FedRAMP®
No ATO Letter on File, No Problem


It used to be the case that if a Cloud Service Provider (CSP) no longer had an active Authority to Operate (ATO) letter on file, the FedRAMP PMO would begin the process of removing that CSP from the FedRAMP Marketplace. FedRAMP requires that each product listed on its Marketplace have a letter from an Agency that acknowledges the security and compliance responsibilities of those involved. With the JAB gone and the PMO no longer performing ConMon, this has put several CSPs in a challenging spot. Thankfully, FedRAMP is addressing this problem with a new model that allows CSPs to stay on the Marketplace, so long as certain conditions are met.
So, what are those new conditions?
- Submit Monthly ConMon Deliverables
- Conduct Annual Assessment
- Deliver Risk Briefing
CSPs should continue to do their ConMon and share that documentation to a secure repository. They should also continue working with a 3PAO to perform annual assessments. Once a CSP gets the commitment from an Agency to issue an ATO letter for their product, they should be ready to brief that Agency on their current risk posture and answer any questions from their ConMon and annual assessment activities.
The old process presented a challenge because many CSPs have multiple federal agency customers, yet not all of those agencies issue an ATO letter. Issuing one acknowledges that the agency is taking a formal position on continuous monitoring oversight, a commitment it may not have been ready to fully make. There are often situations where only a single ATO letter is on file. If that single letter was not updated, or if it was rescinded, the CSP was left needing to appeal to existing agency customers, or seek out new ones, willing to issue an ATO letter to save the CSP’s Marketplace listing.
Keeping an active Marketplace listing is crucial, as the only way to get re-listed is to go through the entire authorization process again. This means repeating all the authorization steps with no recognition of the work previously completed. With the new model in place, CSPs will be able to keep their Marketplace designation while seeking out new agencies to issue ATO letters and take on that oversight role.
FedRAMP will be adding new language to “FedRAMP Authorized” Marketplace listings that are affected by having no ATO letters on file. This language will be placed within the Additional Information field and reads as follows:
“This cloud service offering lacks continuous monitoring oversight from FedRAMP or any federal agency. Agencies considering using this service should review the Cloud Service Provider's security documentation in their secure repository, directly coordinate with the CSP, and conduct their own evaluation before making an Authority to Operate (ATO) decision. Once an agency issues an ATO, agencies should submit their ATO letters to FedRAMP.”
This change marks a major improvement for all parties involved. CSPs can worry less about falling back to square one as the result of having no ATO letters on file. 3PAOs can continue to perform assessment work that provides valuable information on CSP risk posture. Federal agency customers will have visibility into products that have been vetted through prior authorization. Lastly, the FedRAMP PMO will operate more efficiently by not having to perform redundant review activities on these Cloud Service Offerings (CSOs).