Pursuing a FedRAMP® JAB Provisional Authorization
There are two approaches to obtaining a FedRAMP Authorization, a provisional authorization through the Joint Authorization Board (JAB) or an authorization through an agency. The JAB is the primary governing body for FedRAMP and includes the Department of Defense (DoD), Department of Homeland Security (DHS), and General Services Administration (GSA). The JAB selects approximately 12 cloud products a year to work with for a JAB Provisional Authority to Operate (P-ATO). Additionally, the JAB is responsible for performing the continuous monitoring for all JAB Authorized cloud products.
JAB Authorization Process
If the JAB path is the selected authorization process, the first major phase is preparation. There are two steps within this phase: FedRAMP Connect and the readiness assessment, which is required unlike in the agency process. As a part of the FedRAMP connect step a CSP must submit the FedRAMP connect business case and then become prioritized to work with JAB. After this the CSP begins the readiness assessment step, beginning with securing an RAR development which is then reviewed by the FedRAMP PMO. Remediation will take place if needed followed by the issuing of the FedRAMP ready designation.
Once the CSP is prioritized for JAB and FedRAMP ready they may begin the authorization phase. The first step involves securing a full security authorization package which includes deliverables such as the SSP, SAP, SAR, and POA&M. After this starts the next step, the JAB authorization process. After a meeting servicing as a review for the offering is held, periods of time dedicated to remediation, review, and a final review take place. After all of this is complete, the JAB will issue the CSP a P-ATO letter in coordination with becoming FedRAMP authorized.
The resources below provide additional guidance on the JAB Provisional Authorization path. Additional technical guidance as well as FedRAMP templates are located on our Documents & Templates page under Resources.
CSP JAB P-ATO Roles and Responsibilities
This document provides an overview of a CSP’s roles and responsibilities in the JAB P-ATO Process.
JAB Prioritization Criteria and Guidance
This document outlines the criteria by which CSPs are prioritized to work with the JAB, the prioritization process, and the Business Case requirements.
FedRAMP Authorization Boundary Guidance
This document provides CSPs guidance for developing the authorization boundary for their offering(s) which is required for their FedRAMP Authorization package.