Agency ATO Quick Guide
May 1, 2015
www.fedramp.gov
Assessment Process
• The agency ATO process should follow the FedRAMP Security Assessment Framework (SAF)
• The SAF is based on the NIST Risk Management Framework
• The FedRAMP Security Assessment Framework is available at FedRAMP.gov on the Templates and Key Documents webpage
Document Check List – FedRAMP Templates
• ATO Packages submitted to FedRAMP should include the following FedRAMP templates. The PMO will check these documents for completeness
• FedRAMP Templates are available at FedRAMP.gov on the Templates and Key Documents webpage
• We suggest that you use the Test Cases that we released in Excel format for public comment: http://cloud.cio.gov/document/rev-4-test-case-workbook
FedRAMP Templates Available:
• FIPS 199
• Control Implementation Summary (CIS)
• System Security Plan (SSP)
• Security Policies and Procedures
• E-Authentication Template
• Privacy Threshold Analysis (PTA) / Privacy Impact Analysis (PIA)
• Rules of Behavior (ROB)
• IT Contingency Plan
• Security Assessment Plan (SAP)
• Test Case Workbook
• Security Assessment Report (SAR)
• Plan of Action and Milestones (POA&M)
Document Check List – Documents without a FedRAMP Template
• Agency ATO Packages submitted to FedRAMP should also include the following documents. The PMO will check these documents for completeness
• The documents listed on this slide do not have a FedRAMP template
No Templates Available:
• Security Policies and Procedures
• Business Impact Analysis
• Configuration Management Plan
• Incident Response Plan
• User Guide
Sample ATO Letter Template
• Included with the authorization package should be an Authorization Letter and ATO Memo detailing your agency’s authorization.
• A sample Authorization Letter is attached below:
• You can find the Sample FedRAMP ATO Memo Template at FedRAMP.gov on the Templates and Key Documents webpage
Memorandum To: <system owner name>
Date: <date>
Subject: FedRAMP Agency ATO Recommendation for <package>
<3PAO name>, a FedRAMP-accredited Third Party Assessment Organization (3PAO), conducted a security assessment of the <agency name>’s <package name> information system. This assessment was conducted at the FIPS-199 <moderate/high> impact level in accordance with Office of Management and Budget (OMB) Circular A-130, Appendix III, Security of Federal Automated Information Resources; NIST Special Publication 800-37 R1, Guide for Applying the Risk Management Framework to Federal Information Systems; and the FedRAMP Security Authorization Process. The security assessment package was submitted as an “Agency ATO Package” under FedRAMP guidelines on <submission date>. As such, the FedRAMP Program Management Office has reviewed the package for completeness and to ensure that it meets basic FedRAMP standards, but has not made any assessment of risk. The <agency name> granted <system name> an Authority to Operate (ATO) on <ato letter date>.
Summary of System Description
<insert system description data from SSP>