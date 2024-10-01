In 2022, the FedRAMP Authorization Act was signed into law as part of the FY23 National Defense Authorization Act (“NDAA”). Cloud Service Providers (“CSPs”) can be a part of the FedRAMP Marketplace by working with an Agency to obtain an Authority to Operate (“ATO”) or working with the Joint Authorization Board (“JAB”) to obtain a Provisional-Authority to Operate (“P-ATO”). A full security assessment is conducted by a Third Party Assessment Organization (“3PAO”) which includes control testing, validation, and a complete review of a CSP’s FedRAMP Authorization Package. After a CSP is authorized and is part of the FedRAMP Marketplace, CSPs participate in a continuous monitoring phase (58 controls) based on NIST SP 800-137. In order to maintain an ATO, CSPs must go through an assessment with a 3PAO for a subset of controls every year.



For more information, visit the FedRAMP resources page.