cloud playbook

FedRAMP playbook walks agencies through the ATO process

The Federal Risk and Authorization Management Program is designed to help federal agencies quickly gain access to cloud-based solutions. The recently released FedRAMP Agency Authorization Playbook distills five years of experience from helping agencies with issuing an authority to operate, offering step-by-step guidance and best practices.

“We’ve seen agencies contend with a dramatic increase in demand for cloud service providers in their own agencies -- this actionable playbook is an attempt to codify what we learned through our own processes and the nearly 1,000 conversations we have had with agencies and CSPs related to their FedRAMP experience over the last year,” FedRAMP Director Matt Goodrich told GCN via email. “We view the playbook as a value-add for both agencies and customers that will reduce the time and cost associated with cloud adoption.”

“This playbook provides a simple, user-friendly guide that outlines each step in the FedRAMP agency authorization process that highlights specific roles and responsibilities for each stakeholder, best practices and helpful resources to efficiently yield an agency authorization,” Goodrich added.

The playbook breaks the ATO process into three phases: preauthorization, during authorization and post-authorization.  It outlines the purposes and outcomes of the each phase, the roles for agencies, CSPs and 3PAOs, best practices and provides links to resources and templates.

The preauthorization phase starts with the establishment of partnership between the agency, the CSP, the FedRAMP program management office and the 3PAO and is followed by planning for the authorization, confirming resources and crafting a project plan with milestones, schedules and deliverables.  It also requires a clear understanding of each partner's responsibilities.

The during-authorization phase takes approximately 12 weeks and starts with kickoff meeting to discuss what is needed to complete the review process. The agency then reviews the CSP's security authorization package for overall quality and risk in addition to checking for compliance with federal requirements.

Once the review is complete, the agency works with the CSP to create a remediation plan and provides feedback to ensure that the system is at an acceptable level of risk for the agency. After issues have been resolved, the agency submits the cloud service offering package to the agency authorizing official for approval.

Once the ATO is granted, the post-authorization phase determines the next steps for continuous monitoring to ensure that the products authorized meet agency needs and can satisfy questions or concerns that arise.

The playbook is the latest effort to streamline agency cloud migrations. In July, FedRAMP changed the provisional authorization process to make it easier for cloud service providers to provide the Joint Authorization Board with key details on their products. In September, it

launched the FedRAMP Tailored program, a faster approval process for cloud service providers with low-impact software-as-a-service offerings.

“Agencies play a powerful role in expanding the number of FedRAMP-authorized cloud offerings across the federal government, and we are excited to deliver this tool to our customers,” Goodrich said.

Read the full playbook here.  

About the Author

Sara Friedman is a reporter/producer for GCN, covering cloud, cybersecurity and a wide range of other public-sector IT topics.

Before joining GCN, Friedman was a reporter for Gambling Compliance, where she covered state issues related to casinos, lotteries and fantasy sports. She has also written for Communications Daily and Washington Internet Daily on state telecom and cloud computing. Friedman is a graduate of Ithaca College, where she studied journalism, politics and international communications.

Friedman can be contacted at or follow her on Twitter @SaraEFriedman.

Click here for previous articles by Friedman.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.