FedRAMP Tips & Cues – February 20, 2019

This week, FedRAMP published two Q&A’s for Cloud Service Providers(CSPs) :

Cloud Service Providers (CSPs)

Q: Can a CSP simply go from an Agency ATO to a JAB P-ATO without going through the JAB Authorization effort?

A: A CSP interested in transitioning their Agency ATO to a JAB P-ATO must go through the JAB P-ATO process. Each Agency can accept varying levels of risk, per FISMA, when granting an ATO. The JAB works in a similar fashion, in that they must review the entire authorization package to understand associated risk with the system and make a decision whether or not to issue a JAB P-ATO. The JAB P-ATO provides the Agency community with the assurance that the JAB entities (DoD, DHS, and GSA CIOs) reviewed the package and deemed the risk to be acceptable for Agencies to issue their own ATOs. The JAB cannot accept risk on behalf of any Agency which is why the JAB authorization is titled a “Provisional Authorization.” If an Agency decides to use a system with a Provisional Authorization, the Agency will need to issue its own ATO letter to indicate that they accept the risk associated with using the system. We ask that these ATOs are sent to info@fedramp.gov for record-keeping and incident response notifications. A JAB Provisional Authorization may not necessarily be optimal for every system and every CSP. In general, the JAB grants Provisional Authorizations for those systems leveraged government wide. FedRAMP was designed with the objective to authorize a system once and reuse that authorization many times. If a CSP only has one or two Agency customers showing interest in using their system, it is just as efficient for the CSP to obtain an authorization directly through the one Agency of interest.

Cloud Service Providers (CSPs)

Q: How long will it take for Joint Authorization Board (JAB) reviewers to provide review comments after a Deviation Request (DR) or Significant Change Request (SCR) submission?

A: JAB reviewers have a 2 week Service Level Agreement (SLA) period to respond and provide review comments for DRs and SCRs.

More Information

Read more about this week’s FedRAMP’s Tip and cues here

Free Chatbot Call-To-Action