purchasing Agency. If you've noticed that I've gotten anything wrong, please feel free to point it out in the comments below.
What is a P-ATO?
Many Agencies are used to having to create their own Authorizations to Operate (ATO). The purchasing department needs to work with the Agency's own internal security group, do the research and testing of the product, and issue their own ATO specific for their single Agency.
To aid agencies in their move to cloud-based products, the Federal Risk and Authorization Management Program (FedRAMP) performs security evaluations on cloud services. The outcome of this effort is a Provisional Authority to Operate (P-ATO) for those products that pass the evaluation. The evaluations are sponsored either by a specific Agency or by the FedRAMP Joint Authorization Board (JAB), which is made up of the CIOs of the General Services Administration, Department of Defense, and Department of Homeland Security.
When a cloud service is reviewed by the FedRAMP JAB, the JAB is reviewing it on behalf of all agencies throughout the government, not a specific agency. Cloud services that pass the FedRAMP JAB review process are issued a P-ATO. While FedRAMP also offers Low and Moderate security impact levels, CORAS Federal is authorized at the High impact level, ensuring it is a trustworthy service for government information.
Agency Using the P-ATO
The goal of FedRAMP is to enable Agencies to leverage security authorizations for cloud products and services on a government-wide scale. To that end, the FedRAMP process makes it straightforward for Agencies to find, authorize, and purchase authorized products.
The challenge, though, is each Agency's security needs are unique. While we would like to view the government as a single monoculture, the truth is each Agency has different requirements, constraints, and security needs for its information. To that end, when purchasing a FedRAMP authorized cloud service, the purchasing Agency must understand their security requirements and ensure the cloud service meets them.
FedRAMP offers a nice one-page document on this process, found here: Reusing Authorizations for Cloud Products Quick Guide. This document guides the Agency through the four steps for using the FedRAMP P-ATO: find authorized cloud services, conduct Agency-specific risk and security analysis, issue an ATO that is shared with FedRAMP, and join the continuous monitoring (ConMon) process along with other Agencies.
The FedRAMP JAB authorization process removes most of the burden from an Agency's security and IT teams. FedRAMP performs the heavy lifting of ensuring the security of an environment for government use, generating the P-ATO as a result. Agencies take advantage of this effort by reviewing the security package already organized and vetted by FedRAMP and comparing it against their Agency's specific security needs.
Cloud services meeting the Agency's requirements are issued an ATO, which is submitted to FedRAMP, and the service then participates in the ongoing security monitoring. Built and authorized for High Impact, the CORAS Federal cloud service should pass most agencies' requirements without any issues.
Through working with FedRAMP JAB, CORAS has gone through a thorough review of our security and compliance processes. The resulting High Authorization P-ATO allows Agencies who are reviewing the CORAS Federal cloud service to focus their time and effort on reviewing the pieces that serve their Agency's missions.