The Joint Authorization Board (JAB) is the primary governance and decision-making body for the FedRAMP program. The JAB reviews cloud solutions and grants joint provisional authorizations using a standardized security baseline. The Chief Information Officers of the Department of Defense, the Department of Homeland Security, and the General Services Administration serve on the JAB.
Below are the FedRAMP duties and responsibilities for the JAB.
Define FedRAMP security authorization requirements
Approve accreditation criteria for third party assessment organizations
Establish a priority queue for authorization package reviews
Review FedRAMP authorization packages
Grant joint provisional authorizations
Ensure that provisional authorizations are reviewed and updated regularly
3PAO stands for Third Party Assessment Organization.
A 3PAO independently evaluates a cloud provider's systems, which gives the government transparency into the provider's security posture and consistency in how data security is assessed across providers. Accredited 3PAOs use the FedRAMP templates when performing security assessments.
The U.S. General Services Administration (GSA) website lists the following requirements for qualification as a 3PAO:
Information assurance competence, including experience with FISMA and with testing security controls.
Competence in the security assessment of cloud-based information systems.
Assessors perform initial and periodic assessments of cloud systems to confirm that they meet FedRAMP requirements. Once engaged by a CSP, independent assessors:
Complete a Security Assessment Plan (SAP)
Perform initial and periodic assessments of the cloud system's security controls
CSPs seeking to meet FedRAMP requirements through the JAB P-ATO path or the CSP-supplied package path must be assessed by an accredited assessor. To become an accredited assessor, a candidate organization must submit application materials demonstrating that it meets both the technical competence requirements for security assessment of cloud systems and the management requirements for organizations performing inspections (ISO/IEC 17020).
Federal agencies adopt cloud systems as a means of cutting long-term costs while gaining the benefits of the cloud environment, which NIST SP 800-145 describes as five essential characteristics:
• On-demand self-service. An end user can sign up for and receive services without the long delays that have characterized traditional IT.
• Broad network access. The service can be reached from standard platforms (desktop, laptop, mobile, etc.).
• Resource pooling. Resources are pooled across multiple customers.
• Rapid elasticity. Capacity can scale to cope with demand peaks.
• Measured service. Billing is metered and delivered as a utility service.
Federal agencies that build an application (SaaS) or platform (PaaS) on a third-party cloud environment providing infrastructure (IaaS) are required to ensure that the applicable security controls (NIST SP 800-53 Rev. 4) are identified, accounted for, and implemented in a way that meets FedRAMP requirements.
On the commercial side, startups, mid-size companies and Fortune 500 companies all seek to obtain FedRAMP compliance in order to reap the business rewards of selling their services to the Federal government.
These commercial organizations have built environments at the infrastructure (IaaS), platform (PaaS), or software/application (SaaS) layer that deliver a service federal agencies can use efficiently in support of their missions.
Although these organizations are non-federal by nature, they are required to meet the security requirements of the FedRAMP framework as a condition of providing these services to the Federal Government.
These commercial providers must document in the System Security Plan the delineation of security-control responsibilities: which controls the provider implements for the services it delivers, which are the customer's responsibility, and which are shared.
All of this is documented thoroughly so that security risks are identified, each responsible party is meeting its specified responsibilities, and both the organization and its customer (in this case, the Federal Government) have accounted for security and information assurance throughout the System Development Life Cycle of the information system and the infrastructure supporting it.
The team at zodtech Inc. has more than 30 years of Federal security compliance and information assurance experience, focused primarily on NIST, FIPS, OMB, FISMA, and FedRAMP standards and regulations.
zodtech has supported many federal agencies, which has given the team a broad perspective on supporting compliance activities in a manner that meets customer expectations while providing a long-term strategy for managing risk through the Risk Management Framework process.
zodtech is comprised of individuals who have supported all of the different spokes of the FedRAMP cycle and therefore understand what must be met in order to achieve FedRAMP authorization (commonly referred to as FedRAMP certification).
zodtech has identified the 4 spokes of FedRAMP as the following: