Leveraging the Provisional Authorization

Federal agencies are required by FISMA to individually accept the risk and grant an ATO before placing any Agency Data into a system. The Federal Risk and Authorization Management Program leveraging process details how agencies can use the program's Provisional Authorizations and the secure repository to grant an ATO in accordance with FISMA. Agencies must use the program when granting an ATO for a cloud service. A high-level illustration of the leveraging process is found below.

One of the primary benefits of the program is the ability for agencies to reuse the Provisional Authorizations granted by the JAB and to leverage the assessment work that has already been completed. Agencies can review the CSP's security control implementations, including evidence that these controls are implemented. Additionally, agencies can review any existing vulnerabilities and risk mitigation plans for the cloud service represented by the package.

Part of the review of the assessment package requires Federal agencies to understand control responsibility. The CIS (detailed in the security assessment process) clearly delineates, for each control, whether responsibility lies with the CSP, with the Federal agency, or is shared (hybrid). The responsibility for security control implementation varies by cloud deployment model and is detailed below.

After reviewing the security assessment package and the accompanying Provisional Authorization, agencies can then grant an ATO under their own authority.

Secure Repository

The PMO maintains a secure repository of security assessment packages that Federal agencies can leverage. The repository holds assessment packages in four different categories and includes information about how to review the current version of each security assessment package.

The different categories of assessment packages offer flexibility for Federal agencies and CSPs, allowing security assessments to be leveraged in different ways. When reviewing a security assessment package, an agency can determine the level of review the package has received, as well as the risk exposure associated with the cloud service.

CSP Supplied

The CSP self-supplies a security assessment package using the Federal Risk and Authorization Management Program process. The CSP follows the security assessment process utilizing internal ISSOs and an accredited 3PAO. The PMO reviews the package for completeness and ensures that all the required documents and templates were used; however, neither the JAB nor a Federal agency has made a risk-based decision about the security control implementations.

Level of Review: None

Assessment of Risk: Utilized an accredited 3PAO annually based on the security assessment anniversary date

All materials in a CSP supplied security assessment package must be current, so the PMO requires CSPs to re-submit all assessment materials at the time of the CSP's annual self-attestation SDOC letter.

Agency ATO

Agencies must use the Federal Risk and Authorization Management Program process as a framework to grant an ATO when they wish to use a cloud service that is not in the secure repository. Federal agencies must follow the security assessment process (using all accompanying templates and guidance) utilizing internal Agency ISSOs. In this category, the Federal agency did not use an accredited 3PAO. The agency is therefore required to submit an attestation describing the independence and technical qualifications of the (non-accredited) assessor that was used to assess the CSP package. Agencies must submit to the PMO the complete authorization package with the accompanying ATO letter.

Level of Review: Federal agency has granted an ATO

Assessment of Risk: Did not use an accredited 3PAO

Federal agencies must provide the PMO with any updates to the CSP authorization package annually. Without an accredited 3PAO, these authorizations are not eligible for JAB review and a Provisional Authorization.

Agency ATO with Accredited 3PAO

An Agency ATO with an accredited 3PAO meets the same requirements as an Agency ATO in section 7.1.2, except that an accredited 3PAO was used in the assessment of the CSP package.

Level of Review: Federal agency has granted an ATO

Assessment of Risk: Utilized an accredited 3PAO

Federal agencies must provide the PMO with any updates to the CSP authorization package annually.

JAB Provisional Authorization

JAB Provisional Authorizations are designations given to security authorization packages that have gone through the Federal Risk and Authorization Management Program assessment process and have been authorized by the JAB as detailed in Section 6. Any subsequent Agency ATO that leverages the Provisional Authorization is listed alongside the JAB Provisional Authorization, so that agencies can see the full extent of Federal Government review of the authorization package.

Level of Review: JAB has granted a Provisional Authorization

Assessment of Risk: Utilized an accredited 3PAO

The CSP must supply an annual self-attestation SDOC letter to the PMO. Additionally, at the time of the annual self-attestation, the JAB reviews all JAB Provisional Authorizations that have no leveraging Agency ATO to determine whether to maintain the JAB Provisional Authorization.