
An official website of the United States government

FedRAMP Authorized has a Provisional Authority to Operate (P-ATO) at the Moderate impact level from the FedRAMP Joint Authorization Board (JAB). This means has undergone a significant, thorough security and compliance review so that your agency can focus on reviewing the parts of the system that serve your mission more directly.

What is a P-ATO?

The Federal Risk and Authorization Management Program (FedRAMP) evaluates cloud services and issues a Provisional Authority to Operate (P-ATO) to those that pass review. These come in two flavors: Agency and JAB. Both authorizations look at a standardized set of FISMA and NIST requirements, and both can be used by other agencies in their ATO process. The difference is that the Joint Authorization Board (JAB) is convened to review a cloud service that is and should be used throughout the government. The members of the JAB are the CIOs of the General Services Administration, Department of Defense, and Department of Homeland Security. They issue a P-ATO for cloud services that pass their review and are to be used to run systems holding any kind of government data at specific levels. has an authorization at the moderate level, which means it is a vetted and trustable service for data where the impact of loss is limited or serious — but not catastrophic.

Once that P-ATO is granted, FedRAMP requires to undergo re-assessment every year and maintain continuous monitoring. This gives your agency ongoing assurance that is compliant.

For DoD teams: the Defense Information Systems Agency (DISA) has issued a DoD Provisional Authorization for at DISA impact level two. Some points to bear in mind:

  • The FedRAMP package (see below) includes the DISA Provisional Authorization (PA) letter for your reference.
  • Per the PA and the DoD Cloud Computing SRG, the artifacts available to an Authorizing Official (AO) are those included in the FedRAMP-approved package. See Figure 5-2, “DoD Continuous Monitoring for CSOs with a FedRAMP JAB PA” in the Cloud Computing SRG for a useful illustration to that effect.
  • To meet the intent of OMB and DoD policies that cloud authorization follow a “do once, use many times” framework, will not provide artifacts that are already encompassed by the FedRAMP authorization and continuous monitoring program.

How you can use this P-ATO

Your agency still needs to grant your system an Authority to Operate, but FedRAMP has done the labor-intensive work of reviewing’s security posture and endorsed it, which reduces the compliance work you need to do. Your agency’s authorizing official can request the P-ATO documentation package from FedRAMP and accept that endorsement for your own system. See ATO process for the typical workflow.

Here’s how it works: every moderate-impact federal system is required to account for a baseline of at least 261 controls (your agency may have additional controls) before it can be granted an ATO. The platform provides you with 155 fully or partially inheritable controls. Once’s P-ATO is reviewed and accepted, many of those requirements are already implemented and documented. Responsibility for most of the remaining requirements is shared between and your application, and only a limited number are fully yours.

Here’s an example of a control breakdown for a simple moderate-impact system hosted on

"Graphic showing the breakdown of how many controls are fully covered by"

Control Implementation Summary (CIS) + Customer Responsibility Matrix (CRM):

We publish two CIS/CRM documents, one for the PaaS/Platform service and one for the Pages service:

  • PaaS CIS Worksheet summarizes each Low and Moderate security control and whether it is handled by (inheritable), a shared responsibility, or a customer responsibility. It includes guidance on which controls a customer on the Platform can fully or partially inherit from
    • Last Update: 2023-03-17 - Updated front matter
  • Pages CIS Worksheet summarizes each Low and Moderate security control and whether it is handled by (inheritable), a shared responsibility, or a customer responsibility. It includes guidance on which controls a customer on Pages can fully or partially inherit from
    • Updated: 2022-11-15 - First published CIS/CRM for Pages
    • Updated: 2024-04-09
      • Updated the date of change to the CIS/CRM.
      • The CIS/CRM has been updated and revised using the latest FedRAMP rev5 template including Low and Moderate controls. The CRM focuses on the consideration of Pages static website customers.

Start the ATO process

If you want to authorize, request the P-ATO documentation package from FedRAMP (the Package ID for that form is F1607067912). GSA customers can use the DocuSign Template for a “FedRAMP Package Access Request”. You can also view the FedRAMP Marketplace page for

An official website of the U.S. General Services Administration
