Security FAQs



For additional security information and policy, please visit the Information Assurance Division page.



What is FedRAMP?
Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. Additional information on FedRAMP programs and requirements. FedRAMP certification does not encompass Privacy requirements, which each agency is required to meet for cloud hosting applications.

What are the Privacy requirements for Cloud Hosting?
Each agency is responsible for meeting privacy requirements for cloud hosted applications under the Federal Information Security Management Act of 2002, E-Government Act of 2002, and OMB M-03-22 policy. These include:


  • System of Records Notices (SORN)

  • Privacy Impact Assessments (PIA)

  • Privacy awareness and role-based training


What is an ATO?
ATO is an acronym for Authority to Operate, which is required to be approved and maintained for any portion of a cloud solution outside of the FedRAMP boundary. The ATO will generally include:


  • The FISMA Classification

  • Customer responsible controls and guidelines for implementation

  • Trusted Internet Connection (TIC)

  • Multi-factor authentication

  • Internet Protocol version 6 (IPv6)



What is FISMA?
FISMA is the Federal Information Security Management Act. It is legislation that defines a comprehensive framework to protect government information, operations and assets against natural or man-made threats. FISMA was signed into law as part of the Electronic Government Act of 2002.



What is TIC?
TIC is an acronym for Trusted Internet Connection. Per OMB Memorandum M-08-05, the purpose of the TIC is to optimize and standardize the security of individual external network connections currently in use by federal agencies, including connections to the Internet.



Was this page helpful?

Please provide a comment