There are two clear paths through FedRAMP Authorization: the agency path and the much less common Joint Authorization Board (JAB) path. While much more rigorous, this second course opens up several critical doors for cloud offerings that provide real and significant value to various federal agencies. However, the JAB path is exclusive and requires that cloud service providers (CSPs) be accepted into the FedRAMP Connect program.
This is no small feat and requires significant work on the part of the CSP to justify why their offering is uniquely impactful for the federal government marketplace.
FedRAMP JAB Authorization – A Limited Pool
As discussed in a previous article, JAB Authorization is a fairly privileged, if rigorous, path through FedRAMP. The challenging nature of the process is due in no small part to the criteria JAB includes as part of its Authorization path.
More commonly, cloud service providers work directly with government agencies and 3PAOs as part of an RFI or RFP process in which that agency expresses direct interest in working with a cloud provider. However, those on the JAB path will work through a more hands-on and, in some cases, more challenging process that offers the Provisional Authorization to Operate (P-ATO).
The advantages here are numerous and stem from the fact that after a CSP attains P-ATO, agencies can trust the security and risk assessments of JAB and lean towards adopting the authorized solutions. While a provider or offering with P-ATO isn’t technically 100% authorized to work with an individual agency, it is well positioned to quickly work through agency authorization and provides an attractive option for agencies that want a robust and ready solution.
Obviously, there are advantages for CSPs that obtain their P-ATO. Within the broader FedRAMP marketplace, these advantages are offset by the fact that JAB will only select roughly 12 providers per year to follow the P-ATO path. These selected providers will then join the FedRAMP Connect program.
The criteria used to determine the offerings that qualify for FedRAMP Connect are fairly stringent and based on the usefulness and uniqueness of the solution as well as the demonstrated demand for the product with federal agencies.
Prioritization Criteria Based on Demand
Above any other criteria, JAB will look to the existing demand for the provider’s offering within the federal ecosystem. Logically, this makes sense: if there is demand for the product, then providing P-ATO can ensure the product is secure for various applications and make that solution more available to a wider range of agencies.
However, the criteria to determine existing demand involves a bit more than “take our word for it.” JAB has a few categories of criteria to assess demand:
- Current Agency Use: If state, local, or tribal agencies already use the solution, or if the solution has a standing agency authorization with a federal organization, then JAB can infer that there is demand for the offering in the government space.
- Indirect Demand: Additionally, if a service offering is used as part of other cloud products deployed by federal agencies, then JAB can infer that there is at least the potential for demand outside its integration with other products.
- Potential Agency Use: The CSP can provide other justifications for how their offering will address market demand. Examples of appropriate justification include expressed interest in agency RFIs or RFPs; the use of commercial on-premises versions of the solution by government agencies; a clear business capture plan that speaks to agencies; use by other governmental agencies; and use by Federally Funded Research Centers.
- OMB Policy and Priorities: If the solution meets organizational priorities defined by the Office of Management and Budget (OMB), then JAB will assume some demand exists. This includes any offering with functionality or features that address agency deficiencies or federal security mandates.
- Agency-Defined Demand: Agencies may demand certain capabilities or functions that match specific cloud offerings.
Proof of Demand
JAB can’t just take a provider’s word that demand exists. CSPs must therefore provide a “Proof of Demand” worksheet within which they will list how they meet any of the above criteria. This can include a list of current federal, state, local, or tribal customers, business use cases for the solution addressing specific needs, letters of interest from federal agencies, indirect customers, or RFPs related to the solution’s capabilities.
Preferred Characteristics Based on JAB Requirements
Outside of demand, JAB will consider specific characteristics of cloud offerings as part of its criteria for entry into the FedRAMP program. These characteristics have been determined to be broadly valuable for federal agencies because they are either used for federal applications, demonstrate proven risk management and security, provide heightened security, or meet federal agency needs.
These criteria include:
- Government-Only Cloud: If the CSP uses cloud environments dedicated to government use or requirements, it poses less risk for government applications and thus serves an essential purpose in the federal space.
- Certifications: If the CSP or offering has other certifications, they can demonstrate that it has heightened security standards based on those frameworks. These certifications can include those gained through frameworks such as SOC 2, the ISO 27001 series, and PCI DSS (among others).
- Demonstration of ROI: The provider can demonstrate that their offering provides critical ROI based on reducing risk, costs, or political liability due to security issues.
- Maturity: The provider can demonstrate a track record of maturity in industry security and risk management. This can include ISO certifications or achievement of higher-level CMMC certifications.
- Federal Experience: The provider can demonstrate experience in the federal space through programs like FISMA or other FedRAMP initiatives.
FedRAMP Connect and Business Cases
A core component of FedRAMP Connect acceptance is a business case demonstrating that the offering meets the demands of the marketplace and the JAB criteria. The business case must answer specific questions about the product and its features and provide a write-up of the product.
This write-up will include:
- The Customer Journey: What customer journey might a client take through the system? This describes how the product is used, from installation to logging in and through different use cases and applications.
- Applicability: How can different agencies leverage the cloud offering across other missions or services?
- Innovation: How is this cloud offering modernizing cloud technology and the federal marketplace with new features and services?
- The Uniqueness of Offering: Is this solution radically different or innovative compared to other market offerings or under consideration for FedRAMP?
Avoid Issues That Would Slow FedRAMP JAB Authorization
Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:
- NIST 800-53
- DFARS NIST 800-171
- SOC 1, SOC 2, SOC 3
- PCI DSS 4.0
- IRS 1075
- COSO SOX
- ISO 27000 Series
- ISO 9000 Series
And more. We are the only FedRAMP and StateRAMP Authorized compliance and risk management solution worldwide.
Continuum GRC is proactive cyber security® and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.