Over the past 6 months FedRAMP has been working to update the criteria by which the Joint Authorization Board (JAB) prioritizes Cloud Service Providers (CSPs). In August, we shared our initial thoughts and asked for your input as we continued to refine the prioritization criteria.
After we analyzed and incorporated the feedback we received, we finalized the criteria with the JAB CIOs and the CIO Council. The feedback from industry and input from the CIOs reiterated one of our initial findings: demand should drive prioritization. Demand is now the number one criterion for prioritization. It is also the only requirement for prioritization. The table below shows how a CSP can demonstrate current and future demand for their offering.
|**Current agency use**||Existing # FISMA systems with ATO Existing # unique agency customers|
|**Potential agency use**||
Examples of how a CSP could provide justification for projected adoption with 12 months of ATO include (but are not limited to):
|**OMB Policy / Priorities / Shared Services**||
Defined by administrative priorities for cross-agency services. Examples of OMB Policy, Priorities, and Shared Services could include (but are not limited to):
|**Agency defined demand**||Annual CIO Council Survey or Agency Advisory Group selected by CIO Council Official requests by agencies to the FedRAMP Program Management Office (PMO)|
Another change that we incorporated based on feedback is related to FedRAMP Ready. Although CSPs are still encouraged to be FedRAMP Ready, it is not a requirement for prioritization. However, FedRAMP Ready will be a heavily weighted criterion for prioritization and is highly encouraged. Additionally, if a CSP is prioritized that is not FedRAMP Ready, the CSP will be required to obtain FedRAMP Ready status within 60 days of prioritization.
In addition to demand, the remaining prioritization criteria are a set of prefered characteristics that are not mandatory for prioritization by the JAB, but will help bolster a CSP’s case. The list of preferred characteristics is below:
- FedRAMP Ready
- Government only cloud
- Other certifications (SOC2, ISO27001, PCI
- High Impact > Moderate Impact > Low Impact
- New and innovative with demonstrable ROI for Government
- Proven maturity (CMMI Level 3+, ISO Organizational Certifications)
- Prior experience with Federal security authorizations (e.g. use of a 3PAO in “consulting” capacity, other systems owned by the CSP with existing FISMA ATOs)
- Dependencies from other cloud service offerings (e.g. IaaS that hosts other SaaS solutions with demand from the Government)
You can view additional details regarding the prioritization criteria, including rationale here
Now that the prioritization criteria are finalized, we are asking CSPs who are interested in working with the JAB to pursue a P-ATO to submit a FedRAMP Business Case. This Business Case form provides a normalized view for comparison of CSPs and allows prioritization to be conducted in a consistent and fair manner. Only CSPs who have submitted a FedRAMP Business Case will be considered for prioritization. Although, vendors may submit FedRAMP Business Cases at any time throughout the year; the JAB prioritization will only occur twice a year , prioritizing 6 at a time for a total of 12 CSPs a year. The first due date for FedRAMP Business Cases is December 15th and the FedRAMP PMO aims to have this first round of prioritization completed in early 2017.
To fairly evaluate all CSPs, the FedRAMP Business Cases will be reviewed by a panel including representatives from the FedRAMP PMO, JAB, and CIOs from across the government. The panel will analyze CSPs based on the established criteria and the FedRAMP Business Cases submitted by the CSP, and provide a recommendation to the JAB. The JAB will make the final decisions regarding which CSPs to prioritize for JAB authorization.
The FedRAMP PMO plans to be transparent about how decisions are made and will be available to answer questions throughout the process. This is the first iteration of the new prioritization process and it we will iterate on the business cases and process to incorporate lessons learned as we prioritize. If you have any questions, please reach out to firstname.lastname@example.org. We look forward to receiving your FedRAMP Business Case, stay tuned for more updates regarding next steps!