What Is FedRAMP Connect?

There are two clear paths through FedRAMP Authorization: the agency path and the much less common Joint Authorization Board (JAB) path. While much more rigorous, this second course opens up several critical doors for cloud offerings that provide real and significant value to various federal agencies. However, the JAB path is exclusive and requires that cloud service providers (CSPs) be accepted into the FedRAMP Connect program.

This is no small feat and requires significant work on the part of the CSP to justify why their offering is uniquely impactful for the federal government marketplace.

FedRAMP JAB Authorization – A Limited Pool

As discussed in a previous article, JAB Authorization is a fairly privileged, if rigorous, path through FedRAMP. The challenging nature of the process is due in no small part to the criteria JAB includes as part of its Authorization path. 

More commonly, CSPs work directly with government agencies and 3PAOs as part of an RFI or RFP process in which an agency expresses direct interest in working with a cloud provider. However, those working with JAB go through a more hands-on and, in some cases, more challenging process that offers the Provisional Authorization to Operate (P-ATO).

The advantages here are numerous and stem from the fact that, after a CSP attains a P-ATO, agencies can trust the security and risk assessments of JAB and lean towards adopting the authorized solutions. While a provider or offering with a P-ATO isn’t technically 100% authorized to work with an individual agency, it is well positioned to work quickly through agency authorization and is an attractive option for agencies that want a robust and ready solution.

Obviously, there are advantages for CSPs that obtain their P-ATO. Within the broader FedRAMP marketplace, these advantages are offset by the fact that JAB will only select roughly 12 providers per year to follow the P-ATO path. These selected providers will then join the FedRAMP Connect program.

The criteria used to determine the offerings that qualify for FedRAMP Connect are fairly stringent and based on the usefulness and uniqueness of the solution as well as the demonstrated demand for the product with federal agencies. 

Prioritization Criteria Based on Demand

Above any other criteria, JAB will look to the existing demand for the provider’s offering within the federal ecosystem. Logically, this makes sense: if there is demand for the product, then providing a P-ATO can ensure the product is secure for various applications and make that solution available to a wider range of agencies.

However, the criteria used to determine existing demand involve a bit more than “take our word for it.” JAB has a few categories of criteria to assess demand:

 

Proof of Demand

JAB can’t just take a provider’s word that demand exists. CSPs must therefore provide a “Proof of Demand” worksheet within which they will list how they meet any of the above criteria. This can include a list of current federal, state, local, or tribal customers, business use cases for the solution addressing specific needs, letters of interest from federal agencies, indirect customers, or RFPs related to the solution’s capabilities.

 

Preferred Characteristics Based on JAB Requirements

Outside of demand, JAB will consider specific characteristics of cloud offerings as part of its criteria for entry into the FedRAMP program. These characteristics have been determined to be broadly valuable for federal agencies because they are either used for federal applications, demonstrate proven risk management and security, provide heightened security, or meet federal agency needs.

These criteria include:

 

FedRAMP Connect and Business Cases

A core component of FedRAMP Connect acceptance is a business case demonstrating that the offering meets the demands of the marketplace and the JAB criteria. The business case must answer specific questions about the product and its features and provide a write-up of the product.

This write-up will include:

 

Avoid Issues That Would Slow FedRAMP JAB Authorization

Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

And more. We are the only FedRAMP and StateRAMP Authorized compliance and risk management solution worldwide.

Continuum GRC is a proactive cyber security® and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.
