Cloud.gov Pages Security & ATU Process
Overview
The legacy Federalist Authority to Operate (ATO) expired 28 Feb 2024.
All former Federalist sites, GSA and non‑GSA, now run on Cloud.gov Pages, a FedRAMP‑aligned static‑site platform built on the Cloud.gov PaaS.
Because most Pages sites are FISMA Low public‑facing websites, Cloud.gov offers a streamlined Authority to Use (ATU) package: a short set of artifacts that cover ~90 % of the usual paperwork.
Agencies keep their sites live under an active Inter‑Agency Agreement (IAA) while they complete the ATU.
Customer Responsibility: Provide accurate site details and maintain content hygiene; Cloud.gov handles underlying hosting, patching, and FedRAMP controls.
The Pages team has created an ATU process and established a partnership with the Technology Transformation Services Center of Excellence (CoE) to assist non-GSA agencies in navigating and gathering ATU documentation. The process includes the following templates and documents which are available upon request via this email: support@cloud.gov
| Requirement | Why |
|---|---|
| Active IAA or MOA | Legal vehicle to consume Cloud.gov Pages |
| Site classification: FIPS 199 “Low Impact” | Confirms ATU eligibility |
| GitHub repo for site source | Enables CI/CD builds |
| Agency Authorizing Official (AO) or Web Program Manager | Signs the ATU letter |
Steps
1. Request the ATU kit
Email pages-support@cloud.gov to receive the ATU templates, checklists, and sample language.
2. Pick a support model
- Hands‑On – Receive direct assistance from the Pages team. Our in-house specialists will guide you through each step of the ATU process.
- Self‑Service – For agencies that prefer a do-it-yourself (DIY) approach, leverage our templates and detailed guidance to complete the ATU independently.
- Hybrid – Combine both Hands-On Support and Self-Supported. Ideal for agencies seeking flexibility while maintaining control over parts of the process.
3. Complete the ATU package
The kit includes:
- System ID worksheet (site URL, repo link, owner contact)
- Low‑Impact SSP excerpt (2‑3 pages)
- Change‑control & incident‑response attestation
4. Submit for review
Send the filled package to pages-support@cloud.gov. The Pages security team validates inputs, attaches inherited control evidence, and forwards to your AO for signature.
5. Maintain continuous compliance
- Keep your repo public or grant Pages read access.
- Apply content updates regularly; Cloud.gov auto‑patches the stack.
- Renew the ATU annually or when the site’s scope changes.
FAQs
Q: What’s the difference between an ATO and an ATU?
An ATO (Authorization to Operate) is a full security approval for a system to operate. In contrast, an ATU (Authority to Use) allows you to leverage an existing ATO to use a service. The ATU process is typically shorter and less involved than obtaining a full ATO.
Q: How long does the ATU process take?
Complete, error‑free packages are usually approved in under two weeks. Hands‑on support can shorten this further.
Q: Does Pages support High‑impact data?
No. Pages is designed for public, Low‑impact content only.
Q: Who do I contact for new projects?
Email inquiries@cloud.gov to discuss pricing and onboarding.
Need help with an existing Pages account? Contact the support team at support@cloud.gov.
Q: Do I need vulnerability scans?
Cloud.gov Pages scans the platform; you are responsible for scanning and updating any third‑party JS/CSS libraries in your repo.
Need help right now? pages-support@cloud.gov is standing by.