What Are the FedRAMP Compliance Requirements to Become FedRAMP Certified?
There are two ways for a CSP to meet FedRAMP compliance requirements and become a FedRAMP-certified vendor: obtain a Provisional Authorization to Operate (P-ATO) through the Joint Authorization Board (JAB), or obtain an Authorization to Operate (ATO) by working directly with a government agency.
The JAB is the primary governing body of the FedRAMP program and consists of the Department of Defense (DoD), Department of Homeland Security (DHS), and General Services Administration (GSA). The JAB issues a FedRAMP Provisional Authorization to Operate (P-ATO) to a CSP after its risk has been assessed by an approved third-party assessment organization (3PAO).
Understandably, because CSPs are assessed by the Department of Defense, Department of Homeland Security, and General Services Administration, the process leading up to the issuance of a P-ATO is stringent. The authorization is provisional because the JAB does not have the authority to accept risk on behalf of any other federal agency; that authority lies with the Authorization Officer (AO) of the specific federal agency.
To obtain an Authorization to Operate (ATO), a CSP works directly with a specific agency through the Agency Authorization process. Here, the federal agency partner works with the CSP from the outset, approves the CSP, and arranges approval for the CSP from the FedRAMP Program Management Office. Once approved, the CSP is issued an ATO, which authorizes it to work with that specific agency.