FedRAMP issues playbook for CSPs

To help cloud service providers get approval from the Federal Risk and Authorization Management Program for their services, the FedRAMP program office is offering an inside look at the authorization process. Released April 3, the first volume of the CSP Authorization Playbook: Getting Started with FedRAMP explains the authorization process and offers tips on authorization strategy.

CSPs can get authority to operate from either an agency or from the Joint Authorization Board (JAB). Providers must demonstrate that their service is operational or under development and that there is agency demand for their solution.

A successful authorization strategy includes:

  • Choosing between a broad authorization via the JAB or targeting a narrower use case with a single-agency ATO.
  • Establishing relationships with agencies through existing contracts or potential opportunities.
  • Deciding on an offering's impact level based on the security requirements of the data.
  • Determining what part of the federal government the offering will target: federal government-only cloud, government-only cloud, Department of Defense cloud, public cloud or private cloud.

CSPs must determine whether their offerings are software-as-a-service, platform-as-a-service or infrastructure-as-a-service solutions, and define a “system stack” that determines the underlying infrastructure and platform requirements within authorization boundaries.

The playbook also breaks down the phases of the different processes for JAB and agency authorizations. Both processes end with the monitoring efforts that continue after the authorizations are approved to ensure security procedures are still being observed.

According to the playbook, the level of effort and cost associated with authorization depend on the CSP's commitment to providing efficient project management, complete documentation, and support and advisory services for technical expertise and assessments. Successful CSP authorizations have teams staffed with individuals experienced in project management, customer relationship management, system architecture and engineering, technical writing and communications, the playbook advises.

This CSP Authorization Playbook is the first volume of a three-volume set. The second volume will cover the authorization process and the third will detail post-authorization activities, such as continuous monitoring and agencies leveraging a CSP authorization. The CSP playbook is designed to complement the Agency Authorization Playbook that was released in December.

The first volume of the CSP playbook can be found here.


About the Author

Sara Friedman is a reporter/producer for GCN, covering cloud, cybersecurity and a wide range of other public-sector IT topics.

Before joining GCN, Friedman was a reporter for Gambling Compliance, where she covered state issues related to casinos, lotteries and fantasy sports. She has also written for Communications Daily and Washington Internet Daily on state telecom and cloud computing. Friedman is a graduate of Ithaca College, where she studied journalism, politics and international communications.
