Cloud.gov Pages Security & ATU Process
Websites hosted on Cloud.gov Pages are covered under the Cloud.gov FedRAMP Authorization.
Pages inherits relevant platform-level controls from the broader Cloud.gov FedRAMP Authorization (package ID: F1607067912). This means your agency benefits from pre-authorized infrastructure while focusing only on responsibilities tied to your website.
To onboard agencies efficiently, Cloud.gov Pages provides a streamlined Authority to Use (ATU) process. This ensures compliance while reducing the burden of documentation.
What is an Authority to Use (ATU)?
An ATU allows your agency to reuse Cloud.gov’s FedRAMP Authorization to operate your Pages-hosted site.
It is a lightweight package designed for public-facing static websites — and documents the minimum compliance details required for onboarding.
Unlike a full Authority to Operate (ATO), which covers entire systems, an ATU accelerates approvals by leveraging our existing platform security authorizations.
Roles & Prerequisites
Before beginning the ATU process, ensure you meet these requirements:
| Prerequisite | Why it matters |
|---|---|
| Active Inter-Agency Agreement (IAA) | Legal vehicle to consume Cloud.gov Pages |
| Site classification: FIPS 199 Low Impact | Confirms ATU eligibility |
| GitHub repo for site source | Enables CI/CD builds with Pages |
| Agency Authorizing Official (AO) or Web Program Manager | Signs the ATU |
Responsibilities
Cloud.gov Pages manages:
- FedRAMP Authorized infrastructure
- Platform patching, scanning, and logging
- Annual independent third-party assessments
Customer Responsibility includes:
- Completing the ATU package
- Scanning and updating third-party libraries in your repo
- Patching and securing your content and components.
- Maintaining an active IAA
Benefits of using the Pages ATU
The Pages ATU reduces your workload by reusing Cloud.gov’s existing authorizations and templates.
With Pages ATU, you can:
- Save time and reduce costs
- Simplify documentation
- Lower compliance overhead
- Access tailored support and resources
ATU Support Options
You can choose the level of support that works best for your team:
- Hands-On Support — Work directly with the Pages team for step-by-step guidance.
- Self-Supported — Use provided templates and guides to complete the ATU yourself.
- Hybrid Approach — Combine both, retaining flexibility while getting expert assistance.
FAQs
Q: What’s the difference between an ATO and an ATU?
An ATO is a full security authorization for an entire system. An ATU reuses an existing FedRAMP Authorization (Cloud.gov) to cover your use of the service. The ATU process is faster and less complex.
Q: How long does the ATU process take?
Most complete packages are approved in under two weeks. Hands-on support may shorten this.
Q: Does Pages support Moderate or High-impact data?
No. Cloud.gov Pages is FedRAMP Authorized for Low-impact public content only. No PII or sensitive data.
Q: Do I need vulnerability scans?
Cloud.gov Pages scans the platform. Customer Responsibility is scanning and updating dependencies in your repo.
Q: Who do I contact for new or existing projects?
- Support team → pages-support@cloud.gov
- Business inquiries → inquiries@cloud.gov
Contact
- For existing Pages accounts → pages-support@cloud.gov
- For onboarding or pricing → inquiries@cloud.gov