Moving to One FedRAMP Authorization: An Update on the JAB Transition
August 12 | 2024
We recently shared information about two key milestones for FedRAMP: the release of the FedRAMP memo, which ushers in many significant shifts for the program, and the establishment of the FedRAMP Board, our new governance body. We recognize that customers have questions about how these milestones impact cloud service providers (CSPs) who were authorized or prioritized by the Joint Authorization Board (JAB) and wanted to provide an update on current status and next steps.
Shift toward one FedRAMP Authorization
As we evolve the program, we are moving away from defining different tiers of authorizations (previously JAB and Agency) and toward one designation of FedRAMP Authorized. Going forward, all authorized CSPs will be considered FedRAMP Authorized, regardless of path. In the next few weeks, FedRAMP will remove the “authorization path” filter on the FedRAMP Marketplace and as a Marketplace data element. CSPs that have received a JAB Authorization will have this historic status included in their Marketplace description.
Transitioning Continuous Monitoring for JAB-Authorized CSPs
A key focus of the transition planning is ensuring continuity and that we did not make any changes that put these systems or the data they protect into a state of ambiguity. For JAB-authorized CSPs, we will initially transition continuous monitoring (ConMon) to one of the former JAB agencies – General Services Administration (GSA), Department of Defense (DoD), Department of Homeland Security (DHS) – or to FedRAMP itself. We expect to migrate ConMon for CSPs not used by a former JAB agency to another agency customer. We are coordinating with the agencies using these JAB-authorized CSPs to identify those who can take on ConMon activities. In all of these cases, the transfer will be coordinated with the receiving agency/ies, and formally documented in a designation letter. FedRAMP and existing GSA, DOD, and DHS ConMon teams will provide transitional support as systems are transferred to new lead agencies. FedRAMP will continue to generate the automated monthly summaries of service risk posture and provide those to agency customers via USDA Connect or a CSP-provided High repository.
Supporting CSPs prioritized to work with the JAB
Several CSPs were prioritized by the JAB to pursue a JAB Authorization, but were then paused when the JAB began work on the overall transition. This was not due to anything related to these specific CSPs, whose authorization processes were all simply paused during this time. FedRAMP will continue to work with all cloud services that were prioritized by the JAB and are still seeking a path to authorization. We are approaching this in the following way:
- Authorizations by one or more agencies: CSPs who were prioritized by the JAB and have one or more agency customers interested in authorizing the cloud product.
- Authorizations by FedRAMP: In the short term, the FedRAMP team will work with a limited number of CSPs originally prioritized by the JAB, who do not have an immediate agency partner, to issue a program authorization. Longer term, we plan to develop criteria and an approach for opening this path market-wide.
Additionally, agencies who are interested in helping to expedite the authorization process for these CSPs can come to the table to participate in joint authorizations of these products.
FedRAMP will hold a dedicated, virtual Q&A session for CSPs that were prioritized by or authorized by the JAB on August 14th at 12:00 P.M. ET and would welcome questions in advance. We will also publish an FAQ on both the OMB memo and the JAB transition in the coming weeks.
Thank you for your continued partnership as we work to further enhance FedRAMP. If you have any questions or concerns, please email info@fedramp.gov.