Agencies – use the FedRAMP process when conducting risk assessments, security authorizations, and granting an ATO to a cloud service.
Agency roles in FedRAMP
Initiate – The agency checks whether the CSP already holds an ATO from the JAB or from another agency. If yes, it requests the CSP's SA&A package for review; if no, it notifies the FedRAMP PMO whether the CSP will pursue an agency ATO or a JAB ATO.
Apply
Authorize – The agency reviews the SA&A package (SSP, SAR and POA&M) and then either issues an ATO, issues an interim ATO, denies the ATO, or leverages an existing JAB ATO (the result being an agency ATO or a leveraged JAB ATO).
Monitor – The agency periodically reviews the CSP's continuous-monitoring artifacts held in the FedRAMP secure repository.
Report – The agency reports any CSP that it believes cannot meet FedRAMP requirements.