Developing a System Security Plan (SSP) and ATO decision support package can be a daunting challenge, especially as you move mission-critical applications to the cloud. One way to expedite the process and benefit from the lessons learned by those who went before you is to leverage the Provisional Authority to Operate (P-ATO) documents available to Federal security teams, Risk Managers and Authorizing Officials through FedRAMP.
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP is designed around a “do once, use many times” framework that saves the cost, time, and staff required to conduct agency security assessments.
FedRAMP promotes a uniform risk management approach conforming with the Risk Management Framework. It uses a standard set of approved, minimum security controls for FISMA Low and Moderate Impact protection (and the recently announced FedRAMP High controls) that are the same as those contained in NIST SP 800-53r4, and it has a consistent assessment process that leads to a provisional Authority to Operate.
What is a P-ATO?
A FedRAMP P-ATO is an initial approval of the Cloud Service Provider (CSP) authorization package by the FedRAMP Joint Authorization Board that an executive department or agency can leverage to grant a security authorization and an accompanying ATO for the acquisition and use of the cloud service within their agency. The FedRAMP JAB consists of the Chief Information Officers (CIOs) from DOD, DHS, and GSA, supported by designated technical representatives (TRs) from their respective member organizations. Before granting a P-ATO, the JAB reviews the authorization package in much the same way a leveraging agency would — by reviewing the body of evidence contained in the authorization package provided by the CSP and verified by an accredited 3PAO — to make risk-based decisions regarding the use of a cloud system.
How to Leverage P-ATOs
Leveraging existing P-ATOs is a key element in avoiding reinventing the wheel when preparing System Security Plans, developing cybersecurity strategies, and preparing for the assessment and authority to operate process for Federal agency information systems.
Leveraged provisional authorizations can be used when an agency chooses to accept some or all of the information in an existing authorization package generated by another agency, based on the need to use the same information resources — the same platform, infrastructure, software, or any combination of services. Reviewing P-ATO packages is useful for examining alternatives and strategies for your own cybersecurity strategy and risk management framework program. It can help you decide on the right common and system-specific control implementation approaches, understand how other agencies defined and controlled for risk, and see how they used the features and functions of the products and services they selected to develop and implement a continuous monitoring program, and how they decided which combination of cybersecurity automation tools best addressed the owning agency’s specific risk profile.
Reviewing multiple P-ATOs may also be useful in evaluating alternative cloud solutions, especially as more and more cloud solution options appear and as cloud implementations become increasingly complex, with different product stacks combined to deliver innovative solutions. P-ATOs can also be useful as you assess new technology, enabling you to see what the current baseline is in light of the requirements of new and emerging cloud-based products.
For agencies that have system security plans for their on-premises datacenter systems and are looking to move to the cloud, the ability to compare how you achieved ATO with your current system against how other agencies achieved P-ATO through FedRAMP has the potential to cut costs and accelerate the move to the cloud.
At a more mundane but equally important level, reviewing P-ATOs provides insight into what is an acceptable level of detail when developing your ATO package and how to define and describe your own systems, controls, testing and risk assessment process.
The process is straightforward. The leveraging agency reviews the owning agency’s authorization package as the basis for determining risk to the leveraging agency. Consider risk factors such as the time elapsed since the authorization results were produced, differences in environments of operation (if applicable), the impact level of the information to be processed, stored, or transmitted, and the overall risk tolerance of your agency. Determine whether additional security measures are needed. You may also wish to discuss with the owning agency their decision process and the nuances of their system environment.
Cybersecurity reciprocity, that is, leveraging existing P-ATOs, is an essential element in transitioning to the Risk Management Framework, ensuring IT capabilities are developed and fielded rapidly and efficiently across the Federal information environment. Applied appropriately, leveraging P-ATOs reduces redundant testing, assessment and documentation, and the associated costs in time and resources.
Please give us a call or send us an email if you’d like more information on leveraging P-ATOs and using product blueprints to accelerate moving to the cloud and receiving and maintaining authority to operate.