
Page 1: Agency ATO Quick Guide

Agency ATO Quick Guide

May 1, 2015

www.fedramp.gov

Page 2: Assessment Process

• The agency ATO process should follow the FedRAMP Security Assessment Framework (SAF)

• The SAF is based on the NIST Risk Management Framework (RMF)

• The FedRAMP Security Assessment Framework is available at FedRAMP.gov on the Templates and Key Documents webpage

Page 3: Document Check List – FedRAMP Templates

• ATO Packages submitted to FedRAMP should have the following FedRAMP templates included. The PMO will check these documents for completeness

• FedRAMP Templates are available at FedRAMP.gov on the Templates and Key Documents webpage

• We suggest that you use the Test Cases that we released in Excel format for public comment: http://cloud.cio.gov/document/rev-4-test-case-workbook

FedRAMP Templates Available:

• FIPS 199
• Control Implementation Summary (CIS)
• System Security Plan (SSP)
• Security Policies and Procedures
• E-Authentication Template
• Privacy Threshold Analysis (PTA) / Privacy Impact Analysis (PIA)
• Rules of Behavior (ROB)
• IT Contingency Plan
• Security Assessment Plan (SAP)
• Test Case Workbook
• Security Assessment Report (SAR)
• Plan of Action and Milestones (POA&M)

Page 4: Document Check List – Documents without a FedRAMP Template

• The Agency ATO Packages submitted to FedRAMP should have the following documents included. The PMO will check these documents for completeness

• The documents listed on this slide do not have a FedRAMP template

No Templates Available:

• Security Policies and Procedures
• Business Impact Analysis
• Configuration Management Plan
• Incident Response Plan
• User Guide

Page 5: Sample ATO Letter Template

• Included with the authorization package should be an Authorization Letter and ATO Memo detailing your agency’s authorization.

• A sample Authorization Letter is attached below.

• You can find the Sample FedRAMP ATO Memo Template at FedRAMP.gov on the Templates and Key Documents webpage

Sample ATO Letter Template

Memorandum To: <system owner name>

Date: <date>

Subject: FedRAMP Agency ATO Recommendation for <package>

<3PAO name>, a FedRAMP accredited Third Party Assessment Organization (3PAO), conducted a security assessment of the <agency name>’s <package name> information system. This assessment was conducted at the FIPS-199 <moderate/high> impact level in accordance with Office of Management and Budget (OMB) Circular A-130, Appendix III, Security of Federal Automated Information Resources; NIST Special Publication 800-37 R1, Guide for Applying the Risk Management Framework to Federal Information Systems; and the FedRAMP Security Authorization Process. The security assessment package was submitted as an “Agency ATO Package” under FedRAMP guidelines on <submission date>. As such, the FedRAMP Program Management Office has reviewed the package for completeness and to ensure that it meets basic FedRAMP standards, but has not made any assessment of risk. The <agency name> granted <system name> an Authority to Operate (ATO) on <ato letter date>.

Summary of System Description

<insert system description data from SSP>
