
JAB Authorization

Pursuing a JAB Provisional Authorization

There are two approaches to obtaining a FedRAMP Authorization: a provisional authorization through the Joint Authorization Board (JAB), or an authorization through an agency. The JAB is the primary governing body for FedRAMP and includes the Department of Defense (DoD), Department of Homeland Security (DHS), and General Services Administration (GSA). The JAB selects approximately 12 cloud products a year to work with for a JAB Provisional Authority to Operate (P-ATO). Additionally, the JAB is responsible for performing the continuous monitoring for all JAB Authorized cloud products.

JAB Authorization Process

Preparation

The Preparation phase consists of three steps: FedRAMP Connect, Readiness Assessment, and the Full Security Assessment. Timetables associated with this phase vary depending on a Cloud Service Offering’s (CSO) architecture and current security posture compared to federal requirements.

FedRAMP Connect

The JAB prioritizes approximately 12 CSOs each year. The JAB evaluates CSOs through a process called FedRAMP Connect.

FedRAMP Connect is the process by which Cloud Service Providers (CSPs) are evaluated based on the JAB Prioritization Criteria and prioritized to work with the JAB. CSPs interested in working with the JAB are required to review the JAB Prioritization Criteria and Guidance document [PDF - 388KB], complete the FedRAMP Business Case and send it to info@fedramp.gov. CSOs are selected during specific time frames throughout the year, which are announced on FedRAMP Blog.


Readiness Assessment

In order to kick off with the JAB, CSPs must achieve the FedRAMP Ready designation for their CSO. If the JAB selects a CSO that has not yet achieved FedRAMP Ready status, the CSP has 60 days to become FedRAMP Ready in compliance with JAB standards.

To achieve the FedRAMP Ready designation, a CSP must work with an accredited Third Party Assessment Organization (3PAO) to complete a Readiness Assessment of its service offering. The Readiness Assessment Report (RAR) documents the CSP's capabilities and provides the JAB with a snapshot of the CSO's security posture. More information regarding the steps to achieve FedRAMP Ready can be found in the FedRAMP Marketplace Designations for Cloud Service Providers document [PDF - 652KB].


Full Security Assessment

During this step, after a CSO is both prioritized to work with the JAB and deemed FedRAMP Ready:

  • The CSP finalizes the System Security Plan (SSP) and engages an accredited 3PAO.
  • The 3PAO develops a Security Assessment Plan (SAP), conducts a full security assessment of the service offering, and produces a Security Assessment Report (SAR).
  • The CSP develops a Plan of Action and Milestones (POA&M) to track and manage system security risks identified in the SAR.

The SSP, SAP, SAR, POA&M, and one month of continuous monitoring deliverables must be completed using FedRAMP-provided templates and should be submitted together. The JAB must have a CSP’s full security package for a minimum of two weeks prior to kicking off with the JAB.


Authorization

The Authorization phase consists of the authorization Kickoff, the security deliverable review, and P-ATO issuance by the JAB. Timetables associated with this phase are approximately 3-6 months.

JAB Authorization Process

The JAB Authorization Process uses an agile methodology with multiple stage gates and the “fail fast” principle. The first stage gate is JAB Kickoff. During this step, the CSP, 3PAO, and FedRAMP collaboratively review the CSO’s system architecture, security capabilities, and risk posture. Based on the outcome of the Kickoff Meeting, the JAB will issue a “go” or “no-go” decision to proceed with the authorization process.

Following the Kickoff, the JAB conducts an in-depth review of the security authorization package. The CSP and 3PAO are expected to support JAB reviewers by addressing questions and comments in a timely manner and participating in regular meetings. Monthly continuous monitoring deliverables (scan files, POA&M, and an up-to-date inventory) must be prepared and submitted to the JAB throughout the JAB Authorization process.

Once the JAB's review is complete, the CSP and 3PAO remediate outstanding issues. Once remediation is complete, the JAB issues a formal authorization decision and, if favorable, a Provisional Authority to Operate (P-ATO).

Note: The JAB P-ATO signifies that all three JAB Agencies reviewed the security package and deemed it acceptable for the federal community. In turn, agencies review the JAB P-ATO and the associated security package and clear it for their own use. In doing so, each agency issues its own authorization to use the product.


Continuous Monitoring

The continuous monitoring phase consists of post-authorization activities that maintain a security authorization meeting the FedRAMP requirements.

Post Authorization

During the continuous monitoring phase, a CSP must continue to provide monthly continuous monitoring deliverables, including incident reporting, to the JAB and to the agencies that are using its service. While each agency's Authorizing Official (AO) maintains the final approval authority for the use of a system by that agency, the JAB acts as the focal point for continuous monitoring activities of systems with a P-ATO. The JAB:

  • Reviews continuous monitoring and security artifacts on a regular basis;
  • Monitors, suspends, and revokes a system’s P-ATO as appropriate;
  • Authorizes or denies significant change and deviation requests; and
  • Ensures continuous monitoring deliverables are provided to leveraging agencies in a timely manner.

For more information about FedRAMP’s continuous monitoring requirements, please review FedRAMP’s Continuous Monitoring Strategy Guide [PDF - 1.1MB] and Continuous Monitoring Performance Management Guide [PDF - 800KB].


Resources

The resources below provide additional guidance on the JAB Provisional Authorization path. Additional technical guidance as well as FedRAMP templates are located on our Documents & Templates page under Resources.

CSP JAB P-ATO Roles and Responsibilities

This document provides an overview of a CSP’s roles and responsibilities in the JAB P-ATO Process.

Download [PDF - 234KB]

JAB Prioritization Criteria and Guidance

This document outlines the criteria by which CSPs are prioritized to work with the JAB, the prioritization process, and the Business Case requirements.

Download [PDF - 398KB]

FedRAMP Authorization Boundary Guidance

This document provides CSPs with guidance for developing the authorization boundary for their offering(s), which is required for their FedRAMP Authorization package.

Download [PDF - 293KB]