Agency

  • Agencies – use the FedRAMP process when conducting risk assessments, security authorizations, and granting an ATO to a cloud service.
  • Agency roles in FedRAMP
    • Initiate – The agency checks whether the CSP has an existing ATO from the JAB or other agencies. If yes, it asks for the SA&A package for review; if no, it initiates a request to tell the FedRAMP PMO whether the CSP will be pursuing an agency ATO or a JAB ATO
    • Apply
    • Authorize – The agency needs to review the SA&A package (SAR, POA&M and SSP) to either issue an ATO, issue an interim ATO, deny an ATO, or leverage an existing ATO from the JAB (agency ATO or JAB ATO)
    • Monitor
      • Agency reviews continuous monitoring artifacts available in the FedRAMP secure repository periodically
  • Report – The agency reports CSPs that it thinks cannot meet FedRAMP requirements