FedRAMP Authorization Process
The first step of the process is for a Cloud Service Provider (CSP) to select an authorization approach. There are two approaches to obtaining “FedRAMP Authorized” status on the FedRAMP Marketplace. Interested parties can apply either through the Joint Authorization Board or through a federal agency.
The next phase is preparation. The first step in the agency path is Partnership Establishment and the second is Readiness Assessment. Within the JAB path, Preparation includes the steps FedRAMP Connect and the Readiness Assessment.
The next phase is Authorization. The authorization phase looks different for both agency and JAB, however the overarching steps remain the same, starting with a full security assessment and finishing with an authorization process. Once the authorization process is complete, a CSP must engage in continuous monitoring to ensure that the risk accepted at the time of authorization remains acceptable. The JAB Provisional-Authority To Operate (P-ATO) signifies all three JAB Agencies reviewed the security package and deemed the risk acceptable for the federal community. In turn, Agencies review the JAB P-ATO and the associated security package and clear it for their Agencies’ use. In doing so, the agency issues their own authorization to use the product. Additionally, the JAB will conduct continuous monitoring for systems that have earned a P-ATO.
Note: Readiness Assessment is required for the JAB Process and is optional but highly recommended for the Agency Process.
FedRAMP at a Glance