ATO vs. ATU: What's the Difference & FedRAMP Requirements
SaaS vendors pursuing federal contracts encounter two authorization terms that sound similar but operate on entirely different planes. The Authority to Operate (ATO) is the credential a cloud service provider (CSP) earns. The Authorization to Use (ATU) is the decision a federal agency makes to adopt that already-authorized service.
Conflating the two causes real problems: misaligned timelines, wasted engineering effort, and federal deals that stall because nobody on the vendor side understands who does what and when. This guide breaks down both terms, shows how they sequence in procurement, and identifies the fastest path to an active ATO.
Key Takeaways
- ATO is a credential. A FedRAMP authorization decision by an Authorizing Official, resulting in a signed ATO, which allows a cloud service to appear on the FedRAMP Marketplace as FedRAMP Authorized
- ATU is the agency-side reuse action. Every agency that wants to use an already-authorized service must issue its own ATU, which turns a single ATO into multiple agency authorizations and operationalizes FedRAMP's "do once, use many" principle.
- No ATO, no ATUs. The sequencing is generally strict: agencies typically rely on an active FedRAMP authorization package to issue an ATU. Without an authorization path in place, federal contract revenue can be delayed.
- Inherited boundaries compress. Deploying on a pre-authorized infrastructure eliminates the need to build and authorize the full stack from scratch, reducing both the timeline and the ongoing ConMon burden.
The Authority to Operate (ATO) Establishes Initial FedRAMP Authorization
An ATO is a formal risk-acceptance decision by a senior federal official, the Authorizing Official (AO), confirming that a cloud system's security posture is acceptable for federal use. Per NIST SP 800-37, the ATO is "the official management decision given by a senior Federal official or officials to authorize operation of an information system and to explicitly accept the risk to agency operations."
For FedRAMP specifically, an ATO can result in a CSP's cloud service offering (CSO) being listed on the FedRAMP Marketplace as FedRAMP Authorized. Once listed, the CSP's security package, consisting of the System Security Plan (SSP), Security Assessment Report (SAR), and Plan of Action and Milestones (POA&M), is deposited in FedRAMP's secure repository. Any federal agency can then access that package and evaluate whether to adopt the service.
Two structural points matter for SaaS vendors planning their federal go-to-market.
- First, an individual agency's ATO covers only that agency's use. The CSP Authorization Playbook is explicit: "The initial federal agency ATO is not a government-wide risk acceptance."
- Second, authorization requires continuous monitoring, which means an ATO is an ongoing status rather than a one-time milestone.
Under the current framework established by OMB M-24-15 (July 2024), which retired the Joint Authorization Board (JAB) path, two authorization routes remain: Agency Authorization, signed by an agency AO, and Program Authorization, signed by the FedRAMP Director, which is still being developed under FedRAMP 20x. For most CSPs today, Agency Authorization is the dominant path.
The Authorization to Use (ATU) Allows an Agency to Reuse an Existing Authorization
An ATU is an agency-internal decision to formally accept the risk of using a cloud service that already holds a FedRAMP authorization. NIST SP 800-37 Rev.2 defines it as "the official management decision given by an authorizing official to authorize the use of an information system, service, or application based on the information in an existing authorization package generated by another organization, and to explicitly accept the risk to agency operations based on the implementation of an agreed-upon set of controls."
The operative phrase is "existing authorization package." The agency does not commission a new assessment by a Third-Party Assessment Organization (3PAO). Instead, it reviews the SSP, SAR, and POA&M already on file in FedRAMP's repository, implements its own customer-responsible controls, and has its AO sign the authorization letter.
FedRAMP frames this as a principle of reuse: a cloud service is assessed once, and agencies can rely on that authorization rather than conducting their own evaluation.
The ATU is lighter in assessment burden, but its legal status is similar to, not identical to, that of an initial ATO. A-130 requirement still applies. A FedRAMP authorization package is presumed adequate evidence for that decision, per 44 U.S.C. § 3613(e), but the AO must still formally act.
The timeline for getting an ATU is often measured in weeks. The agency submits a package access request, receives 60-day temporary access to the repository, reviews the documentation, implements customer-side controls, and issues the ATU letter. FedRAMP then converts the agency's repository access from temporary to permanent.
ATO vs. ATU: Differences in Issuer, Timing, and Use Function
With both terms defined, the practical question for a SaaS vendor is how they differ in three dimensions that drive procurement strategy: who signs each authorization, when each one fits in the federal buying sequence, and how each one functions in terms of reuse across agencies.
Issuer: Who Signs Each Authorization and Under What Authority
Both an ATO and an ATU are signed by an agency Authorizing Official, and both operate under the same legal framework, grounded in the FedRAMP Authorization Act (P.L. 117-263), FISMA, and OMB Circular A-130.
The difference is context. The ATO is signed by the AO of the initial sponsoring agency following a full 3PAO assessment of the CSP's system. The ATU is signed by the AO of a subsequent agency based on the existing FedRAMP package, without re-performing testing.
In both cases, the AO assumes responsibility for operating a system at an acceptable level of risk to their organization and, where applicable, to other organizations and the Nation, not solely on behalf of their own agency. That responsibility cannot be delegated to another agency's prior decision, which is why each agency must issue its own authorization even when reusing an existing package.
Timing: Where Each Fits in the Federal Procurement Sequence
The sequencing is strict: an ATO comes first, an ATU comes second.
A CSP must complete a full 3PAO assessment, receive an ATO from an initial sponsoring agency, and pass FedRAMP's review for suitability for government-wide reuse before subsequent agencies can rely on the package. Only then does the CSO appear on the Marketplace as FedRAMP Authorized, and only then can subsequent agencies access the package and issue their own ATUs.
DOE guidance states the gate explicitly: "No procurement for cloud products/services shall be completed without having obtained a valid authorization to operate (ATO) / authorization to use (ATU) granted by a designated AO in accordance with review of the FedRAMP authorization." A CSO can be listed on the FedRAMP Marketplace in FedRAMP Ready status even without an ATO, but an agency can issue an ATU only if at least one FedRAMP authorization is on file. The two also differ sharply in duration: an initial ATO on the traditional path can take months to years to obtain, while a subsequent agency's ATU can often be measured in weeks once the package is available.
Use Function: How One ATO Enables Many Agency ATUs
The functional difference is the clearest one. An ATO establishes the underlying authorization package; an ATU reuses it.
Per the reuse guide, a single CSP authorization package becomes the evidentiary foundation that any number of federal agencies can use to issue their own ATUs without commissioning a new 3PAO assessment. This is why the FedRAMP Marketplace surfaces both authorizations and reuses for each cloud service offering.
Coverage is narrow in both cases: an ATO covers only the sponsoring agency's use, and each ATU covers only the issuing agency's use, but the volume dynamic is asymmetric. One ATO can support many ATUs.
For the SaaS vendor, the implication is direct: the first ATO is the gate, but every subsequent agency ATU unlocks incremental revenue from the same underlying package. The reuse function is what turns FedRAMP authorization from a one-deal credential into a multi-agency growth lever.
Requirements for an Active ATO: Documentation, Assessment, and Continuous Monitoring
Holding an active ATO obligates the CSP to defined documentation, third-party assessment, and continuous monitoring commitments. The documentation package includes the SSP, POA&M, a Control Implementation Summary/Customer Responsibility Matrix (CIS/CRM) Workbook, and appendices covering contingency planning, cryptographic modules, and system inventory.
The 3PAO assessment occurs in three stages: a readiness assessment, a formal assessment (controls testing, vulnerability scanning, and penetration testing), and annual assessments post-authorization. The 3PAO conflict rule applies before consultants can serve as the 3PAO on the same system they helped prepare.
FedRAMP Rev5 baselines build on the underlying NIST SP 800-53 baselines, adding specificity and implementation requirements, and annual maintenance is substantial for as long as the ATO remains active.
Continuous monitoring is the obligation that keeps the ATO, and every ATU built on top of it, in force. The ConMon playbook describes failures that can revoke authorization when obligations are not met, thereby collapsing the evidentiary foundation that downstream agencies depend on. Monthly deliverables are required, and CSPs with multiple agency customers must implement a Collaborative Continuous Monitoring approach, as required under NIST SP 800-53 Rev5 control CA-7, coordinating monitoring activities across all authorizing agencies.
How to Earn an ATO: Build the Boundary or Inherit It
The operative question for a SaaS vendor is whether to build a FedRAMP boundary from scratch or deploy into one that already holds authorization. That single decision determines how quickly the ATO is achieved, and by extension, how soon agencies can begin issuing ATUs against it.
The Traditional Path to FedRAMP Authorization
In a traditional authorization, the CSP's system runs on non-FedRAMP-authorized infrastructure and is responsible for building and maintaining the entire infrastructure stack required by FedRAMP authorizations.
Timelines on this path have historically been lengthy, ranging from 12 to 36 months. Some providers have moved faster with a dedicated federal product and an active agency sponsor. The cost on this path is also substantial, especially at Moderate and High baselines, with the agency sponsorship bottleneck adding unpredictable delays before work even begins.
For SaaS companies with an existing federal contract opportunity and a finite procurement window, this timeline creates a structural mismatch. The deals move faster than the authorization.
What if the infrastructure layer did not need to be built or authorized by the SaaS vendor at all?
The Inherited ATO Model
RFC-0004 inheritance allows SaaS vendors deploying on a FedRAMP-authorized infrastructure provider to inherit the existing implementation, assessment, and testing of that provider's controls without including the entirety of that provider's offering inside the SaaS vendor's authorization boundary.
In practice, physical and infrastructure-operated controls shift heavily toward the underlying provider, while controls such as access management remain shared between infrastructure configuration and application-layer implementation.
Knox is a FedRAMP-as-a-Service platform built on this inherited model. SaaS vendors deploying on the pre-authorized Knox FedRAMP boundary inherit a substantial portion of required controls on day one, narrowing both the authorization workload and the ongoing ConMon scope to application-layer and customer-responsible controls. The infrastructure provider assumes responsibility for physical security, environmental controls, and infrastructure-layer monitoring obligations, so the vendor carries a leaner maintenance burden after authorization.
The practical difference for a SaaS CTO is direct: instead of budgeting heavily and waiting years to stand up compliant infrastructure from scratch, the inherited model can significantly shorten the path.
Choosing the Fastest Path to FedRAMP Authorization
The throughline is straightforward: no ATO, no ATUs. An agency cannot issue an ATU until a CSP holds an active FedRAMP authorization on file. Every quarter a SaaS vendor spends without that authorization is a quarter where no agency can adopt the product, regardless of how strong the pipeline looks.
That leaves two paths. Build a FedRAMP boundary from scratch on non-authorized infrastructure, absorb the multi-year timeline and the agency-sponsorship bottleneck, and carry the full stack of ConMon obligations indefinitely. Or deploy on a FedRAMP-authorized infrastructure provider, inherit a substantial portion of the controls on day one, narrow the scope to application-layer and customer-responsible controls, and compress the path to a first ATO, the same ATO that unlocks every downstream agency ATU.
Between building the boundary and inheriting it, the speed of that decision determines how much of the procurement window the vendor actually gets to work with. The vendors who get an active ATO in place first capture the agency ATUs that follow as reuse activity continues to accelerate across the FedRAMP Marketplace.
If a federal opportunity is already in your pipeline, the build-vs-inherit decision is the lever that decides whether you reach the procurement window in time.
Book a meeting with Knox to map the fastest path to an inherited ATO.