March 3, 2021

Last Updated on January 13, 2024

FedRAMP is really ramping up as US federal agencies seek to use new cloud services.

FedRAMP, short for Federal Risk and Authorization Management Program, is the US government’s mandated approach to ensuring cloud services are secure enough for agency use. To sell your SaaS, IaaS or other cloud service to federal agencies, you need a FedRAMP Authority to Operate (ATO).

What does it take to get a FedRAMP ATO? And what is the best route to that goal for your company?

To share first-hand insight on the FedRAMP ATO process, Stephen Halbrook, Partner and government compliance lead at Schellman & Co., joined a recent episode of The Virtual CISO Podcast.

There are two basic “on-ramps” to FedRAMP: the Agency authorization process and the JAB (short for Joint Authorization Board) GSA process. “We’ll start with the one that I think is the more direct route, and that is the agency sponsored path,” Steve begins. “It requires commitment from a federal agency prior to heading down the assessment path, and really the intent is that this agency will become a client at the end of the process.”

“And throughout the assessment process, they’ll have some involvement, right?” continues Steve. “For example, before the assessment they may want to see your system security plan, which is where a provider documents the details on their system, and they describe how they’ve implemented all of the 300-plus controls at the [FedRAMP] Moderate baseline.

“Then throughout the assessment, there are some key milestones, like the system assessment plan they’ll want to take a look at. But then most importantly is the security assessment report that gets generated by the assessor at the end of the assessment.”

Based on that report and the risk profile of the system, the agency client hopefully grants an ATO.

The JAB GSA assessment process is more complex than the Agency process. Steve explains: “So with Agency, what we mostly see there is SaaS services, and those tend to be more niche or specialized type services. But then when you take a look at JAB path, that’s where you’ll see a lot of the IaaS and PaaS providers that are authorized. They have JAB ATOs, and the reason for that is that these SaaS providers that I mentioned, that are headed down the agency sponsored path, they’re leveraging these IaaS and PaaS providers for their services and you run into this concept that if something is JAB authorized, it should be leveraging a JAB IaaS or PaaS. If something is Moderate baseline, it should be leveraging a Moderate baseline or higher IaaS or PaaS.”

“I think that helps to explain the difference as far as what services tend to lean towards Agency versus JAB,” summarizes Steve. “I think of JAB as being really a more broad use case of capabilities for the types of services that would go down that path.”

Another complexity of the JAB route is the application process. Each quarter the JAB picks about three organizations to sponsor and take through the ATO process from among those that have submitted applications.

“There’s quite a bit more that goes into JAB,” clarifies Steve. “A CSP puts together their application, and if they get selected by the JAB, they then have to pivot and go through the FedRAMP Readiness Assessment Report (RAR) engagement. The FedRAMP RAR is really maybe the top 10% of the controls in the federal mandate. So it’s a scaled-back assessment that has to be performed by a 3PAO, much like the full assessment. So they get selected by JAB, they have to move into this RAR assessment, and then once they’ve completed that, they then go into a full assessment. So you have this additional step there, the application process, the RAR assessment and then you’re finally caught up with the Agency path, in terms of moving through the full assessment.”

Another key difference between the Agency and JAB processes is that for JAB authorized firms, the ATO is provisional. Steve relates: “Then at the end, there’s a slight nuance to what the positive result is. It’s referred to as a provisional ATO, whereas for the Agency, we talked about that being an actual ATO. So what does provisional mean? The JAB can’t accept the risks associated with the cloud service. It’s really going to be up to the agency that comes along, picks up the package and grants an ATO.”

What about the extent and rigor of the review/authorization process? After all, the JAB “does it every day,” whereas a sponsoring agency may be less experienced.


“To be more specific, it really comes down to accepting risks or findings,” Steve qualifies. “We know that there are things that the JAB just will not accept, whereas an agency is motivated to use this product, so they may have a little more tolerance for findings and risk accepting certain things that we know the JAB is not going to.”

Even once the JAB assessment is complete, there is another hurdle to clear before you get your provisional ATO. “You go through three months of continuous monitoring with the JAB,” describes Steve. “So the CSP is providing their scans, their inventory, their POA&Ms, much like they would do with a sponsoring agency when they’re authorized. But they’re actually having to do that with the JAB for three months before they can even get through and hopefully receive that provisional ATO. So not only do they move through that RAR full assessment, but then they’ll get a little bit beat up during those three months of ConMon.”

That extra time and effort makes the Agency route somewhat quicker and less expensive. “No ConMon, no FedRAMP RAR, no application window that you’re waiting for to open up to apply to,” Steve enumerates.

If you’re looking to get a FedRAMP ATO, you’ll find this podcast with Stephen Halbrook extremely helpful.
