Are you getting lost in the morass of alphabet soup surrounding assessment and authorization? Wondering if an Authority to Operate is FISMA or FedRAMP jurisdiction?
The answer is both, but it helps to make one distinction first.
The Federal Information Security Management Act (FISMA) is a law. FedRAMP is a government-wide program.
Adherence to FISMA standards is required for federal agencies, departments, and contractors that process or store federal data, whether they are a cloud service provider (CSP) or not. FedRAMP, on the other hand, is reserved for CSPs that host federal information in the cloud.
Both share the same security controls, as outlined in NIST Special Publication 800-53.
And, most importantly, both have the same end game: system authorization.
An Authority to Operate (ATO) under FISMA is awarded by an authorizing agency to a provider or organization on a one-to-one basis. This means that an organization must maintain (and pay for) multiple ATOs at any given time.
Additionally, under FISMA, the Chief Information Officer is solely responsible for accepting cyber risks for their agency. Often, what is considered “acceptable” for one agency does not meet another’s standards.
FedRAMP’s provisional authorization process was designed as a one-stop shop for multiple agencies. In this scenario, any CSP that is successfully assessed can then be used by any government agency – or, as the program calls it, a “do once, use many times” framework.
There are two possible ways to achieve compliance through FedRAMP.
A Joint Authorization Board (JAB) Provisional Authority to Operate (P-ATO) is a thorough review, geared toward multi-tenant clouds that are broad in scope and usable by many government agencies. To achieve a JAB P-ATO, a third-party assessment organization (3PAO) performs an independent security assessment, and if the provider passes, it is awarded a Provisional Authority to Operate.
Providers can also work directly with agencies to acquire a FedRAMP Agency Authority to Operate (ATO). These authorizations are ideal for niche cloud services that may only be of use to a handful of clientele.
GovDataHosting is not only FISMA-compliant, but it is one of a select few systems that have been awarded a Provisional Authority to Operate from the FedRAMP Joint Authorization Board to provide cloud services for all federal agencies. Not only that, but we're also the only certified cloud platform offering a 100% infrastructure availability Service Level Agreement (SLA) that ensures absolute simplicity and guaranteed results for our clients.