
What Is FedRAMP JAB Provisional Authorization?

Last week, we discussed the process for Agency Authorization under FedRAMP guidelines. This route is, by far, the most common form of Authorization and the one that most cloud providers will engage with. However, there are several use cases where a provider may seek a more rigorous assessment that opens doors to serving agencies across the government. As such, these cloud service providers (CSPs) may seek a Provisional Authorization to Operate (P-ATO) from the Joint Authorization Board (JAB).

A Note on Providers and Offerings

Some FedRAMP documentation will refer to cloud providers and offerings. During Agency Authorization, the distinction between the two is less pronounced than in the JAB process but still significant.

Every cloud offering (a product or service) must be authorized by FedRAMP individually. So, if a provider has a single offering and/or infrastructure and works through the agency process, it may be the case that the terms “provider” and “offering” aren’t as distinct.

However, if a large provider (like Microsoft, Google, or Oracle) has dozens of cloud offerings and works through JAB for Provisional Authorization, each offering must receive Authorization.

What Is the Joint Authorization Board (JAB)?

As an inter-agency set of standards, FedRAMP is governed by representatives from different federal and defense organizations. These offices cover the requirements of FedRAMP, how the FedRAMP requirements are applied across different contexts, and how assessors are trained and certified as Third-Party Assessment Organizations (3PAOs). 

The governing bodies of the FedRAMP framework are:

Most CSPs will only marginally interact with FedRAMP agencies, most likely in communication with the PMO and, in some cases, JAB. Those pursuing JAB P-ATO, however, will have a different path.

What Is the Difference Between JAB Authorization and Agency Authorization?

The foundational differences between agency and JAB authorization are based on the type of work required from the CSP and the needs of an agency (if one is involved). JAB P-ATO does come with a few outside use cases, however, that shape how, and even if, a CSP can follow this path. 

Some of the primary differences between the two include:

What Is FedRAMP Connect?

The selection program for JAB authorization, FedRAMP Connect, is exclusive and sought-after by CSPs precisely because of the advantages listed above. Offerings accepted on the JAB track undergo a more rigorous and wide-ranging assessment but do so with the support of JAB and end up much more flexible in how their offering fits a variety of agencies. 

The trade-off for this program is that the CSP must demonstrate its value to the program and the federal government. This means completing a series of self-assessments and forms that include:

What Are the Stages of JAB Provisional Authorization?

The Agency and JAB Authorization processes are remarkably similar, with a few key differences at some stages and the addition of the Connect assessment.

These stages are:

 

Avoid Issues That Would Slow FedRAMP JAB Authorization

Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

And more. We are the only FedRAMP and StateRAMP Authorized compliance and risk management solution worldwide.

Continuum GRC is a proactive cyber security® and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.
