What Happened to The FedRAMP JAB Process?

The government doesn’t often move quickly, but when it moves, the changes it makes tend to have long-term and far-reaching ripple effects throughout business and industry. That’s true whether it’s a policy decision, a financial decision, or a restructuring of an organization, and it will always be true at the scale the federal government operates.

One recent change in the world of government cybersecurity is a change to how FedRAMP operates. The JAB, formerly the board in charge of administering the program and a key part of one of the approval processes, is no more. It has been replaced with a new board and a new process.

So, what happened, what changed, and what do you need to know? We’ll start from the beginning.

BLUF - Bottom Line Up Front

FedRAMP has removed the Joint Authorization Board (JAB) and its P-ATO process to streamline cloud service provider (CSP) authorizations through a unified Agency ATO process. This change simplifies obtaining multiple agency contracts by relying on a CSP's existing authorization status. The new FedRAMP Board supports ongoing authorizations and introduces automation and agile development to reduce audit processes. Centralized documentation remains crucial, and platforms like Ignyte can assist CSPs in maintaining compliance.

What Was the FedRAMP JAB?

The Federal Risk and Authorization Management Program, FedRAMP, was formerly administered by a small group of people called the JAB, or Joint Authorization Board. This Board was one of the teams that provided input and guidance for the direction and administration of the FedRAMP program. They worked alongside the Program Management Office and other stakeholders.

The JAB was not the sole authority in control of FedRAMP. It was one of several groups that met to guide and administer the program, alongside others like the Federal Secure Cloud Advisory Committee, the General Services Administration, the Office of Management and Budget, and even the Department of Homeland Security. After all, federal information security is a serious topic that touches every other aspect of modern government.

What Was the JAB Process?

Up until late last year, there were two ways to achieve accreditation through FedRAMP. These were the ATO or Agency Process and the P-ATO or JAB Process.

The ATO process worked like this. A cloud services provider that wanted a contract with the federal government would need to achieve a certain level of security to handle controlled unclassified information. To do so, it would need to meet or exceed the standards laid out in the FedRAMP program according to NIST Special Publication 800-53.

The key is that, in order to achieve an Authority to Operate from the FedRAMP program, the CSP would need to apply and pass an audit performed by a FedRAMP-authorized C3PAO. In order to apply, the CSP would need an agency sponsor.

An agency sponsor could be a sub-agency like the Census Bureau or the Federal Aviation Administration, or it could be a top-level agency like the Department of the Interior or the Department of Justice. As long as it’s an agency of the federal government, it can be a sponsor.

The idea is that the government doesn’t want every cloud service out there to try to achieve FedRAMP authorization, even if they don’t need it. It would hammer the program and get in the way of the most important CSPs, while also devaluing the security standard’s name. So, an agency has to say, “Hey, if this CSP can achieve authorization, we’ll have a contract ready for them.”

The downside of this process is that it’s agency-specific. If a CSP gets an authority to operate with one agency, and another agency wants to work with them as well, that other agency has to also sponsor them, and they have to go through another audit process. It’s a lot easier the second time – the majority of the work is already done – but it’s still an additional, mostly overlapping process.

One way around this was the JAB process for a Provisional Authority to Operate. With this process, the JAB itself would act as the sponsoring agency and lay the groundwork to get the CSP its authority to operate.

While this could help speed up the process for a lot of larger CSPs that would want to work with numerous government agencies, it was also a separate process, and it still didn’t provide a full ATO; a CSP would still need to go through at least the partial ATO process with an agency for a contract later.

What Happened to the JAB?

In July of 2024, the Office of Management and Budget issued the “FedRAMP memo”, known officially as M-24-15, Modernizing the Federal Risk and Authorization Management Program. The memo replaces a 2011 memo and lays out a bunch of modernization tasks for FedRAMP over the coming years.

One of the goals of the memo is to streamline some of the unnecessary overlap between the ATO and P-ATO processes. By doing away with the JAB and the JAB P-ATO process, and pushing every cloud service provider through the standard Agency ATO process, they create less division and less confusion between authorization options.

If you run a CSP and you ever wondered whether you would need to go for an ATO or P-ATO, did a bunch of research, and came out with no better idea than you started, you’re a good example of why the process is being streamlined.

The JAB was itself also somewhat limited in scope, being a small group of people with limited influence from the broad spectrum of stakeholders who would have an interest in the administration of FedRAMP.

With this memo, effective August 2024, the JAB has been replaced with a new FedRAMP Board. The FedRAMP Board is slightly larger, meets more often, and represents a wider range of interests to provide more accurate guidance for the FedRAMP program’s development.

What Happened to the JAB Process?

If the JAB is dead, what happened to the JAB P-ATO process?

As you might expect, this, too, is dead.

The goal, moving forward, is to bolster Agency ATOs to be more robust and more reciprocal. Essentially, the ideal end state is for the Agency ATO to be more like a P-ATO, with a presumption of trust and effectiveness associated with the CSP passing the auditing process.

Basically, unless the CSP is working at FedRAMP low impact for their current agency and is aiming for moderate at another, or moderate at their current and high at another, there shouldn’t need to be a whole extra ATO process. If they can pass the Moderate ATO for one agency, they should be able to pass the Moderate ATO process for another agency without the need to redo a lot of work specifically for that agency.

Answering Questions About the New FedRAMP Process

You likely have a lot of questions about what has changed for the new FedRAMP administration and process. We’ll do our best to answer the ones we can, and point you in the direction of answers for anything we can’t. If you have a question we haven’t answered, feel free to let us know or reach out and ask.

What happens to any CSP partially through the JAB Process?

This memo was fairly abrupt and came without a lot of warning. A decent number of CSPs were working with the JAB on their P-ATOs at the time. With the removal of the JAB and the JAB process, the authorization process for these CSPs stalled.

What happens next for these CSPs?

If you’re one of them, you already know. The new FedRAMP Board was very proactive in discussing the next steps for everyone in this stage of the process. If you were not one of those CSPs but are interested in how it’s being handled, the approach is fairly sensible.

While there was some delay, the new FedRAMP Board is temporarily taking up the position of the JAB for the purposes of these authorizations. No new CSPs are able to apply for JAB-equivalent processes, but those already working through it are supported while they finish and will be given the new equivalent of a P-ATO until they get an agency contract. Once they get that contract, they’ll transition to an Agency ATO and will continue from there.

This path might open up later. The FedRAMP publication says:

“In the short term, this path will be for CSPs who were either queued or prioritized to work with the Joint Authorization Board (JAB), with a future focus on building out criteria and an approach for opening this path market-wide.”

There’s no firm timeline or structure to this yet, however, so if you’re banking on it happening sooner rather than later, you may be left waiting.

What happens to CSPs already using JAB authorization?

If you’re a CSP that had already passed the JAB process and received a P-ATO, this removal of the JAB will throw a few things into question. Most notably: what happens to JAB-specific artifacts like approval letters?

With the replacement of the P-ATO with the ATO, any CSP that was JAB-authorized will simply need to work with their agency partners moving forward. Ideally, individual approval letters won’t be necessary, continuous monitoring validation will be picked up as it is with agency ATO CSPs, and recertification will be done along ATO lines.

Relatively few CSPs are JAB-authorized but have no agency contracts. These end up in a state of limbo until they get their first agency contract, at which point the usual ATO process takes over.

Additionally, the new FedRAMP governance group is working to create a multi-agency version of continuous monitoring documentation, which provides templates that multiple agencies can use. This allows CSPs to report the results of their ConMon once, and multiple agencies to view those results.

How does this new change streamline the Agency ATO process?

Removing P-ATOs sounds like it doesn’t actually streamline anything, but there are other changes in the memo that push in that direction.

One is, as mentioned directly above, the exploration and potential development of a P-ATO-like process to open up market-wide. If and when that happens, it would significantly broaden the horizons of every FedRAMP-authorized CSP.

Another is an emphasis on new, agile development in the FedRAMP administration. FedRAMP has launched an Agile Delivery Pilot, which is aimed at testing new processes for evaluating and auditing security standards across cloud service offerings. The idea is that if a CSP makes changes that would normally need a new audit to validate, a micro-audit of just the features might be valid instead; similarly, if they want to expand to a new contract, a new full ATO isn’t necessary.

The memo also emphasizes a new push to increase automation in the authorization process. FedRAMP launched a new site, automate.fedramp.gov, as a hub for documentation supporting CSPs through the ATO process. Its documentation framework is based on the Open Security Controls Assessment Language (OSCAL), a standardized, machine-readable format that helps aggregate and process documentation. This alone has the potential to alleviate immense costs and workloads in the Agency ATO process.

I’m a CSP using the normal Agency ATO process. What has changed?

For you? So far, very little. It’s essentially all upside; there are new elements of automation and agile development that help streamline your overall authorization process. Recertification will be faster and easier. And, if you go for another agency contract, you’ll be able to do so with a lot less hassle.

If you were hesitating on bidding on another government contract because of the work involved in juggling multiple agency ATOs, you have a better opportunity now.

How Ignyte Can Help

One quirk of how the new One Authorization paradigm works is that, while reciprocal trust and standardization take the forefront, there is still a need for well-maintained and centralized documentation. In fact, if anything, it’s even more important to make sure you have all of your documentation and artifacts in one place, because each agency you may want to work with will have its own interest in it.

The Ignyte Assurance Platform was designed for exactly this kind of situation. As a centralized platform, it assists you in accumulating all of your relevant documentation in one place and is ready to slot right into the new OSCAL-based automation setup that FedRAMP is beginning to use. All of this helps streamline your ability to achieve an agency authorization, whether it’s with a single agency or with multiple.

To see how Ignyte can work for you, simply book a demo today, and we’ll show you around.
