Achieving Cloud Application ATOs with Oracle

What is an Authority to Operate?

All federal information systems must be granted an Authority to Operate (ATO) before being placed into production status. An ATO is issued when an information system has been assessed and the Agency Authorizing Official (AO)—a senior official that is often the CIO—has explicitly accepted the risk to operations (including mission, functions, image, and reputation), assets, individuals, and other organizations. The ATO is granted by the AO, and each agency determines the ATO criteria for their information systems, although the National Institute of Standards and Technology has provided guidance with the Risk Management Framework (RMF) process. These procedures and guidance are derived from the Federal Information Security Modernization Act.

When conducting risk assessments and granting ATOs for information systems that use cloud service offerings, agencies can use the Federal Risk Authorization and Management Program (FedRAMP). FedRAMP enables agencies to accelerate the adoption of cloud computing by creating transparent standards and processes for security authorizations and allowing agencies to leverage security authorizations on a governmentwide scale. The FedRAMP provisional ATO (P-ATO) provides AOs with evidence that particular security controls have been met so they don’t have to repeat the RMF steps for those specific controls. FedRAMP P-ATOs can be granted by either the Joint Authorization Board (JAB) or through an agency.

The U.S. Defense Department (DOD) Defense Information Systems Agency Cloud Computing Security Requirements Guide defines the information Impact Levels 2, 4, 5, and 6 for DOD missions as well as the additional steps DOD organizations must take to achieve their ATOs.

Oracle Cloud FedRAMP High P-ATO

All of Oracle’s IaaS and PaaS services available1 in the Oracle Government Cloud have FedRAMP High Provisional Authorization, as shown in the FedRAMP marketplace. As mentioned, the ATO the JAB issues to cloud service organizations is provisional because only the agency itself has the authority to issue a final ATO for their information systems. The implementation, testing, and documentation of controls will be assessed by the agency before the Agency AO issues an ATO, but the P-ATO greatly simplifies and speeds up the process.

FedRAMP eliminates duplicative efforts by providing a common security framework for federal agencies to review their security requirements against a standardized baseline. A cloud service provider undergoes the assessment and authorization process for each cloud service offering (CSO), and after achieving P-ATO for their CSO, the security package can be reused by any federal agency as part of their ATO process. The FedRAMP security package for Oracle’s U.S. Government Cloud can be reused to reduce an agency’s administrative burden and shorten the ATO process by “inheriting” IaaS and PaaS P-ATO High JAB authorizations.

1 Upon agency request, certain services that have completed third-party assessment but are not yet FedRAMP authorized may be made available while the services await final authorization.

Achieving Agency ATO

The ATO process varies by agency and may include requirements, processes, standards, and procedures that differ from the information provided here. However, at a high level, the Agency ATO process with Oracle Cloud service offerings has five steps.

  1. The agency information security personnel can request Oracle’s audited security documentation package, issued by the JAB, using the Package Access Request Form (PDF) on the FedRAMP marketplace and Package ID FR1900048743.
  2. Upon receipt of the request, Oracle will set up a virtual reading room with secure access to the security documentation package, which includes the System Security Plan, Security Assessment Plan, Security Assessment Report, and Plan of Action and Milestones. This documentation is extremely sensitive and subject to a confidentiality agreement. The agency is not permitted to retain, copy, or distribute the contents of the security package outside of the virtual reading room.
  3. Agency information system personnel may reach out to the Oracle compliance team or the FedRAMP Program Management Office with any questions.
  4. The AO reviews and documents any additional security controls for their specific application—beyond the FedRAMP controls assessed as part of Oracle’s JAB P-ATO.
  5. The AO conducts a final review of the combined authorization package. If these meet their security requirements, the Agency AO issues an ATO. Templates are available on

ATO assistance from Oracle Partners

Oracle has several partner organizations that are familiar with the ATO process and can assist agencies with the steps required to achieve their ATO. Visit the following websites for more information about these partners.