As we discussed in our FedRAMP compliance article, there are two paths to obtain a FedRAMP Authorization to Operate (ATO). The first option is to obtain a FedRAMP ATO from a specific government agency, and the second option is to receive a FedRAMP Provisional Authorization to Operate (P-ATO) from the Joint Authorization Board (JAB).
The JAB must issue a P-ATO because they are not authorized to accept risk for any federal agency. Each federal agency has an Authorization Official (AO) whose responsibility it is to make risk decisions for the specific agency.
A JAB P-ATO, though, represents the “high water mark” from the assessment perspective and is a more stringent process, because the intent is that the risk of a specific cloud service provider (CSP) has been assessed and approved by the Department of Defense (DoD), the Department of Homeland Security (DHS), and the General Services Administration (GSA).
Selecting which route to take is an important decision for a CSP, and there is much to consider between the two different paths. Read on to gain a better understanding of the effort involved for the two paths to achieve a FedRAMP ATO and which path may be best for your cloud service offering (CSO).
What Is Involved in a FedRAMP Agency Authorization?
When deciding which path to take — agency authorization or JAB provisional authorization — it is important to understand the scope of the authorization.
With an agency ATO, the scope of the authorization pertains to just that specific federal agency. That said, other agencies can leverage the authorization package from the initial authorization. To address any concerns from a risk perspective, any subsequent agency can request additional testing be performed before issuing a subsequent ATO for their organization.
With an agency authorization, the federal agency points of contact (including security personnel), the CSP, and the FedRAMP PMO are involved in the assessment process. As early as possible, CSPs need to establish partnerships with federal agencies that intend to use the CSP’s CSO. The federal agency contacts the FedRAMP PMO and formalizes the relationship by sponsoring the CSP through the FedRAMP process. Once this occurs, the kickoff meeting can be scheduled.
As part of the assessment planning activities, the federal agency should read, comment on, and approve the CSP’s System Security Plan (SSP). If there are any additional requirements above the identified FedRAMP control baseline, it is the responsibility of the federal agency to identify them up front and early, so the CSP can address the additional controls. CSPs incorporate any comments from the federal agency into the SSP.
Agency personnel are also responsible for reviewing, commenting on, and approving the Security Assessment Plan (SAP) prior to the start of the formal assessment, and the Security Assessment Report (SAR) and Plan of Action and Milestones (POA&M) as part of the post-assessment activities. CSPs incorporate any comments from the federal agency into the POA&M. Upon determination that the CSP’s CSO operates with an acceptable risk posture, the federal agency will issue an ATO.
Before the CSP is listed on the FedRAMP marketplace as having a FedRAMP authorization, the FedRAMP PMO will review all assessment artifacts and make a determination regarding authorization. The CSP must also provide the FedRAMP PMO with feedback on the Third Party Assessment Organization (3PAO) before they can be listed on the FedRAMP marketplace.
What Is Involved in a FedRAMP Joint Authorization Board (JAB) Authorization?
The scope of a JAB provisional authorization extends to the entire federal government. The intent is that the DoD, DHS, and GSA assess the risk posture of a CSP on behalf of all government agencies. Each federal agency, however, is responsible for issuing its own ATO indicating its acceptance of risk, whether it be for an agency ATO or in support of a JAB P-ATO.
To obtain a JAB provisional authorization, two significant steps are required in addition to the “standard” process described above for the agency authorization. These two steps are the FedRAMP Connect process and the FedRAMP Readiness Assessment.
The FedRAMP Connect Process
The FedRAMP Connect process is the means by which the JAB’s resources are prioritized and CSOs are selected to go through the JAB provisional authorization process. Each CSP targeting a JAB P-ATO must complete a business case which details the service offering and attempts to set the CSO apart from other services competing for a JAB P-ATO. As part of the FedRAMP Connect process, the JAB evaluates each CSO against three criteria: demand, whether the CSO is FedRAMP Ready, and other preferred characteristics of a CSO. The primary element of the evaluation, though, is demand for the CSO. The greater the demand a CSP can demonstrate, the more likely they are to be selected as part of the FedRAMP Connect process.
Demand is broken down into three areas: direct demand, indirect demand, and potential demand. Direct demand (or current use) is demonstrated by how many unique federal agencies are currently using a CSO. Indirect demand is indicated by how many currently FedRAMP authorized CSPs are using a CSO. Potential demand is the CSP’s projection of the adoption of the CSO within one year, should the CSO receive a JAB P-ATO. CSPs can substantiate their view of potential demand by providing information on the use of an on-premises version of the product by government agencies, the extent of current use by other government entities (e.g. state and local governments), documented requests (e.g. through RFIs, RFPs), etc.
Since the JAB only selects 3 CSPs per quarter, there is a lot of competition. If a CSP is not selected in a round of the FedRAMP Connect process, it will have to wait until the next quarter (with new competitors) to try again. One important note to consider: if a CSP does not own its own infrastructure (e.g. the IaaS and PaaS stack), then it must utilize IaaS and/or PaaS providers that already have a JAB P-ATO.
The Readiness Assessment
The FedRAMP Readiness Assessment is an attestation by a FedRAMP 3PAO that a CSP’s cloud service offering meets a defined set of federal mandates and specifically defined or key controls, such as the use of validated cryptographic modules, the use of Transport Layer Security v1.1 or greater, the use of multi-factor authentication, support for PIV/CAC credentials, auditing, incident response, etc. Every CSP that goes through the JAB P-ATO process must pass a FedRAMP Readiness Assessment. Passing the FedRAMP Readiness Assessment is not a prerequisite for selection in the FedRAMP Connect process, but it is a significant factor in the decision process. If a CSP is selected for the JAB P-ATO process but is not FedRAMP Ready at the time of selection, it must achieve FedRAMP Ready status within 60 days of being prioritized in the FedRAMP Connect process. The FedRAMP Readiness Assessment is not a required step in the agency authorization process.
Once a CSP has been prioritized as part of the FedRAMP Connect process and has achieved FedRAMP Ready status, then they will complete the assessment process with a 3PAO. Once the assessment process is complete, there will be a kickoff meeting for the actual JAB authorization process where the assessment results will be evaluated and remediation activities will be performed prior to the final evaluation and award of the P-ATO.
Which FedRAMP Authorization Path is Recommended?
As CSPs contemplate committing to the FedRAMP authorization process, they will need to decide whether the agency or JAB path is right for them. Depending on the demand for the CSP’s cloud service offering, it can be a difficult decision. The scope of the JAB P-ATO covers every federal agency, but an agency ATO covers just a single federal agency.
In my opinion, a CSP should pursue an agency ATO vice a JAB provisional authorization for the following reasons:
- Being prioritized as part of the FedRAMP Connect process is difficult to achieve, and a CSP may have to wait for several rounds before it is prioritized, thus delaying federal sales of the cloud service offering.
- The FedRAMP Readiness Assessment is not required as part of the agency authorization path. While achieving FedRAMP Ready status does signal to federal agencies that a CSP is likely to successfully achieve a FedRAMP authorization, it does require additional financial resources and schedule time.
- The agency authorization process generally takes less time than the JAB provisional authorization process. This will allow the CSP to be listed on the FedRAMP marketplace faster.
- Additional federal agencies can leverage the initial authorization package in support of an ATO for their agency. As of this blog post, two CSPs have over 30 agency authorizations apiece for their CSO.
Whether a CSP decides to pursue a FedRAMP agency authorization or a FedRAMP Provisional Authorization from the JAB, they should plan on a rigorous journey. There are advantages to both paths, but one path may allow a CSP to reach the government market faster. Whichever path a CSP takes to achieve FedRAMP authorization, they will have achieved a significant milestone. If you would like to learn more about how Linford and Company can assist your organization regarding either FedRAMP advisory or assessment services, please contact us.
If you are looking for additional information regarding FedRAMP, read our other blog posts here:
- The FedRAMP SSP: Important Tips for a Successful Outcome
- An Introduction to the Federal Risk and Authorization Management Program
- An Expert Guide to a FedRAMP Readiness Assessment
- FedRAMP Compliance: What is it? Requirements, Process, & More
Ray Dunham started his career as an Air Force Officer in 1996 in the field of Communications and Computer Systems. Following his time in the Air Force, Ray worked in the defense industry in areas of system architecture, system engineering, and primarily information security. Ray leads L&C’s FedRAMP practice but also supports SOC examinations and HITRUST assessments. Ray enjoys working with clients to secure their environments and provide guidance on information security principles and practices.