Achieving a FedRAMP Authorization to Operate (ATO) is a mandatory requirement for cloud service offerings (CSOs) that store, process or transmit federal data. If you offer software (or infrastructure or a platform) as a service and government agencies are your target customers, your cloud offering will be required to obtain and maintain a FedRAMP authorization, either an agency ATO or a JAB Provisional ATO (P-ATO). An ATO is evidence that your cloud offering has met, and continues to operate in alignment with, the security controls in the applicable FedRAMP baseline.
JAB – FedRAMP’s Joint Authorization Board
The FedRAMP program is governed by the Joint Authorization Board, otherwise known as the JAB. The JAB consists of the Chief Information Officers (CIOs) of the Department of Defense (DoD), the General Services Administration (GSA), and the Department of Homeland Security (DHS). Each of the three agencies has a team of technical reviewers (TRs) dedicated to the program's objectives. The JAB is supported by the FedRAMP Program Management Office (PMO), operated by GSA, which guides cloud service providers (CSPs) through the JAB authorization process.
Taking the JAB Path to ATO Begins with Prioritization
There are two paths to a FedRAMP authorization: an agency ATO and a JAB P-ATO. Both require a sponsor that oversees the offering's adherence to the FedRAMP requirements, with independent validation by a third party assessment organization (3PAO). The sponsor is involved in the initial granting of the authorization and remains involved in an oversight capacity for the life of the authorization. Most CSPs work with an agency sponsor, but that is not always possible. Agencies generally only sponsor a CSO if they depend on or are fully committed to using the cloud solution AND have the internal resources to support the effort, which is what justifies the investment in sponsorship. Because that can be difficult, especially for new offerings still working to get their foot in the door with federal agencies, the JAB path exists as an alternative in which the JAB itself acts as the sponsor. The first step toward a JAB P-ATO is getting prioritized by the JAB.
FedRAMP has created the FedRAMP Connect process, a well-defined and standardized way for any CSO to apply for JAB prioritization. Applicants are evaluated against published criteria. Being prioritized requires evidence that the CSO has broad and/or critical use implications across the federal government. CSPs complete a Business Case workbook to demonstrate adequate existing demand for their solution, and provide evidence of desirability by aligning the offering with known government mission-critical needs.
Once Prioritized by the JAB the Work Begins
The JAB authorization process is well defined and requires CSPs to move through a series of phases from preparation through authorization and into continuous monitoring (ConMon). Every system is different, and there is no one-size-fits-all approach to compliance, even given the highly standardized nature of the FedRAMP baseline controls. So while there is a conventional process and a default schedule, each CSP's experience will vary in time and complexity. That said, once a CSO is prioritized, the provider must be ready to start immediately and move through the following steps:
- Readiness Assessment
JAB authorization requires a formal readiness assessment, evidenced by a Readiness Assessment Report (RAR) completed by an accredited 3PAO, prior to the full assessment. The RAR documents the CSP's capability to meet federal security requirements. The readiness assessment for the JAB differs slightly from that for an agency, so a CSP that already holds a FedRAMP Ready status granted prior to prioritization may be required to update its RAR.
- Full Assessment
A full assessment must be conducted by an accredited 3PAO. Upon completion, the authorization package, consisting of the System Security Plan (SSP), Security Assessment Plan (SAP), Security Assessment Report (SAR) and Plan of Action and Milestones (POA&M), is submitted to the FedRAMP PMO for review. The PMO may require the CSP to make changes to shore up gaps or shortcomings before it schedules a kickoff and the official review begins. Completion of the full assessment also marks the start of the CSP's monthly ConMon reporting to the JAB, including closely scrutinized POA&M management. Prior to being granted a P-ATO, a CSP must have submitted at least three months of acceptable ConMon reports to the JAB reviewers.
Once the PMO has fully accepted the assessment package, a kickoff meeting is held at which the CSP presents its solution and architecture to the JAB technical reviewers and the remaining steps in the process are discussed. The kickoff is also used to map out a schedule and clarify expectations. If significant issues or concerns emerge during the kickoff, the JAB and PMO work with the CSP to determine the best way forward, which may involve a short pause in the process while the concerns are addressed. Once the JAB has decided to move forward and issued a "go" decision, the CSO's status in the FedRAMP Marketplace is updated to FedRAMP In Process. At this point the PMO schedules a recurring meeting to enable iterative communication between the JAB reviewers, the CSP and the 3PAO during the review phase.
- JAB Review
Working on a weekly collaborative cadence with the CSP, the PMO and JAB technical reviewers review the system and the authorization package in its entirety. Reviewer questions and comments and CSP/3PAO responses are tracked in a weekly playbook shared through the government's OMB MAX portal, and issues and progress are discussed on the weekly calls. Throughout the review period, any outstanding issues that require remediation are recorded and must be addressed. It is recommended that remediation efforts begin during this phase and continue throughout it rather than waiting for the review to end.
Once the review phase is complete, the CSP is given approximately three weeks to remediate any outstanding issues identified by the JAB reviewers. At the end of the remediation phase, the CSP submits evidence and updated documentation to the JAB through OMB MAX as attestation of compliance.
- Final Review and Approval
Once an assessed system has navigated the testing, review and remediation phases and been found to meet the JAB's criteria, a P-ATO is granted and the CSO is listed in the FedRAMP Marketplace as FedRAMP Authorized.
- Continuous Monitoring (ConMon)
Once authorized, each CSP is assigned primary, secondary and tertiary JAB technical reviewers who provide ongoing oversight of the authorized system. The CSP must comply with all ConMon activity and reporting requirements, including monthly reporting, incident management, and obtaining the JAB's approval for any significant change to the system. At a minimum, every FedRAMP-authorized system requires an annual re-assessment by a 3PAO.
Figure 1 – JAB Provisional Authorization from Prioritization to ConMon
A system that successfully completes the JAB process receives a Provisional ATO (P-ATO). The provisional designation does not make it a "lesser" authorization; it simply indicates that the authorization was granted by a body that is not itself an agency using the service. Because only an agency can accept the risk of using a system and grant an actual authorization for its use, the JAB's approval carries the provisional qualifier. And because the JAB does not represent the interests of any single agency, a P-ATO is granted only to systems that meet the strictest interpretation of the FedRAMP control implementation criteria.
Just like an agency ATO, a JAB P-ATO allows federal customers to reuse the associated authorization package when granting their own ATO, the "authorize once, use many times" benefit at the heart of FedRAMP.
stackArmor helps commercial, public sector and government organizations rapidly comply with FedRAMP, FISMA/RMF, DFARS and CMMC compliance requirements by providing a dedicated authorization boundary, NIST compliant security services, package development with policies, procedures and plans as well as post-ATO continuous monitoring services.
Interested in learning more about FedRAMP? Here are some popular posts and blogs for organizations looking to prepare for FedRAMP.