Originally published at: Northern Virginia ISSA
Authors: Doug Barbin, FedRAMP Practice Leader & Bryan Graf, FedRAMP Manager and Technical Lead
A couple of weeks ago, the GSA announced that Amazon Web Services (AWS) was granted a FedRAMP authority to operate (ATO) from the Department of Health and Human Services. Make no mistake – this is a great achievement and AWS deserves significant praise for achieving this milestone. The fact is – Amazon’s dedication to compliance has yet to be matched. In addition to FedRAMP, AWS undergoes all three SOC examinations (SOC 1, SOC 2, and SOC 3), PCI validation, ISO 27001 certification, and more.
AWS’ ATO was the first Agency ATO granted under FedRAMP and while government agencies can leverage this ATO to grant their own authorizations – what about the AWS ecosystem of CSPs that utilize the AWS platform to provide their SaaS offerings? The answer is complicated and may bring about challenges for CSP tenants of AWS trying to obtain their own authorization.
The FedRAMP program was created to accelerate the adoption of secure cloud solutions by federal agencies through reuse of assessments and authorizations. Federal agencies are required to procure services only from CSPs that have obtained an ATO. Come June of next year, this will be a hard requirement for agencies.
There are two paths for FedRAMP authorization – a Provisional Authorization or Provisional ATO from the Joint Authorization Board (JAB) or an Agency Authorization. A “FedRAMP ATO” requires an independent 3PAO assessment and use of the FedRAMP program generated reporting templates. The difference comes down to who the authorizing body is and how it can be leveraged.
Below we have listed some of the benefits and challenges of going with the JAB Provisional ATO versus an Agency ATO.
JAB Provisional ATO Benefits
- A JAB Provisional ATO is designed to be government-wide.
- The ATO can be leveraged by all federal agencies. Once a CSP obtains the ATO, agencies may review the CSP’s security package and determine if the CSP’s system meets agency needs.
- A Provisional ATO can also be leveraged by the CSP’s cloud provider tenants (or partners) that are seeking to obtain their own ATO. For example, a SaaS provider that hosts within a FedRAMP authorized IaaS provider could “carve out” that IaaS provider’s controls in their own assessment.
JAB Provisional ATO Challenges
- Really only one: length of time. At this time, there are over 100 CSPs in the queue for FedRAMP authorization. It has been reported that more than half are going the JAB Provisional ATO route. This has created a backlog of CSPs and the JAB has limited resources.
Agency ATO Benefits
- CSPs that currently serve an agency benefit from that agency already being knowledgeable about the CSP, and they may have undergone FISMA assessment and ATO-related activities in the past. As such, the review process may be more efficient.
- Agencies will inevitably have fewer ATOs to process than the JAB, increasing the likelihood of getting through the ATO process faster.
- The agency ATO still appears on the GSA listing of FedRAMP compliant CSPs.
- Certain aspects of a CSP’s agency ATO may be leveraged by other agencies. Specifically, a second agency may leverage the CSP’s independent assessment – performed by a 3PAO – in its own process to assess the CSP and grant its own ATO.
Agency ATO Challenges
- An agency ATO is only applicable to one agency.
- While federal agencies can leverage other agency ATOs, other CSPs cannot. For a CSP to obtain a JAB Provisional ATO, all aspects of the CSP’s system must be included in the FedRAMP assessment for JAB approval. If a CSP utilizes a third-party service such as an IaaS to house its system, the CSP cannot obtain a Provisional Authorization unless the third party’s IaaS system is also authorized by the JAB.
So while the AWS announcement is exciting and opens the door to government agencies, AWS tenants that offer their own cloud services will have to find either their own agency sponsor or a sponsor who is willing to accept the HHS ATO along with the SaaS provider’s authorization package. Alternatively, the CSP may have to wait for Amazon to “upgrade” to a JAB Provisional ATO, or for the PMO to change its stance and allow the HHS authorization to be leveraged. BrightLine is working with several CSPs who are going the Agency ATO route first and then moving to a JAB Provisional ATO, so this path is not foreign.
Ultimately – embedded service provider relationships are complicated. How the authorizations are combined adds another layer of complexity.