About FedRAMP

Federal Risk and Authorization Management Program (FedRAMP) security assessment serves to increase confidence in the security of cloud solutions utilized by the federal government.
FedRAMP is a government-wide program providing a standardized approach to security assessment, authorization, and continuous monitoring for cloud products/services. To meet the security requirements embedded with FISMA and the NIST publications so that an agency may outsource with the confidence that its cloud provider partner is meeting those requirements.

FedRAMP Authorization Paths

JAB Provisional Authorization to Operate (P-ATO)

  • DHS, DoD, and GSA CIOs rigorously review CSP packages for an acceptable risk posture using a standard baseline approach

  • Provides provisional authorizations to operate for use across the federal government

Agency Authorization to Operate (ATO)

  • A CSP may submit the appropriate documentation to the FedRAMP PMO and to an Agency

  • Agencies have varying levels of risk acceptance however, they may grant an ATO

  • Packages are reviewed by at least one agency and determined to be FedRAMP Compliant by the reviewing agency resulting in an Agency ATO

CSP Supplied

  • CSPs may supply a security package to the FedRAMP PMO for prospective agency use

  • CSPs complete the FedRAMP SAF independently, instead of through the JAB or through a Federal agency

  • CSPs will not have an authorization at the completion, but will have a FedRAMP Compliant package available for leveraging

FedRAMP Authorization Process



  • Submit an initiation request
  • Coordinate with appointed Information Systems Security Officer (ISSO)
  • Provide initial documentation

  • Review initial documentation (such as the control tailoring workbook)
  • Document System Security Plan (SSP)
  • Document policies and procedures
  • Submit for ISSO review and Joint Authorization Board (JAB) approval

  • Review SSP
  • Perform readiness testing and evaluation
  • Develop Security Assessment Plan (SAP) draft/approach
  • Post assessment, document Plan of Action and Milestones (POA&M)
  • Submit SAP and assessment timeline for ISSO approval
  • Performing testing against the SAP
  • Document detailed control findings
  • Issue Security Assessment Report (SAR)
  • Submit security assessment package
  • Receive JAB review and feedback
  • If approved, Provisional Authorization is granted
  • Submit extensive continuous monitoring documents and 3PAO findings
  • Annual assessment on subset of security controls

How Elevate Can Help

Regardless of the path chosen and/or stage of the authorization process, Elevate can help your organization meet its FedRAMP goals by performing all the readiness services prior to the visit from the 3PAO and to prepare to final package preparation to the agency. Specifically the following:

Awareness Preparedness Audit Support
  • Executive Orientation
  • Scoping and Gap Analysis
  • Assistance during 3PAO audit process and preparation for additional requirements
  • On-Site Training
  • Documentation and preparation (Systems Security Plan, FIPS 199 categorization, POAM, etc.)

By assisting in the completion of documentation and identification of necessary controls, Elevate can reduce the time it takes to achieve your authorization to operate (ATO).

Elevate offers a FedRAMP pre-assessment to assist organizations in benchmarking the CSP’s current environment against FedRAMP controls, determining if the CSP is prepared for the security assessment, and addressing known issues prior to beginning the assessment.