The Federal Risk and Authorization Management Program (FedRAMP) is the U.S. government-wide program providing a standardized approach to security assessment, authorization and continuous monitoring for cloud-based services. It uses a “do once, use many times” framework to reduce the costs, time and staff required to conduct agency security assessments.

CGI is only the second Cloud Service Provider – and the first large one – to receive a FedRAMP provisional Authority to Operate (ATO) from the FedRAMP Joint Authorization Board (JAB). This means an accredited Third Party Assessment Organization (3PAO) reviewed and tested our cloud security control implementations. The FedRAMP JAB reviewed the test results and determined the implementation resents an acceptable level of risk.

Agencies can now use the FedRAMP provisional ATO and grant their own ATO without conducting duplicative assessments. The FedRAMP Concept of Operations states that, “Agencies can review the Cloud Service Provider’s (CSP) application of security control implementations, including evidence of the implementation of these controls. Additionally, agencies can review any existing vulnerabilities and risk mitigations plans for the cloud service represented by the package.” 

The FedRAMP Program Management Office maintains a secure repository for provisional ATOs and documentation. Agencies may request access to the repository by contacting info@fedramp.gov.

CGI was the first CSP to deliver secure cloud services under GSA’s Blanket Purchase Agreement (BPA) for Infrastructure as a Service (IaaS). We will transfer our existing ATO for the BPA to FedRAMP. As noted in a previous blog post on FedRAMP by Patrick Cronin, “CGI plans to continue our focus on security as an early adopter of FedRAMP. This focus enables us to help agencies move to the cloud with the least amount of risk. We believe this is and will continue to be one of our strongest differentiators as a government cloud provider.”