The Difference Between ATO and P-ATO FedRAMP Authorization
For so many organizations, especially government agencies, it can feel like compliance requirements are increasing each day. It can be a challenge to keep up with all the necessary requirements Cloud Service Providers must meet. FedRAMP is one such requirement.
There are two types of FedRAMP, or The Federal Risk and Authorization Management Program, authorizations: a Provisional Authority to Operate (P-ATO) from the Joint Authorization Board (JAB) and an Agency Authority to Operate (ATO). Both the ATO and the P-ATO place a particular focus on cloud service providers having the appropriate security measures in place to protect sensitive data. This is especially vital for government agencies who are required to only use service providers with the appropriate authorizations.
It is also important to learn more about the body that supplies the provisional ATO. The JAB consists of the chief information officers from the Department of Defense (DoD), the Department of Homeland Security (DHS), and the General Services Administration (GSA) and is supported by technical representatives from all respective member organizations. The JAB acts as an authorization body that can conduct security assessments and ensure the appropriate measures are in place to protect data.
If you want to work with a cloud service provider that is FedRAMP ATO or P-ATO compliant, it’s important to understand the reason they are aligning with these compliance standards. Data is more vulnerable than ever, especially data used by the government and its agencies. These are common targets for data breaches, and it’s important that all necessary action is taken to protect that data.
Choosing to work with a cloud service provider is an important decision for your agency, making it imperative that you are also familiar with the authorization process.
ATO vs. P-ATO FedRAMP Authorization
So, what are the precise differences between an Agency FedRAMP ATO and P-ATO? There’s more to their differences than just the word “provisional”. These two types of authorizations have different requirements and must be treated differently by government agencies. Let’s look at these ATO and P-ATO status requirements to gain a better understanding of which partner is right for you.
Authority to Operate
For an organization to earn its FedRAMP authorization, they must go through a strenuous authorization process. FedRAMP suggests that any cloud service provider interested in pursuing a FedRAMP authorization for their cloud service offering should start by establishing an authorization strategy that addresses each of these four distinct stages.
These four authorization phases include:
- Partner Establishment
- Full Security Assessment
- Authorization Processes
- Continuous Monitoring
Let’s take a closer look at each phase for a better understanding of the ATO authorization process.
First, the cloud service provider works with the assigned agency sponsor. This sponsor is tasked with reviewing the company’s security package, conducting an assessment, and identifying areas in which adjustments need to be made. After the security assessment, the head of an agency grants the ATO.
Full Security Assessment
One specific designation that should be remembered is that a FedRAMP ATO is only applicable for the agency that granted the authorization. This means if the cloud service provider wants to work outside that agency, with a different governmental agency, they must go through another stage of the authorization process.
So, because an ATO is not a blanket authorization, agencies should remember this when searching for cloud service providers. After a cloud service provider has its authorization and other agencies want to work with them, each agency will evaluate the ATO for themselves. They will assess the authorization package compared to their own security requirements to determine if this cloud service provider meets their needs. If so, they can work with the cloud service provider free of worry.
Finally, continuous monitoring must be conducted to ensure security measures are still operating effectively. Each month, cloud service providers must submit a set of monitoring deliverables to the different agency partners who use their services. They also must conduct an annual security assessment of their entire operation to ensure they’re in alignment with current and new security requirements to maintain their FedRAMP ATO.
Provisional Authority to Operate
A FedRAMP P-ATO can be viewed as the first step for a cloud service provider toward earning a FedRAMP ATO. When a cloud service provider has a P-ATO, they have received initial approval from the JAB, allowing the agency to work with them. To earn a P-ATO, a service provider must be reviewed by the JAB and receive a provisional authorization.
While the JAB is made up of representatives from the DoD, the DHS, and the General GSA, this board does not assume the risk for any federal agency. Instead, JAB does represent all federal agencies in the quest to obtain secure working relationships with cloud service providers. The JAB may vet a cloud service provider and grant them a P-ATO, but it is still up to the individual agencies to grant authorizations themselves.
There is a significant benefit to earning a P-ATO issued by the JAB for cloud service providers. Because service providers must meet the most stringent FedRAMP authorization requirements, further evaluation of security measures is not necessary. So, agencies won’t need to do their own security risk assessments before granting an ATO. They can trust all the essential measures are in place.
If you are an agency interested in working with a cloud service provider, it’s important to have an in-depth understanding of both the ATO and P-ATO process. Only then can you maintain FedRAMP compliance, and ensure sensitive data is secure.
Learn more about government standards in relation to data protection. Download this free ITAR compliance guide now.
About Martin Horan
Founder of FTP Today and an expert in secure file transfer and Internet protocols. A software and IT geek since a young age, Martin has successfully led his companies through the digital age by spotting market niches and filling them with quality IT services.