ISC2 Governance, Risk and Compliance (CGRC) Practice Question

The described objective-obtaining a government-wide authorization for a cloud service through a provisional Authorization to Operate (P-ATO) issued by the Joint Authorization Board (JAB) and following NIST Risk Management Framework continuous-monitoring requirements-is specific to the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP was established to give cloud service providers a standardized assessment and authorization process accepted across U.S. federal agencies. ISO/IEC 27001 certifies an organization's information security management system but does not grant a federal Authority to Operate. PCI-DSS applies to entities handling payment card data and has no JAB or ATO mechanism. CMMC focuses on protecting Controlled Unclassified Information for Department of Defense contractors and issues maturity-level certifications, not a government-wide ATO. Therefore, only FedRAMP aligns with the scenario's requirements.