Cloud Authorization

Government Cloud Authorization


Federal civilian agencies wanting to implement cloud computing solutions must choose an offering that is FedRAMP certified. The FedRAMP certification is based on the security controls outlined in NIST special publication 800-53. The National Institute of Standards and Technology (NIST) designed these security controls to safeguard national data and provide a framework for agencies to maintain a robust cybersecurity posture.


FedRAMP Requirements



Cloud solution offerings (CSOs) that handle federal data must comply with FedRAMP requirements. To achieve FedRAMP authorization, cloud solution providers (CSPs) must take one of two available paths: Joint authorization board (JAB) provisional authorization (P-ATO) or agency authorization (ATO). During the authorization process, cloud solutions are assigned an “Impact Level” based on the sensitivity of the data the solution will interact with once implemented.


Carahsoft offers FedRAMP solutions at all four different impact levels: High (410 controls), Moderate (323 Controls) and Low (156 Controls).




DISA DoD Cloud Computing Requirements and FedRAMP+


Similar to the FedRAMP program, the Department of Defense (DoD) has established cloud security guidelines for military organizations to follow when adopting commercial CSOs. The Defense Information Systems Agency (DISA) established these guidelines through the DoD Cloud Computing Security Requirements Guide (DoD CC SRG.


Any cloud solution provider (CSP) looking to do business with the DoD must first obtain a DoD Provisional Authorization (PA). To support vendors who have FedRAMP authorized CSOs and want to achieve DoD authorization, DISA accepts any FedRAMP moderate solution as DoD Impact Level (IL) 2, with no additional security requirements. In addition to this program reciprocity, DISA also established FedRAMP+, where CSPs that have already achieved FedRAMP authorization can leverage the work done through the FedRAMP authorization process to expedite the DoD authorization process. The “+” represents the additional security controls that DISA requires on top of those met through the FedRAMP authorization process.


DoD Impact Levels (IL)


The DoD CC SRG sets requirements and guidelines for both DoD and cloud service providers to adhere to when defense agencies leverage cloud computing solutions. There are four Impact Levels that are categorized based on the sensitivity of the information stored and/or processed in the cloud and the potential impact of loss in confidentiality, integrity or availability of information. Learn more about the levels of impact.

DoD Impact Level Image

StateRAMP Image

StateRAMP Authorization Process


StateRAMP is a simplified and standardized security approach for authorizing cloud service offering’s that store, process and transmit state and local government data. StateRAMP authorization is required only for participating governments. CSPs considering obtaining a StateRAMP authorization status must become a StateRAMP member, meet all security control requirements and be verified by an approved third party assessment organization (3PAO) and the StateRAMP Project Management Office (PMO). Learn more about the state and local cloud security program.

What is a 3PAO?


For a CSO to attain cybersecurity certifications for the U.S. Government, it must first be evaluated by a Third Party Assessment Organization (3PAO) to ensure that the cloud system meets the established security requirements. 3PAOs provide unbiased security assessments to determine preparedness for authorization. Carahsoft partners with authorized 3PAOs to support CSPs looking to start the FedRAMP and StateRAMP authorization process.


3PAO Image


How to choose a 3PAO to meet your needs and budget?


To help reduce the overall cost and complexity of achieving certifications, it is important to carefully evaluate a 3PAO based on your certification goals. Carahsoft offers the following criteria to determine which 3PAO meets your specific needs.


  1. Verify that the Third Party Assessment Organization (3PAO) is an American Association for Laboratory Accreditation (A2LA) accredited and FedRAMP approved.
  2. Proven experience with the same ATO approach you plan to pursue.
  3. Ability to support other security requirements (e.g. ISO-27001, PCI-DSS, SOC2, etc.) to allow you to pursue multiple certifications and attestations.