Today I’m incredibly excited to announce that our first CSP crossed the FedRAMP Accelerated authorization line , Microsoft Dynamics CRM Online was issued a Provisional Authority to Operate (P-ATO) by the Joint Authorization Board (JAB) on September 22nd!
The focus in FedRAMP Accelerated on capabilities and an iterative review approach with the JAB is showing major returns on decreasing the authorization timeframes for vendors working with the JAB. Microsoft completed the authorization process in just 15 weeks, or just under four months. Compared to the last authorization which took two years to complete, Microsoft Dynamics CRM Online was authorized six times faster! While there are a lot of reasons why this authorization was faster, there are two key elements to the process that enabled an authorization in under four months: CSP readiness demonstrated through capability assessments and an iterative review approach.
FedRAMP introduced the FedRAMP Readiness Assessment conceptually in March and finalized the requirements last month. The readiness assessments replaced the old reviews by the PMO on documentation and instead focus on key capabilities of CSPs and validation by a 3PAO. These readiness assessments ensure that CSPs entering the FedRAMP authorization process have the key technical capabilities in place prior to beginning an authorization. This ensures that during the authorization process, vendors won’t have to introduce new technologies or engineering updates to their system. This reduces overall costs for vendors as well as ensures the authorization process isn’t delayed due to vendors implementing new solutions to meet the FedRAMP requirements. The change from documentation reviews to capability reviews took Microsoft Dynamics CRM Online 10 weeks compared to our most previous ATO which took 40 weeks.
The PMO also worked with the JAB to employ a more iterative, or agile, review approach to the authorizations. Previously, the JAB review process was focused on a waterfall like approach designed with key stage gates , focusing on documentation, then testing, then reviews of risks. The new FedRAMP Accelerated process, with capabilities and risk assessments up front, enable the JAB to complete faster, more iterative reviews allowing for key questions or concerts to be raised faster and up front in the process. This iterative approach along with the capabilities enabled Microsoft Dynamics CRM Online to achieve an authorization in 15 weeks compared to our most previous ATO which took 104 weeks.
We are continuing FedRAMP Accelerated with two other vendors , Unisys and <18F. We expect their authorizations by the end of the year and to follow similar timelines for authorizations. We look forward to continuing our partnership with them and supporting their progress through this new process.
If you’re a CSP looking to be considered for prioritization into the Accelerated Process, please watch this space for information regarding prioritization by the JAB, which we expect to have finalized in the coming weeks. Additionally, review the FedRAMP Accelerated process overview and Readiness Assessment Report (RAR).
I’d like to finish by congratulating Microsoft on their provisional authorization and by thanking everyone who had a hand in this success!