As we continue to work through FedRAMP Accelerated with the Joint Authorization Board (JAB), one key component is that CSPs must have a full assessment completed prior to beginning the review process. When examining any assessment, it is important that the assessment and evidence are recent and accurate. New risks and vulnerabilities can come into cloud environments on a daily basis, so the need for timely assessments when kicking off with the JAB is critical to ensure that an authorization is not dated.
With that in mind, today we’re releasing the Timeliness and Accuracy of Testing Requirements, which applies to JAB authorizations. This outlines the requirements for the timeliness of evidence associated with an authorization package for a CSP beginning an authorization with the JAB.
When reviewing this in the context of the overall FedRAMP Accelerated activities, once a CSP completes a FedRAMP Readiness Assessment Report (RAR) (step 1) and is deemed FedRAMP Ready (step 2), the CSP must complete a full security assessment with a 3PAO (step 3) prior to kicking off the full authorization process with the JAB (step 4).
The Timeliness and Accuracy of Testing Requirements will help all parties involved by achieving two desired outcomes:
Give CSPs clear guidance on how long assessments will remain valid, which will improve the planning of assessment activities with their respective 3PAOs, and
Ensure that the JAB has timely evidence when granting a provisional authorization.
If you’re a CSP looking to be considered for a JAB authorization, please watch this space for further information; we expect to have key documentation and guidance finalized in the coming weeks. Additionally, please review the FedRAMP Accelerated process overview and RAR for additional context.