This is an outline of a typical ATO process for a customer system. All agencies handle the ATO process in their own way, so you should talk with your agency’s security compliance specialists, but this can give you a broad overview.

What’s a FedRAMP Provisional ATO?

has a FedRAMP Authorization. In precise terms, it is a Provisional Authority to Operate (P-ATO) at the Moderate impact level from the FedRAMP Joint Authorization Board (JAB). It’s normal and expected that this is a “Provisional” ATO. The JAB does not have the authority to issue an ATO for a system at your agency. Only your own agency has the authority to issue ATOs for systems that your agency uses or operates. So instead, the JAB issues a pre-authorization that your agency can review, including an audited documentation package. Any federal employee or contractor can access the package using this FedRAMP form (Package ID F1607067912). If your agency finds that the P-ATO meets their requirements, they can issue an ATO for. Here’s a template agency ATO letter (.docx).

How customer system ATOs work

First, a quick definition: a customer “system” is typically an org that contains spaces (such as staging and production spaces), applications, and service instances that serve together as sub-components of the system. The exact definition and boundary of “system” is up to your agency.

Customer ATO that inherits from ATO (ideal)

Here’s what this can look like for the first system to use at an agency. In this diagram, AOs stands for Authorizing Officials – people who can ATO a system.

[Flow diagram, only partly preserved. Surviving labels: CONCEPT (Concept for the first system on at your agency) -> START (1. Talk to AOs about plan to establish system on) -AOs request FedRAMP package-> REVIEW (2.); DEV (Work on your system and compliance materials inheriting from) -> REQUESTATO]