Page 17 - FCW, May 15, 2016

RETHINKING THE ASSESSMENT PROCESS
The FedRAMP program management office has a new plan for moving cloud service providers through the Joint Authorization Board review.
OLD JAB REVIEW PROCESS
9-18 MONTHS OR MORE
System Security Plan
CSP and FedRAMP information system security officer (ISSO) review documentation of security controls before submitting to JAB. CSP addresses JAB concerns and resubmits as needed.
System Assessment Plan
Third-party assessment organization (3PAO) drafts a plan for testing CSP’s compliance with FedRAMP requirements. ISSO reviews plan before submitting to JAB. CSP addresses JAB concerns and resubmits as needed.
Testing
3PAO tests CSP’s system and creates a Security Assessment Report.
Security Assessment Report
CSP and ISSO review the report before submitting to JAB. CSP addresses JAB concerns and resubmits as needed, then creates a final Plan of Action and Milestones.
Authorize
Final JAB review and sign-off on provisional authority to operate.

FedRAMP ACCELERATED
3-6 MONTHS
Readiness Assessment Report
3PAO assesses CSP’s system to identify potential gaps in security controls, recommends adjustments and then drafts a report for the FedRAMP PMO’s review. This step is far less involved than a full-blown Security Assessment Report and should take just a few weeks.
FedRAMP Ready review
The FedRAMP PMO reviews the Readiness Assessment Report and, barring questions about the 3PAO’s conclusions, declares the CSP FedRAMP Ready. PMO has pledged one-week turnarounds on these reports.
Security Assessment Report
3PAO and CSP can now move forward with a Security Assessment Report, which must be fully completed before submitting to JAB for review. The time required for this step depends almost entirely on the CSP and 3PAO.
JAB review and authorization
JAB reviews the Security Assessment Report. CSP addresses JAB concerns as needed before provisional authority to operate is granted. The goal is to complete these reviews within three months.

Agency review process
Agency authorizations are unchanged for now and similar to the old JAB process.
CSP Supplied process
This path to FedRAMP compliance has been discontinued as of April 29.