JAB or Agency: How Do I Get a FedRAMP ATO?
“Should a CSP pursue JAB or agency authorization?” That is probably one of the most common questions the PMO receives. And most would be surprised by the answer: for a majority of providers, an agency authorization is the most appropriate route.
FedRAMP’s primary goal is to bring as many secure, multi-tenant, and unique cloud tools to the FedRAMP Marketplace. Both JAB and agency authorization receive a security assessment based upon a standardized set of requirements in accordance with FISMA using a baseline set of NIST 800-53 controls. This means JAB and agency authorizations should be secure and fit for federal data. But what about “necessary” and “unique”?
A cloud system that is multi-tenant in nature and has a broad use case of capabilities is exactly the kind of cloud that should pursue JAB authorization. The JAB reviews clouds that can and are being used government-wide. So if a CSP is considering JAB authorization, they should definitely take into consideration the amount of federal interest in their service and the depth of use cases across the government.
If only one or two agencies are interested in a CSP’s cloud product or the cloud was designed specifically for a particular agency, then agency authorization is a better fit. Agency authorizations are targeted for niche cloud services that may only be used by a singular agency. Clouds that are unique to a particular agency provide a great benefit to that agency, but is not a good option for JAB authorization.
However, this is what makes an agency authorization so valuable! Agencies are able to issue authorizations to cloud services on an as-needed basis. And once that service is listed as a FedRAMP Authorized product, other agencies will also be able to leverage the provider’s niche service if another agency has a similar need.
The decision to pursue JAB or agency authorization depends on if the cloud is multi-tenant and has broad use across many agencies or if it is unique to a few. While there two routes to authorization, the end goal of JAB and agency authorizations are the same , increasing the amount of secure and diverse cloud products that are available to the federal government.