Top 10 Things CSPs Need to Know about FedRAMP Authorization on Amazon Web Services

Jennifer Tonisson, Partner Marketing Manager, Technology & Cloud, Coalfire

Coalfire conducted a webinar, FedRAMP on AWS: What You Need to Know, covering what cloud service providers need to know when pursuing FedRAMP authorization on AWS US East/West or AWS GovCloud. Below are the top 10 things cloud service providers should know.

  1. What is FedRAMP Provisional Authority to Operate (P-ATO)?


    The Federal Risk and Authorization Management Program (FedRAMP) establishes cybersecurity requirements at the low (including FedRAMP Tailored), moderate and high impact levels for cloud service providers (CSPs) selling into the federal market. After a CSP completes a full security assessment, the Joint Authorization Board (JAB) can grant a Provisional Authority to Operate (P-ATO), or an individual federal agency can grant an Agency ATO. Either authorization is granted under a risk-based framework that evaluates how the CSP has implemented the required security controls within its IT environment.

  2. Why should I consider getting FedRAMP ATO?


    The government’s Cloud First policy requires federal agencies to use FedRAMP authorized solutions whenever possible, in order to reduce costs and streamline IT procurement. As a result, federal agencies favor FedRAMP authorized CSPs over those without the designation, and many government contracts for cloud services require bidders to already hold a FedRAMP P-ATO or Agency ATO. FedRAMP authorization gives you an advantage over your competitors and helps you win business in the public sector market.

  3. What is a Third-Party Assessment Organization (3PAO) and why do I need one?


    FedRAMP authorization is not achieved through a self-assessment; the final step in earning your FedRAMP ATO is verification by an independent assessor. The government requires that a FedRAMP-accredited Third-Party Assessment Organization (3PAO) test your security controls and verify that they are implemented and operating effectively. This step comes last, after your documentation and controls are in place. If the 3PAO finds that controls are not effective, you will not earn your ATO; you will need to remediate the deficiencies and have the affected controls retested before you meet the requirements.

  4. How do I prepare before my independent assessment?


    Engage a trusted cybersecurity firm with extensive knowledge of NIST-based assessments and cloud environments as your FedRAMP Advisor. A qualified FedRAMP Advisory team will conduct a gap analysis of your documentation and control implementations against the FedRAMP requirements, whether you are preparing for a FedRAMP Readiness Assessment or pursuing FedRAMP with a sponsoring agency.


    If you’re pursuing the FedRAMP JAB P-ATO route, the required first step is a Readiness Assessment, which reviews your technical capability to meet the FedRAMP security controls. In the resulting Readiness Assessment Report (RAR), the 3PAO, in conjunction with the FedRAMP PMO, will make recommendations for improvement and identify the changes you need to make for your products and/or services to meet the FedRAMP Ready requirements. A successful Readiness Assessment results in the CSP being designated “FedRAMP Ready,” a marketable designation that signals to the marketplace that the CSP is pursuing a FedRAMP P-ATO, and one that the FedRAMP JAB uses to prioritize CSPs moving through the authorization process.

  5. How do I choose a FedRAMP Advisor and FedRAMP Assessor?


    Do your research. It’s important to find a cybersecurity firm with a strong track record of FedRAMP experience. The FedRAMP Marketplace maintains a listing of accredited 3PAOs for review. For example, Coalfire has conducted more than 500 FedRAMP Advisory and Assessment projects, and performed the very first FedRAMP JAB approval and the first FedRAMP Agency approvals. Whatever firm you choose, vet its FedRAMP experience. Note that you cannot use the same firm as both your advisor and your assessor: to produce a fair validation, your assessor must be entirely independent and impartial.

  6. How does Amazon Web Service (AWS) make the process of FedRAMP ATO easier?


    AWS has already received FedRAMP Agency ATOs for its GovCloud and US East/West infrastructures at the moderate impact level, covering a number of its products and services, and GovCloud has received a JAB P-ATO at the high impact level (which by association covers moderate as well). This doesn’t mean you have no work to do to earn your own FedRAMP ATO. It does mean that if you build on these AWS products and services, you can leverage the work AWS has already done; this is called control inheritance, and it applies only to the controls AWS actually implements on your behalf, not to the controls for your own application, configuration and operations. AWS also offers add-on products and services that can help you manage the security controls assessed for FedRAMP authorization. Your responsibility for the security controls doesn’t end when you earn your FedRAMP ATO: you must maintain those controls under continuous monitoring and have a 3PAO perform an assessment annually to retain your authorization.

  7. What is the difference between the GovCloud and US East/West route to achieve FedRAMP authorization?


    CSPs using Amazon Web Services have two AWS infrastructure options for FedRAMP authorization. AWS GovCloud is designed for government agencies and for CSPs doing business with government agencies at the federal, state and local levels, and it is available via both the JAB and Agency authorization paths. US East/West can be used by all CSPs, including those serving government agencies, but is available only via the Agency authorization path. There are many factors to consider based on your ecosystem, and a FedRAMP advisor can help you decide which path is right for you.

  8. Should I pursue Joint Authorization Board (JAB) or Agency authorization?


    This is an important decision for every CSP interested in FedRAMP authorization. The answer is different for everyone and depends on the infrastructure already in place to deliver your service: if you build on an infrastructure-as-a-service provider with an existing authorization, that provider’s authorization (JAB or Agency, and in which region) will largely determine the path available to you. Before deciding, seek the counsel of a FedRAMP advisor.


    That said, the majority of providers find that an Agency authorization is the most appropriate route, since there is usually an existing line of business with a particular agency. If your cloud was designed specifically for use by one or two government agencies, Agency authorization will likely be the better fit. If your cloud system is multi-tenant and offers a wide variety of capabilities to many agencies, you may want to pursue JAB authorization.

  9. How can I learn more about FedRAMP and cybersecurity?

  10. Who are the key FedRAMP organizations involved in the ATO process?

    General Services Administration (GSA) – Provides assistance to the public, federal employees and vendors

    FedRAMP Program Management Office (PMO) – Housed within the GSA, this organization is responsible for operational management.  

    National Institute of Standards and Technology (NIST) – Develops the security standards and guidelines required under the Federal Information Security Management Act (FISMA), including NIST SP 800-53, from which the FedRAMP control baselines are derived

    Department of Homeland Security (DHS) – Monitors and reports on security incidents and provides data for continuous monitoring

    Joint Authorization Board (JAB) – Performs rigorous technical reviews of CSP authorization packages for FedRAMP compliance and grants the provisional ATO (P-ATO); members are the CIOs from the Department of Homeland Security (DHS), the General Services Administration (GSA), and Department of Defense (DOD)

    Agencies – Use the FedRAMP process when conducting risk assessments, security authorizations, and granting an ATO to a cloud service

FedRAMP authorization is a complex process.  Coalfire would be happy to help you navigate the Advisory and Assessment process and determine which path to FedRAMP is most appropriate for you.  You can contact us at Coalfire.  
