
Authorizations and Audits: Cloud Services with FedRAMP JAB P-ATOs, What’s Next?


By Jeffrey Wasilewski

Imagine a Federal agency with aging, legacy information systems. The agency is looking for ways to modernize its information technology (IT) environment while maximizing its operational and information security resources. These are common circumstances in recent years, which are likely to continue into the foreseeable future.

Many agencies faced with these challenges of IT modernization and resource constraints have elected to purchase and use Cloud Service Offerings (CSO) from Cloud Service Providers (CSP) on the Federal Risk and Authorization Management Program (FedRAMP) Marketplace. Examples of CSOs found on the FedRAMP Marketplace include Amazon Web Services, Inc. (AWS) GovCloud, Microsoft (MS) Azure Government Cloud, IBM Cloud for Government (IC4G), and ServiceNow Government Community Cloud (GCC).

Federal agencies, including those that purchase CSOs, are subject to regular information security audits, such as the annual Federal Information Security Modernization Act of 2014 (FISMA) audits. It is important to know that if an agency chooses a CSO from the FedRAMP Marketplace with a Provisional Authority To Operate (P-ATO) from the Joint Authorization Board (JAB), the agency’s Authorizing Official needs to separately issue an authorization to operate (ATO) to pass its audit.

Questioning whether and why an agency must grant an ATO when electing to use a CSO with a FedRAMP JAB P-ATO is common. With more and more agencies migrating to cloud solutions as part of ongoing modernization efforts, let us explore some of the confusion driving these questions, as well as provide supporting information to clarify the ATO requirement.

Misconception with JAB P-ATO FedRAMP Authorizations

There is a misconception in the Federal space that agencies do not need to develop agency-specific security documentation and issue agency-specific ATOs when purchasing CSOs with JAB P-ATOs. A JAB P-ATO indicates the CSO is acceptable for use across the Federal Government. A primary driver of this misconception is terminology: many stakeholders refer to CSOs with P-ATOs in colloquial terms as being “FedRAMP authorized.” Why authorize the authorized, right?

Also, a “FedRAMP authorized” CSO has a FedRAMP Security Package that is readily available for purchasing agencies through an access request form. A FedRAMP Security Package comprises numerous security-related documents supporting the security controls implemented by the CSP that a third party has independently assessed. The availability and content of the documentation within the FedRAMP Security Package is a secondary driver of this misconception. Why not pass the FedRAMP Security Package, including the signed JAB P-ATO, on to your auditors, right? Wrong. Unfortunately, the FedRAMP Security Package may not be sufficient to pass a security audit. So why must agencies “authorize the authorized?” Let us examine the requirement for agencies to authorize their information systems and accept the risk of operating the systems through the issuance of ATOs.

Agency Requirement for Issuing ATOs and Why a JAB P-ATO is Insufficient

Office of Management and Budget (OMB) Circular A-130, Managing Information as a Strategic Resource, requires agencies to designate a senior agency official (or officials) as Authorizing Official(s) to individually authorize the operation of information systems and explicitly accept the risk of operating the information systems based on the implementation of security and privacy controls. OMB Circular A-130 references the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37, Revision (Rev.) 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, which provides agencies with a roadmap to authorizing information systems to operate, including guidance regarding the development of agency-specific security documentation. The differences between agency-developed security documentation and documents within a FedRAMP Security Package will be detailed further in the next section.

Why might a JAB P-ATO not satisfy the OMB authorization requirement? In short, although the JAB, through the issuance of a P-ATO, has determined that a CSP’s CSO is acceptable for use across the Federal Government, the JAB cannot accept risk on behalf of a Federal agency. In addition, the JAB does not have insight into the effectiveness of a purchasing agency’s implementation and operation of security controls that the CSP may have identified as either the sole responsibility of a purchasing agency or a shared responsibility. CSPs include information regarding control responsibility in the FedRAMP Security Package, which brings us to the key differences between the documents in that package and agency-developed security documentation: the focus of responsibility and risk.

What’s Next? Leveraging a JAB P-ATO and FedRAMP Security Package for Agency-Issued ATOs

Agencies considering the purchase and implementation of a CSO should request and review the associated FedRAMP Security Package. Agencies should coordinate with their vendors/providers, etc. to ensure efficiencies, as well as avoid implementation delays and unnecessary risks. Agencies should also pay close attention to the Cloud Implementation Summary Workbook and the Customer Responsibility Matrix to understand how to implement customer (purchasing agency) responsibilities.

The implementation of security controls that are the responsibility, whether in part or in full, of the purchasing agency provides one key basis for an agency’s need to develop its own security documentation. Specific actions taken by a purchasing agency to design and implement security controls cannot be provided by the CSP, will not be addressed in the FedRAMP Security Package, and are not considered as part of the JAB’s decision to grant a P-ATO. As a result, a purchasing agency should follow its agency-designed process for issuing ATOs based on the implementation of security and privacy controls and development of related security documentation in accordance with NIST SP 800-37, Rev. 2. As required by NIST SP 800-37, Rev. 2, and FedRAMP’s Continuous Monitoring Strategy Guide, agencies should continue to monitor the effectiveness of all CSP-implemented and agency-implemented controls after ATO issuance.

In Summary: CSO Authorizations and Audits

When subjected to an information security audit, an agency that purchases a CSO with a JAB P-ATO should provide its auditors with both the CSP’s security documentation from the FedRAMP Security Package and agency-specific security documentation. This consolidated documentation, which includes both a JAB P-ATO and an agency-issued ATO, addresses the identification and acceptance of both the CSP’s risk in developing and delivering the CSO and the agency’s risk in using the CSO. FedRAMP provides a cost-effective, risk-based opportunity for an agency to adopt the use of modern cloud technologies; however, a purchasing agency must understand that FedRAMP does not absolve the agency of all responsibility. Accordingly, to pass an audit, an agency must provide auditors with evidence from both FedRAMP and the agency’s authorizing official that supports the agency’s understanding of the shared responsibility for security controls, as well as the key roles of both a P-ATO and an agency-issued ATO in maintaining effective implementation and use of a CSO.

This publication is for informational purposes only and does not constitute professional advice or services, or an endorsement of any kind. Readers should first consult with a professional before acting with regard to the subjects mentioned herein.

Kearney & Company, P.C. (Kearney) is a Certified Public Accounting (CPA) firm focused on providing accounting and consulting services to the Government.