What it Takes to Acquire and Maintain FedRAMP Authorization

Since 2012, federal agencies have worked with cloud service providers (CSPs) who have been authorized by the FedRAMP program, managed by the Joint Authorization Board (JAB) to ensure the same high standards of security and implementation for all Cloud Service Offerings (CSOs).

There is a detailed multi-step process involved in becoming FedRAMP compliant and receiving a Provisional Authority to Operate (P-ATO). In addition to the P-ATO process, individual agencies can require CSPs to complete additional steps to receive an Agency Authority to Operate (ATO). The nature of authorization and specific controls required will depend on the system’s impact, deployment model, and market demand, so the process will vary for every CSO, but here is a brief overview of what companies like EconSys have completed to become compliant with the JAB authorization process.

Phase 1

The first step in the JAB authorization process is a readiness assessment and completion of FedRAMP Connect protocols.

The number of CSOs evaluated each year is limited by the resources available to JAB, so they must prioritize new offerings. There are several criteria for this prioritization process, starting with demonstrable demand for the service in several different agencies. After evaluating these criteria and determining which CSPs best fit these needs, six vendors are selected to work toward a JAB authorization. This selection process takes place twice a year. The vendors then have 60 days from selection to finalize their FedRAMP readiness status and move into Phase 2.

The readiness assessment is completed in partnership with an accredited 3PAO who will prepare a Readiness Assessment Report (RAR) and submit it to JAB for review. This review takes approximately one week and will determine if the CSP is found satisfactory to move forward and be added to the FedRAMP marketplace.

Phase 2 – Full Security Assessment

The next step is to develop a System Security Plan (SSP). The 3PAO partner completes an assessment, which informs an action plan and specific milestones that the vendor creates to track all the system security risks that have been identified. FedRAMP provides templates for all these reports and assessments to ensure they are standardized for all CSPs. They must be submitted to a FedRAMP project management officer before a full kick-off.

Phase 3 – JAB Authorization

Upon completion of Phases 1 and 2, a kick-off meeting is scheduled with all the active parties in the authorization process, including JAB representatives, the FedRAMP PMO, the 3PAO partner and the CSP authorization team. The meeting will address everything the cloud service offering provides, including its architecture, security capabilities, and risk posture, allowing everyone to decide whether to proceed.

After this is completed, JAB will perform an in-depth review of the final SAP, asking questions and scheduling meetings as needed to address problems.

Upon completion of the review, the CSP and 3PAO will review and document all issues raised in JAB reviewer feedback. Once all these comments have been addressed, the CSP will receive their P-ATO and formal authorization from the PMO.

The Benefits of FedRAMP Authorization for Vendors and Agencies

This process can take up to four months once a CSP is selected to start the process, and it is very intensive. That level of scrutiny is designed to ensure a CSO is ready for use by any federal agency that needs such a solution. EconSys has received P-ATO from JAB and agency-level ATO from Defense Information Systems Agency, Department of Defense, Department of Energy, Department of Homeland Security, Department of the Interior, Department of Transportation, Environmental Protection Agency, and Pension Benefit Guaranty Corporation since 2014. To learn more about the benefits of FedRAMP Authorization and what is involved in acquiring it, download our eBook, The Importance of FedRAMP for Federal HR Software.