The General Services Administration’s (GSA) Federal Risk and Authorization Management Program (FedRAMP) announced this week that it is moving away from defining different tiers of authorizations and toward one designation of “FedRAMP Authorized.”
The shift is a part of FedRAMP’s larger overhaul of the program, which includes replacing the program’s Joint Authorization Board (JAB).
Previously, cloud service providers (CSPs) were able to seek authorization for FedRAMP either through the JAB or agency authorization.
“Going forward, all authorized CSPs will be considered FedRAMP Authorized, regardless of path,” FedRAMP wrote in an Aug. 12 blog post. “In the next few weeks, FedRAMP will remove the ‘authorization path’ filter on the FedRAMP Marketplace and as a Marketplace data element. CSPs that have received a JAB Authorization will have this historic status included in their Marketplace description.”
The JAB was created at the onset of FedRAMP in 2011, consisting of chief information officers (CIOs) from the Departments of Defense (DoD) and Homeland Security (DHS), and GSA. However, GSA announced in May that the JAB would transition to the FedRAMP Board. Each of DoD, DHS, and GSA continue to have senior officials on the new board, and they are joined by officials from several other agencies.
FedRAMP explained that continuous monitoring for JAB-authorized CSPs will initially be at one of the former JAB agencies – DoD, DHS, or GSA – or with FedRAMP itself.
“We expect to migrate [continuous monitoring] for CSPs not used by a former JAB agency to another agency customer,” FedRAMP wrote. “We are coordinating with the agencies using these JAB-authorized CSPs to identify those who can take on [continuous monitoring] activities.”
“FedRAMP and existing GSA, DOD, and DHS [continuous monitoring] teams will provide transitional support as systems are transferred to new lead agencies,” it added.
FedRAMP noted that several CSPs were in the process of getting JAB authorization but that was paused when the transition away from JAB began. FedRAMP said it will continue to work with all cloud services that are still seeking a path to authorization.
FedRAMP plans to hold a dedicated, virtual Q&A session for CSPs that were prioritized by or authorized by the JAB today at noon. It will also publish an FAQ on the JAB transition in the coming weeks.
