The Federal Risk and Authorization Management Program (FedRAMP) plays a pivotal role in safeguarding the security of cloud services within the U.S. federal government. An essential element of this program is the Joint Authorization Board (JAB), which is responsible for prioritizing and authorizing cloud offerings offered by cloud providers.
The JAB prioritization process is a methodical approach to selecting the most impactful CSOs for a JAB Provisional Authorization to Operate (P-ATO). This process holds significance for upholding the integrity of federal cloud services and shaping the future of cloud technology within the government sector.
Understanding JAB Authorization
The Joint Authorization Board within FedRAMP is the program’s principal governance and decision-making body. Comprising the Chief Information Officers from the Department of Defense (DoD), the Department of Homeland Security (DHS), and the General Services Administration (GSA).
The JAB’s role entails reviewing and assessing the security implementations of CSPs to ensure compliance with FedRAMP’s stringent standards. If a CSP meets these standards, the JAB grants a P-ATO, signifying that the provider’s offering is authorized for use by federal agencies.
The FedRAMP process has two primary paths to authorization: JAB authorization and Agency authorization.
- JAB Authorization: The JAB, consisting of personnel from the DoD, DHS, and GSA, acts as the main governing and decision-making body for FedRAMP. Through a thorough review and assessment of cloud offerings, the JAB ensures compliance with FedRAMP standards. If a provider meets these criteria, the JAB grants a Provisional Authority to Operate. This P-ATO holds recognition across the federal government and signifies that the CSO is authorized for use by federal agencies. However, it is essential to note that while a JAB P-ATO strongly indicates a CSO’s security posture, it does not eliminate the need for an agency to issue its own ATO based on its specific risk tolerance and operational requirements.
- Agency Authorization: In this path, a particular federal agency sponsors the CSP’s FedRAMP authorization process. The agency conducts a comprehensive review of the CSO’s security implementations, and if they align with the agency’s requirements and the FedRAMP standards, the agency grants an Authority to Operate. Typically, this ATO is specific to the sponsoring agency and may not be recognized by other federal agencies. However, other agencies can leverage this ATO to grant their own ATOs to the same CSO, reducing duplication of effort.
JAB Prioritization and Its Significance in Authorization:
JAB prioritization is a meticulous process designed to identify and prioritize the most impactful offerings for JAB P-ATO. This strategic approach ensures that federal agencies use critical cloud services to meet the highest security and compliance standards.
By subjecting CSOs to thorough scrutiny, the JAB prioritization process aids in making informed decisions about granting P-ATOs, thereby bolstering the security of federal cloud services. Furthermore, as the JAB’s decisions influence the future landscape of cloud technology within the government sector, the prioritization process plays an instrumental role in shaping the path forward.
JAB prioritization process in FedRAMP is a method to select the most impactful cloud offerings for a JAB authorization. The process evaluates CSOs and prioritizes them to work towards a JAB P-ATO.
The JAB prioritization process is based on three main criteria:
- Demand for the CSO: This is the primary criterion for prioritization and requires a provider to verify current or potential demand from the equivalent of six customers.
- FedRAMP Ready Status: Offerings that are FedRAMP Ready have preferential consideration in prioritization. An offering must achieve FedRAMP Ready status within 60 days of selection, or it will be deprioritized.
- Preferred Characteristics: These are not mandatory for prioritization but are preferred by the JAB for government-wide solutions. These characteristics include being designed for the Federal Government, demonstrating a proven track record of managed risk and secure implementations, providing heightened security, and meeting Federal Government needs.
The JAB prioritization process also involves the submission of a business case by the CSPs, which includes a JAB Prioritization Information Form and a Proof of Demand Worksheet. Optionally, CSPs can also submit a collection of written proof of potential demand (i.e., demand verification letters or communications).
The Business Case Form
The “FedRAMP Business Case for JAB Prioritization” form is a document that providers must fill out as part of their application for JAB prioritization. This form consists of multiple-choice and short-answer questions.
The form requires CSPs to provide a brief service description that gives evaluators an understanding of the value of the offerings to the Federal Government. The description should address the following questions:
- How does an agency use and experience your offering?
- How is your CSO broadly applicable across the Federal Government?
- Does your CSO provide a new and innovative service?
- Why should the JAB authorize your service over similar offerings?
This form and the Proof of Demand Worksheet form the business case that CSPs must submit as part of their application for JAB prioritization.
Proof of Demand Worksheet
The Proof of Demand Worksheet is a component of the FedRAMP business case submission that cloud providers must complete. It’s an Excel worksheet CSPs must complete to show proof of demand for their offering.
The worksheet is designed to capture information in several categories:
- Current Federal Customers: CSPs must provide information about which federal agencies use cloud offerings. This includes the federal customer name, customer point of contact information, government contract number, period of performance, and ATO status.
- Indirect Customers: CSPs must provide information about which FedRAMP-authorized cloud services use their service. This includes the name of the FedRAMP-authorized CSP customer using their service, the point of contact information for the FedRAMP CSO, the FedRAMP package ID number for the FedRAMP CSO, and the number of FedRAMP ATOs issued for the FedRAMP CSO.
- Current State, Local, Tribal, Territorial, Federally Funded Research Centers, or Lab Customers: CSPs must provide information about non-Federal Government bodies using their service. This includes the customer name, customer point of contact information, contract number, and performance period.
- Federal Agencies’ Requests: CSPs must provide information about which federal agencies have issued an RFI, RFP, or RFQ related to their CSO in the last 18 months.
Potential Validation Letters
Potential Demand Validation Letters/Communications are an optional component of the business case that providers can provide as part of their application for JAB prioritization. These letters or communications provide proof of potential demand from new or current federal customers interested in moving to the cloud version of the service.
These potential customers are defined as follows:
- Federal agencies that are actively interested in using the CSP’s offering. This includes federal agencies continuously contacting the CSP about using their offering or looking for a trial run.
- Proof of interest from current federal agency customers using an on-premise or commercial version of the offering proposed for authorization by the JAB. An agency using an on-prem product version may want to move to a cloud version, which would serve as a demonstration of demand.
FedRAMP’s initial cloud offering review is based on demand. CSOs that pass the demand review are evaluated based on their FedRAMP Ready status. The relative value of the criteria is such that demand from current federal customers is more valuable than demand from non-federal customers and potential customers.
Demand is more critical than a CSO being FedRAMP Ready. When “Business Cases” are evaluated and considered equal in demand, FedRAMP Ready status becomes a deciding factor. If demand and FedRAMP Ready status are considered equal, the JAB Preferred Characteristics detailed in section 2.3 will be considered in selecting the successful CSOs.
The relative values for each validated proof of demand a CSP can provide are:
- Current Demand = 1
- Indirect Demand = 0.5
- Potential Demand = 0.25
For a CSP to pass the demand criteria for prioritization, it must verify current, indirect, or potential demand from the equivalent of six customers.
Shore Up Your FedRAMP Authorization Process with Continuum GRC
Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:
- NIST 800-53
- FARS NIST 800-171
- SOC 1, SOC 2
- PCI DSS 4.0
- IRS 1075
- COSO SOX
- ISO 27000 Series
- ISO 9000 Series
And more. We are the only FedRAMP and StateRAMP Authorized compliance and risk management solution worldwide.
Continuum GRC is a proactive cyber security® and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.
[wpforms id= “43885”]