June 23, 2023

Last Updated on January 12, 2024

There are basically two “on-ramps” to a Federal Risk and Authorization Management Program Authority to Operate (FedRAMP ATO): the Joint Authorization Board (JAB) process and the agency-sponsored authorization process. Which is right for your organization?

Mike Craig, CEO at Vanaheim Security, explains why you might want to choose the more common agency-sponsored route or the more arduous JAB route.

What is the JAB?

The JAB is FedRAMP’s main governing and decision-making body. It consists of the Chief Information Officers (CIOs) from the “big three” US federal agencies that initially created FedRAMP: the US Department of Defense (DoD), the Department of Homeland Security (DHS), and the General Services Administration (GSA).

The JAB’s responsibilities include:

  • Reviewing authorization packages for cloud services
  • Granting provisional authorizations for cloud services
  • Defining and periodically updating the FedRAMP requirements

Another big player in the FedRAMP approval process is the FedRAMP Program Management Office (PMO). This is where you actually send FedRAMP ATO applications. The PMO works behind the scenes with agency sponsors and the JAB. They also run the FedRAMP Marketplace.

Why the agency route is usually easier

Typically, the agency route starts when your organization has already been selling a SaaS offering to a specific US government agency, and that agency agrees to sponsor you because it wants to keep using your solution. So, you're leveraging a relationship you already have in place.

On the other hand, only a few JAB authorization candidates are selected each year from the entire pool of applicants, based on the JAB's published prioritization criteria for bringing new cloud SaaS, IaaS, and/or PaaS systems under management. So, getting to a JAB review is not a given.

“It’s much longer, it’s much harder, and the controls are more exacting,” advises Mike. “With gray areas and interpretations, they have a much stricter stance than most agencies.”

The big risk with the agency route

But there's a big potential risk with agency sponsorship. If you ever lose your sponsoring agency as a client, even if you're selling to other agencies by then, you'd lose your only FedRAMP ATO and would need to go through the process all over again to keep your government business. A JAB provisional authorization (P-ATO), by contrast, is not tied to a single agency.

A CSP must have at least one ATO on file with the FedRAMP PMO to maintain its Authorized designation on the FedRAMP Marketplace. This ensures that at least one agency has oversight of the CSP's continuous monitoring activities. If a service offering loses its only ATO, it can stay listed as FedRAMP Ready on the FedRAMP Marketplace for up to 12 months while the company seeks a new ATO with a new agency sponsor.

What’s next?

For more guidance on this topic, listen to Episode 120 of The Virtual CISO Podcast with guest Mike Craig from Vanaheim Security.
