All federal information systems must be granted an Authority to Operate (ATO) before they are placed into production. An ATO is issued after an information system has been assessed and the agency's Authorizing Official (AO), a senior official who is often the CIO, has explicitly accepted the residual risk to operations (including mission, functions, image, and reputation), assets, individuals, and other organizations. The ATO is granted by the AO, and each agency defines the ATO criteria for its own information systems, although the National Institute of Standards and Technology (NIST) provides guidance through the Risk Management Framework (RMF) process. These procedures and guidance derive from the Federal Information Security Modernization Act (FISMA).
When conducting risk assessments and granting ATOs for information systems that use cloud service offerings, agencies can use the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP accelerates agency adoption of cloud computing by creating transparent standards and processes for security authorizations and by allowing agencies to reuse security authorizations on a governmentwide scale. A FedRAMP provisional ATO (P-ATO) gives AOs evidence that particular security controls have already been assessed, so they do not have to repeat the RMF steps for those controls. A FedRAMP authorization follows one of two paths: a P-ATO issued by the Joint Authorization Board (JAB), or an ATO issued by a sponsoring agency.
The U.S. Department of Defense (DOD) Defense Information Systems Agency (DISA) Cloud Computing Security Requirements Guide (CC SRG) defines Impact Levels 2, 4, 5, and 6 for DOD missions, as well as the additional steps DOD organizations must take to achieve their ATOs.
All of Oracle's IaaS and PaaS services available [1] in the Oracle Government Cloud hold a FedRAMP High Provisional Authorization, as listed in the FedRAMP Marketplace. As noted above, the authorization the JAB issues to a cloud service provider is provisional because only the agency itself has the authority to issue the final ATO for its information systems. The agency still assesses the implementation, testing, and documentation of the controls before the agency AO issues an ATO, but the P-ATO greatly simplifies and speeds up that process.
FedRAMP eliminates duplicative effort by providing a common security framework that federal agencies use to review their security requirements against a standardized baseline. A cloud service provider undergoes the assessment and authorization process once for each cloud service offering (CSO); after the CSO achieves a P-ATO, its security package can be reused by any federal agency as part of that agency's ATO process. The FedRAMP security package for Oracle's U.S. Government Cloud can be reused in this way, reducing an agency's administrative burden and shortening the ATO process by inheriting the JAB's FedRAMP High P-ATO for the IaaS and PaaS services.
[1] Upon agency request, certain services that have completed third-party assessment but are not yet FedRAMP authorized may be made available while those services await final authorization.
The ATO process varies by agency and may include requirements, processes, standards, and procedures that differ from the information provided here. However, at a high level, the Agency ATO process with Oracle Cloud service offerings has five steps.
Oracle has several partner organizations that are familiar with the ATO process and can assist agencies with the steps required to achieve their ATO. Visit the following websites for more information about these partners.