Looking for clarification on the certification process. Trying to determine if we need an ATO or if our CSP (AWS) has that and we just need to meet their requirements.
My company is using the AWS GovCloud environment to store data in a more secure area for portions of our cloud workloads. We will be building our own infrastructure and doing data modeling and such. This is due to a corporate policy requirement for the data to be used, not because we are a government entity. The AWS GovCloud is FedRAMP certified, obviously.
Does my company need a 3PAO to get assessed? Do we need to put together the Security Report and have a SAR document? Or should AWS be giving me a list of requirements that we have to meet in order to operate in their environment?
Looking at those with an ATO, I’m not seeing general corporations like mine. I’m only seeing the huge providers like AWS, Google and ServiceNow.