You've already achieved ATO. Now another agency wants you to start over. Reciprocity should eliminate redundant assessments, but because implementation is inconsistent, organizations often repeat roughly 80% of the authorization work for each new boundary. Thalorin automates gap analysis, maps control deltas, and generates the artifacts required for reciprocity acceptance.
The March 2024 Deputy Secretary of Defense memorandum on cybersecurity reciprocity directs implementation "except when cybersecurity risk is proven too great", the strongest policy push to date. DoDI 8510.01 already establishes reciprocity as the default for systems deployed in DoD.
Yet DoD IG audits reveal inconsistent implementation: some Components leverage reciprocity effectively while others don't consider it a priority. The gap between policy and practice costs organizations months of redundant work.
No standard artifact format. DoDI 8510.01 explicitly does not dictate artifact formats. Authorization packages vary widely between organizations, making comparison and acceptance difficult.
Divergent risk tolerance. What counts as adequate encryption at one agency may fail at another. AOs exercise discretion differently, and risk acceptance varies by mission context.
Incompatible systems of record. eMASS, Xacta, CSAM: each system of record has customized workflows, and data exchange between tools requires manual translation.
Rejection with no defined remedy. Receiving AOs can refuse reciprocity for insufficient content or excessive enclave risk. Without standardized quality measures, a rejection triggers a full reassessment.
Reciprocity isn't one-size-fits-all. FedRAMP to DoD follows different rules than interagency DoD or coalition partner acceptance. Each pathway has specific control deltas, documentation requirements, and approval workflows. Thalorin maps your existing authorization to target boundaries and identifies exactly what's needed.
Direct reciprocity (FedRAMP Moderate to DoD IL2). A FedRAMP Moderate authorization is accepted for IL2 workloads with minimal additional documentation.
Reciprocity fails when receiving organizations discover gaps late in the process. Thalorin performs automated gap analysis the moment you select a target boundary—comparing your existing control implementations against target requirements, identifying missing evidence, and flagging controls that need additional documentation or implementation work.
CNSSI 1254 defines the RMF core documents forming the Body of Evidence necessary for reciprocity consideration. Receiving AOs evaluate these artifacts to determine if existing authorization demonstrates sufficient rigor. Thalorin ensures your BoE meets the quality bar for acceptance.
System Security Plan (SSP). The foundational document describing system boundaries, control implementations, and security architecture. Must be current, complete, and consistent with the assessed state.
Security Assessment Report (SAR). Documents the assessment methodology, findings, and recommendations from the Security Control Assessor. Demonstrates independent validation of control effectiveness.
Risk Assessment Report (RAR). Identifies threats, vulnerabilities, and risks to the system. Quantifies likelihood and impact. Documents risk mitigation strategies.
Plan of Action and Milestones (POA&M). Tracks known weaknesses and remediation plans. Shows organizational commitment to addressing gaps.
Authorization decision document. The formal ATO letter from the authorizing official accepting residual risk. Establishes the authorization boundary and any conditions.
eMASS provides designated users the ability to search across all eMASS instances for existing authorizations. When a system already holds DoD authorization, the receiving Component can locate the authorization record, review the Body of Evidence, and make a reciprocity determination without requiring the system owner to resubmit documentation. Thalorin integrates with eMASS to streamline this workflow.
Cross-instance search. Query all eMASS instances to locate existing authorizations for a system or CSP. View authorization status, AO contact, and a BoE summary.
Package export. Generate eMASS-compatible XML exports of your authorization package, formatted to align with eMASS import specifications.
Delta package generation. When reciprocity requires additional controls, Thalorin generates the delta package formatted for eMASS entry, minimizing manual data entry.
Request tracking. Monitor reciprocity request status across multiple receiving organizations, with a dashboard view of pending decisions and required actions.
FedRAMP Moderate provides a strong foundation, but DoD IL4 requires additional controls for handling Controlled Unclassified Information. These FedRAMP+ requirements are the additional NIST SP 800-53 controls (C) and control enhancements (CE) that the DoD Cloud Computing SRG layers on top of the FedRAMP Moderate baseline. The affected families include:
Access Control (AC). Strengthened account management, session controls, and privilege restrictions for CUI environments.
Audit and Accountability (AU). Extended logging, non-repudiation, and audit trail requirements for accountability.
Identification and Authentication (IA). Cryptographic module requirements and enhanced authentication mechanisms.
Media Protection (MP). CUI-specific handling requirements for media storage, transport, and sanitization.
System and Communications Protection (SC). Cryptographic protection, boundary defense, and information protection requirements.
The same security control often satisfies requirements across multiple frameworks. NIST SP 800-53 AC-2 maps to CMMC AC.L2-3.1.1, ISO/IEC 27001:2013 A.9.2.1, and FedRAMP AC-2. When you've implemented a control once, Thalorin's Feynman Engine identifies every framework in which that implementation provides coverage, maximizing the value of your compliance investments.
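The following is an added example, not Thalorin's code, showing the core of the two mechanisms described above: the gap analysis that compares an existing set of control implementations against a target baseline (separating covered controls from those missing evidence, partially implemented, or absent), and the cross-framework crosswalk that lets an implementation recorded under one framework's ID count toward a NIST control required by the receiving boundary. Only the AC-2 crosswalk row is taken from the text; the other crosswalk rows, the evidence references, the status values and the six-control target baseline are constructed for illustration and are not the real FedRAMP Moderate or IL4 FedRAMP+ control lists.

```python
"""Control-baseline gap analysis with a cross-framework crosswalk.

Added example; not Thalorin's code. Control IDs, evidence references and
the target baseline are constructed for illustration and are NOT the real
FedRAMP Moderate or DoD IL4 FedRAMP+ lists.
"""
from dataclasses import dataclass, field

# Constructed crosswalk: framework-specific ID -> NIST SP 800-53 control ID.
# Only the AC-2 rows come from the page text; the AU-2 rows are assumed.
CROSSWALK = {
    "CMMC:AC.L2-3.1.1": "AC-2",
    "ISO27001:A.9.2.1": "AC-2",
    "FedRAMP:AC-2": "AC-2",
    "CMMC:AU.L2-3.3.1": "AU-2",   # assumed mapping for illustration
    "ISO27001:A.12.4.1": "AU-2",  # assumed mapping for illustration
}

# Implementation maturity, used to pick the strongest record when the same
# NIST control is documented under several framework IDs.
STATUS_RANK = {"planned": 0, "partial": 1, "implemented": 2}


@dataclass(frozen=True)
class Implementation:
    status: str              # one of STATUS_RANK
    evidence: tuple = ()     # artifact references (SSP section, SAR finding, ...)


@dataclass
class GapReport:
    covered: list = field(default_factory=list)           # implemented, with evidence
    missing_evidence: list = field(default_factory=list)  # implemented, no artifact cited
    partial: list = field(default_factory=list)           # needs implementation work
    not_implemented: list = field(default_factory=list)   # absent or only planned
    via_crosswalk: dict = field(default_factory=dict)     # NIST id -> source framework id


def to_nist(control_id: str) -> str:
    """Normalize a framework-specific ID to its NIST control; NIST IDs pass through."""
    return CROSSWALK.get(control_id, control_id)


def frameworks_covered_by(nist_id: str) -> list:
    """Inverse crosswalk: every framework requirement one NIST implementation satisfies."""
    return sorted(ext for ext, nist in CROSSWALK.items() if nist == nist_id)


def gap_analysis(existing: dict, target_baseline: set) -> GapReport:
    """Compare existing implementations (keyed by any framework ID) to a NIST baseline."""
    best = {}  # NIST id -> (Implementation, source id) with the highest status rank
    for source_id, impl in existing.items():
        if impl.status not in STATUS_RANK:
            raise ValueError(f"unknown status {impl.status!r} for {source_id}")
        nist = to_nist(source_id)
        current = best.get(nist)
        if current is None or STATUS_RANK[impl.status] > STATUS_RANK[current[0].status]:
            best[nist] = (impl, source_id)

    report = GapReport()
    for cid in sorted(target_baseline):
        if cid not in best:
            report.not_implemented.append(cid)
            continue
        impl, source_id = best[cid]
        if source_id != cid:
            report.via_crosswalk[cid] = source_id
        if impl.status == "implemented" and impl.evidence:
            report.covered.append(cid)
        elif impl.status == "implemented":
            report.missing_evidence.append(cid)
        elif impl.status == "partial":
            report.partial.append(cid)
        else:
            report.not_implemented.append(cid)
    return report


# Constructed sample package: the originating boundary documented controls
# under a mix of FedRAMP, CMMC, ISO and bare NIST identifiers.
EXISTING = {
    "FedRAMP:AC-2": Implementation("implemented", ("SSP-3.2", "SAR-F-14")),
    "ISO27001:A.9.2.1": Implementation("partial", ()),          # weaker duplicate of AC-2
    "CMMC:AU.L2-3.3.1": Implementation("implemented", ("SSP-3.4",)),
    "IA-5": Implementation("implemented", ()),                  # no artifact cited
    "MP-6": Implementation("partial", ("POAM-22",)),
    "SC-13": Implementation("implemented", ("SSP-3.13",)),
}
# Constructed target baseline for the receiving boundary (not a real IL4 list).
TARGET_SAMPLE = {"AC-2", "AU-2", "IA-5", "MP-6", "SC-8", "SC-13"}


if __name__ == "__main__":
    r = gap_analysis(EXISTING, TARGET_SAMPLE)
    print("covered:          ", r.covered)
    print("missing evidence: ", r.missing_evidence)
    print("partial:          ", r.partial)
    print("not implemented:  ", r.not_implemented)
    print("via crosswalk:    ", r.via_crosswalk)
    print("AC-2 also covers: ", frameworks_covered_by("AC-2"))
```

On the sample, AC-2 is accepted through the FedRAMP record rather than the weaker ISO one, AU-2 is satisfied only via the CMMC crosswalk entry, IA-5 surfaces as a documentation gap rather than an implementation gap, and SC-8 is the one control the receiving AO would need implemented before acceptance. Real use would load the crosswalk and baselines from the actual frameworks instead of the constructed tables here.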
Reciprocity disputes happen. A receiving AO may refuse acceptance due to insufficient evidence, different risk interpretation, or enclave-specific concerns. DoD provides an escalation path: AO level → RMF TAG Chair → AO Council (DoD CISO). Thalorin documents the reciprocity request, denial rationale, and escalation history to support resolution.
AO level. Direct discussion between the originating and receiving AOs. Often resolved through additional evidence or clarification of implementation details.
RMF TAG Chair. The Technical Advisory Group chair mediates the dispute, reviewing BoE quality and the receiving AO's concerns.
AO Council. Final adjudication by the DoD CISO-chaired council, whose decision on reciprocity acceptance is binding.
Thalorin tracks escalation status, generates required documentation, and maintains audit trail of all reciprocity decisions.
Recent policy updates push toward reciprocity as the default rather than exception. Organizations that invest in clean, well-documented authorizations now will benefit as these policies take effect.
March 2024 Deputy Secretary of Defense reciprocity memorandum. Mandates reciprocity implementation "except when cybersecurity risk is proven too great," shifting the burden of proof to the receiving organization to justify rejection.
OMB Memorandum M-24-15 (July 2024). Establishes a "presumption of adequacy" requiring civilian agencies to accept FedRAMP authorizations without additional validation, and creates the FedRAMP Board, replacing the JAB.
DoD cloud impact level guidance. Clarifies IL5 as explicitly NSS-focused, positioning IL4 as appropriate for most CUI and mission data, which simplifies pathway selection for cloud workloads.
FedRAMP modernization pilots. Pilots are underway for reciprocity with external frameworks (SOC 2 Type 2 and ISO 27001, with HITRUST under consideration), and OSCAL digital authorization packages are in development.
See how Thalorin can help you leverage existing authorizations across agency boundaries with automated gap analysis and reciprocity package generation.