Last week, we discussed the process for Agency Authorization under FedRAMP guidelines. This route is, by far, the most common form of Authorization and the one most cloud providers will engage with. However, there are several use cases where a provider may seek a more rigorous assessment so that it can serve agencies across the government with less friction. In those cases, a CSP may seek a Provisional Authorization to Operate (P-ATO) from the Joint Authorization Board (JAB).
A Note on Providers and Offerings
Some FedRAMP documentation distinguishes between cloud service providers (CSPs) and cloud service offerings (CSOs). During Agency Authorization, the distinction between the two is less pronounced than in the JAB process, but it is still significant.
Every cloud offering (a product or service) must be authorized by FedRAMP individually. So, if a provider has a single offering and/or a single infrastructure and works through the agency process, the terms “provider” and “offering” may be used almost interchangeably.
However, if a large provider (like Microsoft, Google, or Oracle) has dozens of cloud offerings and works through the JAB for Provisional Authorization, each offering must receive its own Authorization; a P-ATO for one offering does not cover the provider’s other offerings.
What Is the Joint Authorization Board (JAB)?
As an inter-agency program, FedRAMP is governed by representatives from different federal and defense organizations. These bodies define the FedRAMP requirements, determine how those requirements are applied across different contexts, and set the criteria under which assessors are accredited as Third-Party Assessment Organizations (3PAOs).
The governing bodies of the FedRAMP framework are:
- Joint Authorization Board: The JAB is the “primary governance and decision-making body for FedRAMP,” composed of the Chief Information Officers of the Department of Defense (DoD), the Department of Homeland Security (DHS), and the General Services Administration (GSA). The JAB’s responsibilities include defining and updating authorization requirements, reviewing authorization packages, approving the accreditation criteria for 3PAOs, establishing review procedures, and granting P-ATOs.
- Project Management Office (PMO): Housed within GSA, the PMO is the body most directly connected to assessment, guiding providers and assessors on delivering successful packages that lead to Authorization.
- Office of Management and Budget (OMB): OMB established the program and its core requirements, including the program’s capabilities and agency obligations, in its FedRAMP policy memo.
- Chief Information Officer (CIO) Council: This group of CIOs supports the creation of documentation and guidance that is disseminated to CIOs in participating federal agencies.
- National Institute of Standards and Technology (NIST): NIST serves as the advisory organization for the program, specifically with respect to FISMA requirements, and is responsible for maintaining and updating the underlying standards (such as the SP 800-53 control catalog) based on current best practices.
Most CSPs will interact with these governing bodies only marginally, most likely in communication with the PMO and, in some cases, the JAB. Those pursuing a JAB P-ATO, however, will follow a different path.
What Is the Difference Between JAB Authorization and Agency Authorization?
The foundational differences between Agency and JAB Authorization come down to the type of work required from the CSP and the needs of an agency (if one is involved). JAB P-ATO also comes with a few additional conditions that shape how, and even whether, a CSP can follow this path.
Some of the primary differences between the two include:
- Provisional Authorization: Any ATO granted through the JAB process is considered “provisional,” meaning that it does not by itself authorize the provider to work with a particular agency; each agency must still issue its own ATO based on the P-ATO package. However, it allows the provider to be listed on the FedRAMP Marketplace with JAB Authorized status and gives agencies a fully reviewed package to build on.
- FedRAMP Connect: Not every CSP can undergo the JAB P-ATO process. Entering the program requires the provider to justify the demand for its product in the government space, including a business case and evidence of potential demand from specific agencies. The JAB then selects a small group of offerings (roughly 12) to enter the program.
- Authorization Package Leverage: While the Authorization is not agency-specific, agencies seeking to use the cloud solution can leverage the P-ATO package for their own needs rather than commissioning a new assessment. This means that a CSP with JAB Authorization can complete Agency Authorization across several agencies far more easily.
What Is FedRAMP Connect?
The selection program for JAB Authorization, FedRAMP Connect, is exclusive and sought after by CSPs precisely because of the advantages listed above. Offerings accepted on the JAB track undergo a more rigorous and wide-ranging assessment, but they do so with the support of the JAB, and the resulting package fits a wide variety of agencies.
The trade-off for this program is that the CSP must demonstrate its value to the program and to the federal government. This means completing a series of self-assessments and forms that include:
- FedRAMP Business Case for JAB Prioritization: This form shows the JAB, from the provider’s perspective, that the cloud offering has demand and value in the federal space. The information here includes descriptions of how an agency would use and benefit from the offering, how it applies across various agencies, how it innovates over existing products and services, and why it deserves authorization ahead of other products and services (its unique value proposition).
- Proof of Demand Worksheet: This Excel worksheet documents current direct or indirect government customers (at the federal, state, local, and tribal levels). It also demonstrates demand based on the CSP’s responses to RFIs, RFPs, and RFQs.
- Potential Demand Validation Letters: This optional part of the process allows CSPs to provide PDF copies of emails or letters from current or potential federal customers expressing interest in the provider’s offering.
What Are the Stages of JAB Provisional Authorization?
The Agency and JAB Authorization processes are broadly similar, with a few key differences at some stages and the addition of the FedRAMP Connect selection step.
These stages are:
- FedRAMP Connect: As stated above, the CSP submits a business-case justification for its offering to the JAB. The JAB reviews the applications and selects about 12 offerings (depending on applications and demand) to undergo JAB Authorization.
- Readiness Assessment: Unlike the Agency Authorization process, where the Readiness Assessment is recommended but not required, JAB Authorization requires that an offering undergo one. Otherwise, the process is essentially the same: a 3PAO assesses the offering and produces a Readiness Assessment Report (RAR), the PMO reviews it, and the provider remediates any issues as necessary before receiving the FedRAMP Ready designation.
- Full Security Assessment: Also similar to the Agency process, the JAB full security assessment includes a System Security Plan (SSP) completed by the provider, a Security Assessment Plan (SAP) created by the 3PAO before testing, and a Security Assessment Report (SAR) produced by the 3PAO after testing. For findings that require remediation but do not preclude authorization, the provider creates a Plan of Action and Milestones (POA&M) tracking each weakness, its owner, and its scheduled completion date. Together, these documents form the authorization package.
- JAB Authorization Process: At this point, the JAB takes part in the assessment using a “fast fail” methodology. At an initial kick-off, the JAB issues either a “go” or a “no-go” decision on continuing with the process. Assuming the decision is “go,” the JAB assesses the authorization package, fields questions to the provider and the 3PAO, and collects ongoing updates on vulnerability scans, POA&M adherence, and inventory changes. This is a rigorous assessment and, once completed satisfactorily, results in a P-ATO. The JAB then lists the offering on the FedRAMP Marketplace with this status.
- Post-Authorization: As in the Agency process, post-authorization continuous monitoring includes regular vulnerability scans, completion of POA&M items, and similar deliverables. Unlike the Agency track, however, these deliverables are submitted to the JAB for review; agencies that leverage the P-ATO to issue their own ATOs may require additional reporting for their direct engagements.
Avoid Issues That Would Slow FedRAMP JAB Authorization
Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of doing business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:
- NIST 800-53
- DFARS NIST 800-171
- SOC 1, SOC 2, SOC 3
- PCI DSS 4.0
- IRS 1075
- COSO SOX
- ISO 27000 Series
- ISO 9000 Series
And more. We are the only FedRAMP and StateRAMP Authorized compliance and risk management solution worldwide.
Continuum GRC is a proactive cyber security® company and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.