The Certifying Agent (CA) is typically the designated system security officer for the associated system, or may be an independent security contractor who conducted the assessment. The Authorizing Official (AO) must be a Federal official with the proper authority and oversight for the system. By signing the Authorization to Operate (ATO) letter, the AO not only accepts the results of the assessment and certifies compliance with FISMA, but also formally accepts any residual risks that have been identified and commits to providing the resources needed to address those that will be fixed. The following table provides the recommended certifying agents and authorizing officials based on where each system is housed and operated.
System Operating Environment | Description | Security Assessor† | Certifying Official/Agent | Authorizing Official
---|---|---|---|---
| Includes externally hosted systems at locations such as: | Qualified FISMA Security Contractor | Designated system security officer or Independent Assessor | Designated Federal Representative (e.g., Federal Project Officer, Division/Office/Center Director)
| In accordance with OMB's Memo dated Dec. 8, 2011, all new cloud services acquired after June 2012, and all existing services acquired prior to June 2012, must use FedRAMP certified vendors by June of 2014. Examples of FedRAMP approved CSPs can be found by visiting GSA's FedRAMP page. | Combination of FedRAMP assessor for the CSP, and system owner contracted assessor for unique controls not covered by the FedRAMP ATO | PM Designated System Security Officer or Representative | Designated Federal Representative (e.g., Federal Project Officer, Division/Office/Center Director)

† Moderate and High impact systems must be assessed by an independent third party security assessor. Low impact systems can be reviewed by internal staff or a contractor using the 800-37 RMF.