
What Are the Evaluation Criteria for JAB Prioritization?

The Federal Risk and Authorization Management Program (FedRAMP) plays a pivotal role in safeguarding the security of cloud services within the U.S. federal government. An essential element of this program is the Joint Authorization Board (JAB), which is responsible for prioritizing and authorizing cloud service offerings (CSOs) from cloud service providers (CSPs).

The JAB prioritization process is a methodical approach to selecting the most impactful CSOs for a JAB Provisional Authorization to Operate (P-ATO). This process holds significance for upholding the integrity of federal cloud services and shaping the future of cloud technology within the government sector.

 

Understanding JAB Authorization

The Joint Authorization Board within FedRAMP is the program’s principal governance and decision-making body. It comprises the Chief Information Officers from the Department of Defense (DoD), the Department of Homeland Security (DHS), and the General Services Administration (GSA).

The JAB’s role entails reviewing and assessing the security implementations of CSPs to ensure compliance with FedRAMP’s stringent standards. If a CSP meets these standards, the JAB grants a P-ATO, signifying that the provider’s offering is authorized for use by federal agencies.

The FedRAMP process has two primary paths to authorization: JAB authorization and Agency authorization. 

 

JAB Prioritization and Its Significance in Authorization

 

 

JAB prioritization is a meticulous process designed to identify and prioritize the most impactful offerings for JAB P-ATO. This strategic approach ensures that critical cloud services used by federal agencies meet the highest security and compliance standards.

By subjecting CSOs to thorough scrutiny, the JAB prioritization process aids in making informed decisions about granting P-ATOs, thereby bolstering the security of federal cloud services. Furthermore, as the JAB’s decisions influence the future landscape of cloud technology within the government sector, the prioritization process plays an instrumental role in shaping the path forward.

The JAB prioritization process in FedRAMP is a method to select the most impactful cloud offerings for a JAB authorization. The process evaluates CSOs and prioritizes them to work towards a JAB P-ATO.

The JAB prioritization process is based on three main criteria:

The JAB prioritization process also involves the submission of a business case by the CSPs, which includes a JAB Prioritization Information Form and a Proof of Demand Worksheet. Optionally, CSPs can also submit a collection of written proof of potential demand (i.e., demand verification letters or communications).

 

The Business Case Form

The “FedRAMP Business Case for JAB Prioritization” form is a document that providers must fill out as part of their application for JAB prioritization. This form consists of multiple-choice and short-answer questions.

The form requires CSPs to provide a brief service description that gives evaluators an understanding of the value of the offerings to the Federal Government. The description should address the following questions:

This form and the Proof of Demand Worksheet form the business case that CSPs must submit as part of their application for JAB prioritization.

 

Proof of Demand Worksheet

The Proof of Demand Worksheet is a component of the FedRAMP business case submission that cloud providers must complete. It’s an Excel worksheet CSPs must complete to show proof of demand for their offering.

The worksheet is designed to capture information in several categories:

 

Potential Validation Letters

Potential Demand Validation Letters/Communications are an optional component of the business case that providers can submit as part of their application for JAB prioritization. These letters or communications provide proof of potential demand from new or current federal customers interested in moving to the cloud version of the service.

These potential customers are defined as follows:

 

Evaluation Criteria

FedRAMP’s initial cloud offering review is based on demand. CSOs that pass the demand review are evaluated based on their FedRAMP Ready status. The relative value of the criteria is such that demand from current federal customers is more valuable than demand from non-federal customers and potential customers. 

Demand is more critical than a CSO being FedRAMP Ready. When “Business Cases” are evaluated and considered equal in demand, FedRAMP Ready status becomes a deciding factor. If demand and FedRAMP Ready status are considered equal, the JAB Preferred Characteristics detailed in section 2.3 will be considered in selecting the successful CSOs.

The relative values for each validated proof of demand a CSP can provide are:

For a CSP to pass the demand criteria for prioritization, it must verify current, indirect, or potential demand from the equivalent of six customers.

 

Shore Up Your FedRAMP Authorization Process with Continuum GRC

Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

And more. We are the only FedRAMP and StateRAMP Authorized compliance and risk management solution worldwide.

Continuum GRC is a proactive cyber security® and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.
