FedRAMP JAB Authorization vs Agency Authorization
Cloud Service Providers (CSPs) that want to sell their Cloud Service Offerings (CSOs) to federal agencies must secure a Federal Risk and Authorization Management Program (FedRAMP) Authorization to Operate (ATO). To get listed on the FedRAMP Marketplace, a CSO must have one of these three designations:
- FedRAMP Ready
- FedRAMP In Process
- FedRAMP Authorized
Two paths are available for organizations on their journey to achieve ATO: Joint Authorization Board (JAB) Authorization or Agency Authorization. Both pathways cater to different needs and scenarios within the federal government. The JAB and Agency authorizations both require assessments conducted by an approved Third Party Assessment Organization (3PAO).
Here is a FedRAMP JAB Authorization vs Agency Authorization comparison to help your organization pick the best path.
FedRAMP JAB Authorization
The Joint Authorization Board is the top governing body for FedRAMP. It is composed of officials from the Department of Homeland Security (DHS), the General Services Administration (GSA), and the Department of Defense (DoD). The JAB can issue a Provisional Authorization to Operate (P-ATO). The P-ATO signifies that all three JAB agencies reviewed the security package and deemed it acceptable for the federal community. In turn, agencies review the JAB P-ATO and the associated security package and clear it for their own use. In doing so, the agency issues its own authorization to use the product.
The JAB selects approximately 12 cloud products to authorize each year through the FedRAMP Connect process. CSPs interested in working with the JAB must review the JAB Prioritization Criteria and Guidance document and submit the FedRAMP Business Case.
If selected by the JAB, a CSP must work with an accredited 3PAO to complete a Readiness Assessment of its service offering. A FedRAMP Ready designation is issued if the Readiness Assessment Report is deemed acceptable. The CSP can then begin putting together a security authorization package that includes:
- System Security Plan (SSP)
- Security Assessment Plan (SAP) developed by the 3PAO
- Security Assessment Report (SAR) produced by the 3PAO
- A Plan of Action and Milestones (POA&M) to track and manage system security risks identified in the SAR
The JAB Authorization process begins with the CSP, 3PAO, and FedRAMP collaboratively reviewing the CSO’s system architecture, security capabilities, and risk posture. If the review results in a “go” decision, the JAB will review the security authorization package. The CSP and 3PAO need to support JAB reviewers by addressing questions and comments and participating in regular meetings. Monthly continuous monitoring deliverables (scan files, POA&M, and up-to-date inventory) must be prepared and submitted to the JAB throughout the JAB Authorization process. After the JAB review is complete, the CSP and 3PAO have a chance to remediate any issues, and a P-ATO designation can be granted.
JAB Authorization Pros
Highly recognized: JAB is a highly regarded governing body. Having your FedRAMP compliance undergo a comprehensive review by a panel of experts from multiple agencies will go a long way with potential customers.
No Agency Sponsor: The JAB process allows organizations to secure an ATO without finding a sponsor agency willing to commit time and resources to support the organization through the authorization process.
JAB Authorization Cons
It’s selective: JAB only selects 12 CSOs for review each year. Getting selected is far from guaranteed. It could take several years (if it happens at all) to get selected for the authorization process. Can your business wait that long to get its product listed on the FedRAMP Marketplace?
Higher Scrutiny: Organizations that go the JAB route will face more rigorous security standards with very low tolerance for risk. The JAB process can also take longer and require more resources.
FedRAMP Agency Authorization
In the Agency Authorization path, CSPs working to secure an ATO must find a federal agency to sponsor their CSO. CSPs will work with their agency throughout the entire authorization process.
In the Agency process, achieving the FedRAMP Ready designation is recommended but not required. Organizations that pursue the Ready designation must work with an accredited 3PAO to complete a Readiness Assessment of their service offering. The Readiness Assessment Report (RAR) documents the CSP’s capability to meet federal security requirements.
Next is the Pre-Authorization phase, in which CSPs formalize their agency partnership and prepare to undergo the authorization process. CSPs make any necessary adjustments to address federal security requirements and prepare the security deliverables required for authorization.
CSPs and their agency will then have a kickoff meeting to discuss:
- The background and functionality of the cloud service
- The technical security of the cloud service, including the system architecture, the authorization boundary, data flows, and core security capabilities
- Customer-responsible controls that must be implemented and tested by the Agency
- Compliance gaps and remediation plans
- A work breakdown structure, milestones, and next steps
The 3PAO will then perform a full security assessment of the system. Before the assessment, the agency must complete, review, and approve the CSP’s System Security Plan. Also, the Security Assessment Plan (SAP) should be developed by the CSP’s 3PAO with their authorizing agency’s input.
The 3PAO will also test the CSP’s system and develop a Security Assessment Report (SAR) that details its findings and includes a recommendation for FedRAMP Authorization.
The CSP will then develop a POA&M, with input from the 3PAO, that outlines a plan for addressing the findings from the SAR.
CSPs will then move to the Agency Authorization Process, where the agency conducts a security authorization package review, which may include a SAR debrief with the FedRAMP Project Management Office (PMO). The results of the review could require remediation by the CSP. During this phase, the agency will implement, test, and document customer-responsible controls. Finally, the agency performs a risk analysis, accepts risk, and issues an ATO. This decision is based on the agency’s risk tolerance. Once an agency provides an ATO letter for the use of the CSO, the following actions take place to close out this step:
- The CSP uploads the Authorization Package Checklist and the complete security package to FedRAMP’s secure repository.
- The 3PAO uploads all security assessment material (SAP, SAR, and attachments) associated with the CSO security package to FedRAMP’s secure repository.
The FedRAMP PMO reviews the security assessment materials for inclusion in the FedRAMP Marketplace. The FedRAMP Marketplace listing will update to reflect FedRAMP Authorized status. Agency information security personnel can then obtain the CSO security package, for use in issuing subsequent ATOs, by completing the FedRAMP Package Access Request Form.
FedRAMP Agency Authorization Pros
More Control of the Process: CSPs can take the lead in finding an agency to sponsor their CSO. In the JAB process, CSPs are at the mercy of FedRAMP Connect, which selects the products that go through the JAB authorization process.
Increased Flexibility: Agency authorization allows agencies to tailor security requirements based on their mission needs and risk tolerance. This customization ensures that cloud services align closely with the agency’s specific security and compliance mandates.
Readiness Assessments are Optional: Many organizations will find completing the readiness assessment and getting the FedRAMP Ready designation valuable, but it’s not a requirement. Forgoing the assessment can save time and money.
Speed: Agencies can conduct their own assessments, allowing the process to move faster than JAB authorization. CSPs should be aware that the agency will largely determine how fast the process moves. If authorization is not a priority for the agency, delays can result.
FedRAMP Agency Authorization Cons
Securing an Agency: The agency that sponsors your CSO will have to dedicate time and resources to your authorization process. Establishing a relationship with the agency and proving your offering provides enough value to justify the effort will take time.
Losing your Agency: If you lose your sponsoring agency as a customer, you’ll lose your ATO and have to start the process over again. This is true even if other agencies are using your CSO. If a CSP loses its only ATO, it can maintain FedRAMP Ready status on the FedRAMP Marketplace for up to a year while seeking a new ATO with a new agency sponsor.
CompliancePoint has a team of experienced cybersecurity professionals who can help your organization design and implement the security controls needed for FedRAMP certification. Reach out to us at connect@compliancepoint.com to learn more about our services.
Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.