FedRAMP is the program for Cloud Service Providers (CSPs) to gain access and sell to Federal Agencies. By law, agencies can only buy cloud products through the FedRAMP marketplace. It is very important to understand the entire framework and process before applying. Check out our complete FedRAMP guide for the certification and compliance process.
What Is A JAB P-ATO?
JAB P-ATO is one of two paths to secure FedRAMP Authorization, which enables CSPs to sell cloud services to agencies. The Joint Authorization Board (JAB) is the governing body that includes the Chief Information Officers from the General Services Administration (GSA), the Department of Defense (DoD), and the Department of Homeland Security (DHS). It sets government-wide security baseline requirements for cloud programs.
This committee also authorizes up to twelve cloud products each year. It specifically focuses on offerings that have wide use cases. There also has to be enough demand from agencies. From a security standpoint, the product must be for High or Medium impact level. A JAB authorization is the gold standard since the process has to consider risks across all federal agencies. Agencies can be confident in the security of these products.
Should You Pursue a JAB P-ATO?
The JAB P-ATO is a highly competitive process. The JAB reviews up to twelve offerings each year. Most cloud providers want to pursue this path because it provides the broadest designation. The issue is that most won’t qualify. Only products that have the highest chance of success will go through this since there are so few spots.
Here is a checklist for a JAB P-ATO:
- Broad use cases
- Proven, existing demand from agencies
- Commitment to see through the entire process
- Invested and built out security infrastructure to meet High or Medium baseline
- Understand that Medium baseline has 325 security controls
- Understand that High has 421 security controls
- Secured FedRAMP Ready status before applying (not required, but most do so in practice)
One key prerequisite is that the product has to have broad use cases. So a vendor must show existing demand across agencies. Unfortunately, building relationships with agencies can take years.
A vendor has to be very committed to going through the process. This requires millions in investment to meet the security requirements. The JAB only considers those with Medium or High impact levels. These levels indicate the risk agencies face if the offering has a security breach. Medium equates to a serious impact while High is a severe or catastrophic impact. There are so many security controls because of the data sensitivity. So there is a very high bar to meet.
The best way to show commitment is to work with a third-party assessor and secure a FedRAMP Ready status. This signals to the JAB that you have a high chance of succeeding in getting Authorization.
How Long Does The FedRAMP Authorization Take Under P-ATO?
A FedRAMP JAB P-ATO Authorization takes anywhere from 6-9 months after applying. It’s important to note that speed is dependent on the cloud service provider itself. After applying, the CSP has 60 days to get a FedRAMP Ready status. The CSP can get this designation before applying for the P-ATO. So the CSP can shave two months off the process. In fact, the PMO recommends getting FedRAMP Ready before applying. This signals that the vendor is serious and has a higher chance of success. The Full Security Assessment takes approximately one month, depending on the speed of the CSP and 3PAO. The Authorization Process, led by the FedRAMP PMO, takes 4-5 months.
But it takes resources to be in a strong position to apply. It can take years and millions of dollars of investment to build out a platform that meets the requirements under FedRAMP. The CSP must also show sufficient agency demand to justify its application. It can take a very long time to develop these relationships and create demand.
Preparation is the key to success. It’s important to secure FedRAMP Ready status before applying for a JAB P-ATO. This signal is crucial for getting the best chance to gain one of the limited spots. This could take as quickly as a month if the system already meets all the security controls. But it could take years to develop all the controls if it’s a new product.
One key area that most vendors miss is that it’s easier to build upon a FedRAMP Authorized product. If a vendor uses AWS for its infrastructure, then it doesn’t have to worry about the security at this layer. AWS US East is currently Medium impact, so applications will inherit this impact level for their infrastructure. Applications can apply up to Medium, but not High, since the underlying IaaS layer is not authorized for High. If a vendor uses its own infrastructure, it must certify that its infrastructure meets hundreds of security controls.
Most successful products leverage existing Authorized products. Most leverage AWS, GCP, Azure or IBM for the infrastructure. Most leverage Box for any content, file or document storage. This enables the vendor to just focus on its core product without worrying about other dependencies.
Phase 1: Readiness Assessment
This is the phase where vendors have to make a Business Case submission through FedRAMP Connect under the JAB Prioritization Criteria and Guidance document. Due to resource constraints, the JAB can only authorize a limited number of Cloud Service Offerings (CSOs) a year. In fact, they aim to select only up to 12 CSPs each year. It is a highly competitive process. The JAB wants to make sure that they choose those with the greatest impact and highest chance of getting through the process. There is a lot of pre-work a CSP needs to complete before a submission.
The main criterion is that there has to be agency demand for the product. Proof includes usage from current federal customers; indirect customers; State, Local, and Tribal customers; and potential demand via responses to federal agencies’ RFIs, RFPs, and RFQs.
If the JAB accepts the submission and assigns priority, then the CSP has 60 days to obtain the FedRAMP Ready designation. But in practice, most vendors have already obtained the Ready status beforehand. The JAB doesn’t want to give priority if there’s a risk of not getting FedRAMP Ready. It has limited resources. It would be a waste of time if the vendor failed the certification process. Vendors need to come prepared. The JAB wants vendors who have the highest chance of getting FedRAMP authorization.
In practice, the CSP needs to be FedRAMP Ready before the case submission. So the CSP needs to work with a 3PAO to complete a readiness assessment of its service offering. The 3PAO must issue a Readiness Assessment Report (RAR). This report assesses the chance of success in getting authorization. This is important feedback for the PMO and Agencies. The PMO reviews RARs within one business week of submission. Once the PMO deems the RAR satisfactory, the CSO will receive FedRAMP Ready status. Then the FedRAMP Marketplace will advertise this designation.
Phase 2: Full Security Assessment
Once the JAB prioritizes the CSO and the CSO is FedRAMP Ready, the CSP will go through the security assessment. A security assessment is a one month process. The CSP must first complete the System Security Plan (SSP). It must also engage a 3PAO to develop a Security Assessment Plan (SAP).
The 3PAO conducts a full security assessment and issues a Security Assessment Report (SAR). A SAR identifies and details all risks in the system. With this report, the CSP develops a Plan of Actions and Milestones (POA&M) to track and manage those system risks.
The SSP, SAP, SAR and POA&M must be completed using FedRAMP templates and submitted together. The FedRAMP PMO will then work with the CSP and 3PAO to conduct a completeness check and coordinate the JAB kick-off meeting. They must submit a finalized package one week prior to kick-off.
Phase 3: Authorization Process
The Authorization Phase lasts about 3 months. There is a kick-off meeting with the JAB, FedRAMP PMO, the 3PAO, and the CSP’s authorization team. As a group, they take a deep dive into the service offering, system architecture, security capabilities, and risk posture. This is typically done with a set of briefings and informal Q&A. The outcome will be a “go” or “no-go” decision to proceed with the authorization phase.
Then the JAB conducts an in-depth review of the security authorization package. The CSP and 3PAO support the JAB Reviewers. There are regular meetings with the 3PAO, PMO, and JAB Reviewers. This is a very collaborative process. It’s important that the CSP and 3PAO address questions in a timely manner.
During the review, the CSP must submit monthly continuous monitoring (ConMon) deliverables (scan files, POA&M and up-to-date inventory). These must adhere to FedRAMP requirements for continuous monitoring and vulnerability scanning. The first ConMon delivery must go with authorization package delivery, one week prior to the kick-off meeting. That establishes the monthly cadence. The second ConMon delivery must occur within 30 days of the first.
After the JAB review, the CSP and 3PAO remediate all system and documentation issues. They must fully address all JAB Reviewer comments and questions. Once the JAB Reviewers have reviewed and validated the remediation efforts, the CSP will receive a P-ATO decision and formal authorization of their CSO from the FedRAMP PMO.
A JAB P-ATO does not mean the PMO takes responsibility for the risks or failures of the system. It’s an assurance that the risk posture of the system has been reviewed and approved by DoD, DHS, and GSA. Each Agency planning to use the CSO must then review and issue its own ATO. This review must cover the Agency’s specific use of the cloud service.
Securing a JAB P-ATO opens up the broadest market opportunity for cloud vendors. The authorization process is very thorough and requires huge amounts of time and investment. One key strategy to success is to leverage existing FedRAMP Authorized products. Many use an existing IaaS solution from one of the large infrastructure providers. Almost all SaaS products that use content, documents, files or workflow should leverage Box, which has had FedRAMP Authorization for multiple years.
Learn more about what Box has to offer
While we maintain our steadfast commitment to offering products and services with best-in-class privacy, security, and compliance, the information provided in this blog post is not intended to constitute legal advice. We strongly encourage prospective and current customers to perform their own due diligence when assessing compliance with applicable laws.