The first step for any Cloud Service Provider (CSP) interested in pursuing a FedRAMP authorization for their Cloud Service Offering (CSO) is to determine their authorization strategy. There are two types of FedRAMP authorizations: a Provisional Authority to Operate (P-ATO) from the Joint Authorization Board (JAB) and an Agency Authority to Operate (ATO).
To decide which type of authorization is right for a particular CSO, the CSP should review both processes and take into account their system’s impact level, deployment model, stack, and market demand.
Below is a high-level overview of the JAB Authorization Process. Information on a CSP’s role and responsibilities within the JAB P-ATO authorization process can be found here.
JAB P-ATO Authorization
Phase 1: Readiness Assessment and FedRAMP Connect
The JAB (which includes representatives from DOD, DHS, and GSA) invests heavily into creating a broad marketplace of providers and, based on current resources and funding, only has the capacity to authorize a limited number of CSOs a year. To ensure the JAB’s resources are used most effectively, the FedRAMP Program Management Office (PMO), CIO Council, and JAB evaluate CSOs through FedRAMP Connect.
The FedRAMP PMO aims to prioritize three (3) CSPs each quarter and during the FedRAMP Connect process, CSOs are evaluated and prioritized to work with the JAB based on the JAB Prioritization Criteria. The only mandatory prioritization criteria for vendors is demonstrated demand for their service by a wide variety of Agencies.
In order to streamline the FedRAMP Connect process, CSPs interested in working with the JAB are required to review the JAB Prioritization Criteria and Guidance document and follow the instructions on how to submit a Business Case to firstname.lastname@example.org. The FedRAMP PMO collects Business Cases on a rolling basis and has cut off dates for each quarter’s prioritization decision. The next Business Cases will be due on September 13th at 5:00 PM.
After a CSP is prioritized, it has 60 days to become FedRAMP Ready (if it isn’t already). Being prioritized to work with the JAB and being deemed FedRAMP Ready by the FedRAMP PMO constitute the first phase of the JAB Authorization Process depicted above.
To achieve the FedRAMP Ready designation, a CSP must partner with an accredited 3PAO to complete a readiness assessment of its service offering. At the conclusion of the assessment, the 3PAO delivers a Readiness Assessment Report (RAR) attesting to the CSO’s readiness for the authorization process. The RAR provides Agencies, CSPs, and the FedRAMP PMO with valuable early feedback on whether or not a CSO is likely to be successful in obtaining a FedRAMP authorization and has been a determining factor for CSPs to be chosen to work with the JAB. RARs are reviewed by the FedRAMP PMO within one business week of submission. Once the RAR is deemed satisfactory by the PMO, the CSO will be designated FedRAMP Ready and advertised in the FedRAMP Marketplace.
Phase 2: Full Security Assessment
After a CSO is prioritized to work with the JAB and is deemed FedRAMP Ready, the CSP finalizes the System Security Plan (SSP) for the service offering and engages an accredited 3PAO. The 3PAO develops a Security Assessment Plan (SAP), conducts a full security assessment of the service offering, and produces a Security Assessment Report (SAR). The CSP facilitates and participates in the assessment activities, in accordance with the SAP. Finally, the CSP develops a Plan of Actions and Milestones (POA&M) to track and manage system security risks identified in the SAR.
The SSP, SAP, SAR and POA&M must be completed using FedRAMP-provided templates and submitted together. The FedRAMP PMO will then work with the CSP and 3PAO to conduct a completeness check and coordinate the JAB kick-off meeting.
Phase 3: Authorization Process
The first step of the Authorization Phase is to hold a kick-off meeting with the JAB, FedRAMP PMO, the 3PAO, and the CSP’s authorization team. The purpose of the kickoff is to conduct a collaborative deep dive into the service offering, system architecture, security capabilities, and risk posture, typically through a combination of briefings and informal Q&A. The outcome of the kickoff will be a “go” or “no-go” decision to proceed with the authorization phase.
If the kick-off results in a “go” decision, the JAB conducts an in-depth review of the security authorization package. The CSP and 3PAO are expected to support JAB Reviewers by addressing questions and comments in a timely manner and participating in regular meetings with the 3PAO, PMO, and JAB Reviewers. During the review, the CSP must submit monthly continuous monitoring deliverables (scan files, POA&M and up-to-date inventory) which adhere to FedRAMP requirements for continuous monitoring and vulnerability scanning.
Once the JAB review is complete, the CSP and 3PAO remediate system and documentation issues as needed and ensure all JAB Reviewer comments are appropriately addressed. Once the JAB Reviewers have reviewed and validated the remediation efforts, the CSP will receive a P-ATO decision and formal authorization of their CSO from the FedRAMP PMO.
A JAB P-ATO is not a risk acceptance, but an assurance to Agencies that the risk posture of the system has been reviewed and approved by DoD, DHS, and GSA. Each Agency planning to use the CSO must then review and issue their own ATO, which covers their Agency’s use of the cloud service.