Leveraging an Authorization
The PMO will maintain a repository of FedRAMP Provisional Authorizations granted by the JAB as well as other security assessment packages that meet FedRAMP requirements for agencies to review. Agencies can use the Provisional Authorizations and security assessment packages as a baseline for granting their own ATO. If necessary, agencies can add additional controls to the baseline to meet their particular security profile.
The FedRAMP repository will contain security authorizations in four categories as detailed below:
Category | Assessed by | Authorizing Authority / Level of Review |
---|---|---|
CSP Supplied | Accredited 3PAO | N/A |
Agency ATO |
** |
Agency |
Agency ATO with FedRAMP 3PAO | Accredited 3PAO | Agency |
FedRAMP Provisional Authorization | Accredited 3PAO | JAB (+Agency) |
**Assessment and Authorization packages without a FedRAMP 3PAO do not meet the independence requirements created by the JAB and are not eligible for JAB review.