FedRAMP authorization is one of the most sought-after compliance certifications for cloud service providers. Federal agencies are turning to cloud technology and SaaS software to support responsive data management, and that means maintaining critical security over cloud connections and file transfers. This means that cloud providers must achieve Authority to Operate (ATO) designation prior to working with these federal agencies. 

With that in mind, while there are standard procedures for all FedRAMP certifications, there are also multiple paths. Depending on who the CSP chooses to work with, that could mean a more general approach that requires refinement or an agency-specific approach that might change depending on the nature of the agency and the data they utilize. 

Here, we’ll break down the difference between the FedRAMP ATO and Provisional Authority to Operate (P-ATO). 

What is the FedRAMP Certification Process?

The FedRAMP certification process is long and rigorous but relatively straightforward. With the help of a skilled 3PAO, a cloud service provider can maximize their security infrastructure to meet the demands of handling federal data with an agency partner. 

Typically, an agency puts out an RFP for cloud services and a provider that offers those services. That RFP will state the necessity of having FedRAMP certification at a specific Impact Level alongside any other requirements. At this phase, known as Partner Establishment, the CSP and the agency agree to work together contingent on the CSP’s achievement of FedRAMP certification. 

Following that, the CSP and their 3PAO work together to accomplish the following security assessments:

1. Create an in-depth report on the security controls in place at the CSP, and the controls needed to meet the Impact Level required. This is the System Security Plan.
2. Produce a thorough plan to test and measure the CSPs capabilities and controls against FedRAMP compliance, including penetration testing and vulnerability assessment. This is the Security Assessment Plan.
3. Compile and produce a report on the results of that assessment, including any necessary remediation steps to take to address security issues. This is the Security Assessment Report.
4. Provide a plan for Continuous Monitoring after authorization to ensure continued compliance and security. 

By and large, these steps are the same for all companies. The primary differentiator for many CSPs will be whether they pursue FedRAMP authorization directly through an agency, or more generally through the FedRAMP governing bodies themselves. This means that there are two authorization designations at the end of the FedRAMP process: ATO or P-ATO. 

What is the Difference Between JAB and Agency Authorization?

The Joint Authorization Board (JAB) is a governing body within the FedRAMP compliance framework that takes responsibility for decision-making and certain authorizations. This organization is composed of Chief Information Officers and other figures from federal organizations like the Department of Defense, the Department of Homeland Security, and the General Services Administration. 

As the governing body, JAB is responsible for managing the implementation of procedures and processes for FedRAMP authorization. This also means that they work closely with guidance from the National Institute of Standards and Technology (NIST) Special Publications and the Federal Information Security Modernization Act (FISMA) standards. 

This also means that they can serve as an authorization body for CSPs looking for FedRAMP certification. This presents a challenge, however, in that while FedRAMP has overarching requirements for compliance, individual agencies will have specific requirements based on their operations, needs, and the information managed. 

With that in mind, CSPs can follow two authorization paths:

1. Authorization to Operate, which is granted by a specific federal agency
2. Provisional Authority to Operate, which is granted by JAB

While there are core similarities between these two designations, there are also critical distinctions. 

What is the Difference Between ATO and P-ATO?

The most important difference between an ATO and a P-ATO is applicability. 

An ATO is tailored towards a specific agency, which means a few different things for the CSP:

1. The ATO granted is not a blanket certification to work with federal agencies. If a CSP receives their ATO as a partner with one agency, other agencies that want to work with that CSP will evaluate their compliance and certification and determine if there are additional requirements.
2. The ATO will certify the CSP to work with the agency at its required Impact Level. So, if the agency requires High Impact, then the CSP must meet that requirement. This can change between agency RFPs.

Conversely, the P-ATO designation suggests a different situation:

1. The P-ATO could be considered a blanket pre-authorization. JAB cannot determine proper ATO requirements for each agency, but they can provide this level of authorization that can CSPs with individual agency requirements.
2. P-ATO is at the Moderate Impact baseline as defined by FIPS 199. 

 So why get a P-ATO rather than an ATO designation? One of the more important reasons is that the process of getting a P-ATO through JAB is that it can streamline the process much more readily than working with a specific agency. Since P-ATO is at the Moderate Level, you have a reasonable middle ground for adjusting security controls based on the need of individual agencies. Likewise, you’ll be able to adapt your infrastructure more quickly because it has already been positioned for success within the FedRAMP framework. 

That being said, a P-ATO also requires the additional step of becoming “FedRAMP Ready”, where the CSP works with their 3PAO to demonstrate that their organization is ready for the process. This requirement isn’t present in agency-driven compliance requirements and adds additional time and cost to the process. 

Finally, even completing FedRAMP compliance makes you more secure. The requirements are strong to handle sensitive federal data, which means that preparing yourself for FedRAMP positions you to have top-notch security that could benefit additional efforts for compliance frameworks in other industries. 

Conclusion

FedRAMP compliance isn’t undertaken lightly. Regardless of whatever road you take towards compliance, you’ll be expected to meet rigorous standards to protect important government data. Even with a high demand for cloud platforms and SaaS products, the government expects its providers to meet the same high standards that they do. Fortunately, the work is worth it, as federal IT work is both lucrative and rewarding. 

The most important step you can take, however, is to plan and be ready for whatever path you want to take. A P-ATO could be beneficial for your organization in a number of ways, but there will be a tradeoff between those benefits and the time and money it might cost to achieve. If you have a potential partnership with an agency, then more likely than not you’ll be moving towards an ATO with that agency. 

The best thing you can do is to vet your 3PAO so that you’re working with a partner that can help you navigate the process. A solid 3PAO can make the work of FedRAMP authorization much, much simpler through their expertise and automation tools. 

Are you considering getting your ATO or P-ATO for federal IT and cloud provision?

Contact Lazarus Alliance, a certified FedRAMP 3PAO, at 1-888-896-7580 or through the form below to learn how we can help you navigate the process.