A systems administrator at a U.S. federal agency must move sensitive but unclassified workloads governed by FISMA to a commercial Infrastructure-as-a-Service (IaaS) provider. To verify that the service has already undergone the government's standardized security assessment and holds an Authorization to Operate (ATO) for processing federal data, which certification or authorization must the administrator require from the provider?
FedRAMP Moderate (or higher) Authorization to Operate
FedRAMP (the Federal Risk and Authorization Management Program) is the U.S. government-wide program that standardizes the security assessment, authorization, and continuous monitoring of cloud products and services used by federal agencies. A cloud service is assessed by an accredited third-party assessment organization (3PAO) against a FedRAMP baseline derived from NIST SP 800-53, at the Low, Moderate, or High impact level (sensitive but unclassified data categorized under FIPS 199 typically lands at Moderate). When the service receives a FedRAMP authorization at the appropriate level, the agency can reuse that assessment package rather than repeating the assessment itself; note that the agency's own Authorizing Official still issues the agency's ATO for its use of the service, with the FedRAMP package as the evidence. Two practical checks: confirm the service is listed as "Authorized" on the FedRAMP Marketplace (a "Ready" or "In Process" status is not an authorization), and confirm the authorization covers the specific service offering and impact level the workload needs, not just the provider's brand. PCI DSS (payment card data), ISO/IEC 27017 (cloud-specific guidance on ISO/IEC 27002 controls), and SOC 2 Type II (an auditor's report on a provider's controls over a period) each provide useful assurance, but none of them satisfies the FISMA requirement for federal information; only a FedRAMP authorization does.