Focus on FedRAMP

How FedRAMP Transformed JAB Authorizations to take 75% Less Time

We’re excited to announce the release of our whitepaper on our initiative: FedRAMP Accelerated! As you probably know, last year we worked with the Joint Authorization Board (JAB) to revamp the provisional authorization process. We’d been hearing from Cloud Service Providers (CSPs), Agencies, and Third Party Assessment Organizations (3PAOs) that the process took too long and the expectations were unclear. So we launched an initiative, FedRAMP Accelerated, to design and pilot a transformed JAB process, with input and support from all program stakeholders.

We developed this whitepaper to explain the reason behind Accelerated, the work we did with our partners across government and industry, the results, and lessons we learned that ultimately created the revised JAB provisional authorization process that exists today.

We learned that the process works! In all three test cases, an authorization decision was obtained in less than 3-6 months, representing a 75% shorter time to authorization than the previous process.

Our hope is to share our lessons learned with others in government who are looking to undergo similar transformations with their programs. As with our recently released Agency Playbook, we hope that detailing the process we took to transform the way we do business at the FedRAMP PMO can serve as a model for how agencies can do the same.

Some of our key insights include:

  • Listen to your stakeholders. We listened to our stakeholders and heard the good, the bad, and the ugly. Their feedback was the foundation of the key changes we made to our process.
  • Clearly define your roles. In order to eliminate duplication of work, we re-defined our roles within our program to allow staff to focus on their strengths (facilitating a process vs. reviewing systems for security).
  • Design for outcomes. We redesigned our core security authorization process to focus on vetting cloud systems up-front on their key security capabilities rather than initially focusing on the quality of their documentation.
  • Transparency is key. We also redesigned new processes to ensure ongoing communication with our stakeholders. Through the new communication structures, all stakeholders had visibility into the CSP’s system strengths and weaknesses, understanding of the FedRAMP process and expectations, and a shared commitment to helping the CSP successfully complete the process.

We hope you find this information useful, and we’re always looking to refine our processes, so if you have additional thoughts or feedback, please let us know at info@fedramp.gov. We’re excited to continue working with our partners in government and industry on future improvements!