You are here

Identifying Certifying and Authorizing Officials for Your Externally Hosted System

The Certifying Agent (CA) is typically the designated system security officer for the associated system or may be an independent security contractor who conducted the assessment. The Authorizing Official (AO) must be a Federal official with the proper authority and oversight for the system. By signing the Authorization to Operate (ATO) letter, the AO not only accepts the results of the assessment and certifies compliance with the FISMA, but he or she also formally accepts any residual risks that have been identified and commits to provide the necessary resources to address those that will be fixed. The following table provides the recommended certifying agent and authorizing officials based on where each system is housed and operated.

System Operating Environment

Description

Security Assessor†

Certifying Official/Agent

Authorizing Official

Third Party/ Contractor Hosted

Includes externally hosted systems at locations such as:

  • Contractor sites
  • Universities
  • Hospitals
  • IT Hosting Vendor (e.g., NTT/Verio, Sprint, Westat, IMS, etc.)

Qualified FISMA Security Contractor

Designated system security officer or Independent Assessor

Designated Federal Representative (e.g., Federal Project Officer, Division/Office/Center Director)

Cloud Service Provider (CSP)

In accordance with OMB’s Memo dated Dec. 8, 2011, all new cloud services acquired after June 2012, and all existing services acquired prior to June 2012 must use FedRAMP certified vendors by June of 2014.

Examples of FedRAMP approved CSPs can be found by visiting GSA’s FedRAMP page.

Combination of FedRAMP assessor for CSP, and system owner contracted assessor for unique controls not covered by the FedRAMP ATO.

PM Designated System Security Officer or Representative

Designated Federal Representative (e.g., Federal Project Officer, Division/Office/Center Director)

† Moderate and High impact systems must be assessed by an independent third party security assessor. Low impact systems can be reviewed by internal staff or contractor using the 800-37 RMF.