Initiate: Agency checks whether the CSP has an existing ATO from the JAB or another agency. If yes, ask for the SA&A package for review; if no, initiate a request to tell the FedRAMP PMO whether the CSP will be pursuing an agency ATO or a JAB ATO
Apply: CSP applies to the FedRAMP PMO to become FedRAMP Compliant, or can be sponsored by an agency to become FedRAMP Compliant
Implement: CSP implements FedRAMP baseline security controls in accordance with their system categorization
Document: CSP develops an SSP to document controls - CMP, CP and CP Test
Assess
Categorize system
3PAO creates a Security Assessment Plan
3PAO performs initial and periodic assessments of CSP security controls
3PAO conducts security tests and produces a Security Assessment Report and POAM
Authorize: Agency reviews the SA&A package (SAR, POAM and SSP) to either issue an ATO, issue an Interim ATO, deny an ATO, or leverage an existing ATO from the JAB (Agency ATO or JAB ATO)
Monitor
Agency and PMO staff review continuous monitoring artifacts available in the FedRAMP secure repository periodically
Make continuous monitoring artifacts available in the FedRAMP secure repository
Report: Agencies report CSPs that they think cannot meet FedRAMP requirements