From 9fa74928109f03319202d151b48607613737c74a Mon Sep 17 00:00:00 2001 From: Ryan H Date: Wed, 9 Oct 2024 13:43:13 -0400 Subject: [PATCH 1/2] Update about-marketplace.html Remove all JAB references. --- _layouts/about-marketplace.html | 57 ++++++--------------------------- 1 file changed, 9 insertions(+), 48 deletions(-) diff --git a/_layouts/about-marketplace.html b/_layouts/about-marketplace.html index e0219f84..ae638854 100644 --- a/_layouts/about-marketplace.html +++ b/_layouts/about-marketplace.html @@ -154,7 +154,7 @@

Highlights of FedRAMP Ready:

Achieving FedRAMP Ready

-

FedRAMP Ready is required for CSPs pursuing a Provisional Authority to Operate (P-ATO) from the JAB, and is highly recommended for CSPs pursuing a FedRAMP Agency Authorization. Achieving FedRAMP Ready indicates to the federal government that a CSP has a high likelihood of achieving a FedRAMP Authorization.

+

FedRAMP Ready is highly recommended for CSPs pursuing a FedRAMP Agency Authorization. Achieving FedRAMP Ready indicates to the federal government that a CSP has a high likelihood of achieving a FedRAMP Authorization.
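Review bot: The added sentence leaves FedRAMP Ready as only "highly recommended", with no remaining case where it is required, yet the "Additional Requirements" list further down this file still includes "The CSO is currently listed as FedRAMP Ready on the Marketplace". Confirm which statement holds now that the JAB path is removed. Then either qualify the new sentence or update that list item, so the page does not give CSPs two different answers.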

@@ -170,8 +170,6 @@

Achieving FedRAMP Ready

The FedRAMP PMO reviews each Readiness Assessment Report to ensure a CSO’s core security capabilities and operational processes are in place. Once the PMO deems the Readiness Assessment Report acceptable, the CSO is listed as FedRAMP Ready on the FedRAMP Marketplace.

The FedRAMP Ready designation is valid for one year, beginning on the date the CSO is listed as FedRAMP Ready on the Marketplace. If the CSP would like to remain listed on the Marketplace as FedRAMP Ready for longer than one year, the CSP may work with a 3PAO and the FedRAMP PMO to issue a new Readiness Assessment Report to maintain its FedRAMP Ready designation for an additional year.

- -

Any CSO that holds a FedRAMP Agency Authorization that would like to transition to a JAB P-ATO must also achieve FedRAMP Ready.

Holding Multiple Designations

@@ -189,27 +187,14 @@

Holding Multiple Designations

FedRAMP In Process

-

FedRAMP In Process indicates a CSP is actively working towards FedRAMP Authorization through the JAB or Agency Authorization processes. All FedRAMP In Process CSOs are listed on the FedRAMP Marketplace.

+

FedRAMP In Process indicates a CSP is actively working towards FedRAMP Authorization. All FedRAMP In Process CSOs are listed on the FedRAMP Marketplace.

-

JAB Authorization: FedRAMP Connect and FedRAMP In Process

-

The JAB prioritizes up to 12 CSOs each year to work towards FedRAMP Authorization. Each CSP must go through a process called “FedRAMP Connect” wherein they submit a business case that provides detailed product information and government-wide demand. The criteria for business cases and evaluation are described in detail within the JAB Prioritization Criteria and Guidance document.

- -
Prior to being listed as FedRAMP In Process on the Marketplace for a JAB P-ATO, a CSP must:
-
    -
  • Achieve FedRAMP Ready within 60 days of being prioritized by the JAB
  • -
  • Finalize the CSO’s System Security Plan (SSP)
  • -
  • Engage a FedRAMP recognized 3PAO to develop a Security Assessment Plan (SAP), conduct a full security assessment, and produce a Security Assessment Report (SAR)
  • -
  • Upload all required security package materials to MAX.gov (a federal document repository) for systems Authorized at the Moderate baseline, or to their own repository if the system is Authorized at the High baseline
  • -
  • Participate in a formal Kickoff Meeting with the JAB, PMO, and partnering 3PAO
  • -
-

Completion of the Kickoff Meeting will result in a “go” / “no-go” decision point for JAB Authorization efforts. If a CSP achieves a “go” decision, the partnership with the JAB for a P-ATO may proceed, and the CSO will be listed as FedRAMP In Process (In JAB Review) on the FedRAMP Marketplace.

- -

Agency Authorization: FedRAMP In Process Requirements

+

FedRAMP In Process Requirements when Partnering with Federal Agencies

In order to be listed as FedRAMP In Process with a federal agency, a CSP must:

  1. Obtain written confirmation of the agency’s intent to authorize (In Process Request)
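Review bot: The removed JAB list in this hunk is where "System Security Plan (SSP)", "Security Assessment Plan (SAP)" and "Security Assessment Report (SAR)" are spelled out. If the rest of the layout uses SSP, SAP or SAR, expand each at its first remaining use so the page does not rely on a definition that is no longer there. Separately, the new heading "FedRAMP In Process Requirements when Partnering with Federal Agencies" implies a second path that the page no longer describes; a shorter heading or one sentence stating that the agency path is the only route would avoid that.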
  2. @@ -269,7 +254,7 @@
    Additional Requirements
  3. The agency provides proof of a contract award for the use of the CSO
  4. The agency and CSP demonstrate use of the service offering to the PMO Note: An email from the Agency AO stating the instance of the CSO undergoing Authorization is being used by the agency will meet this requirement
  5. The CSO is currently listed as FedRAMP Ready on the Marketplace
  6. -
  7. Completion of a formal FedRAMP facilitated Kickoff Meeting that includes the agency, CSP, FedRAMP PMO, and, if applicable, 3PAO
  8. +
  9. Completion of a formal FedRAMP Kickoff Meeting that includes the agency, CSP, and, if applicable, 3PAO

Kickoff Meetings

The purpose of the Kickoff Meeting is to formally begin the agency authorization process by introducing key team members, reviewing the Cloud Service Offering, and ensuring all stakeholders are aligned on the overall process. Kickoffs are meant to be in service of the CSP and Agency partnership. While a CSP may achieve In Process through other means, the PMO strongly encourages CSPs and agencies to conduct a Kickoff Meeting as outlined in the Agency Authorization Playbook.
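Review bot: The replacement line for the Kickoff Meeting requirement drops "FedRAMP PMO" from the attendee list and "facilitated" from the meeting description, which goes beyond the commit's stated scope of removing JAB references. If the PMO no longer attends or facilitates kickoffs, state that in the commit message or split it into its own change. The unchanged paragraph below still says "the PMO strongly encourages CSPs and agencies to conduct a Kickoff Meeting", so also check that the two passages agree on the PMO's role.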

@@ -293,7 +278,7 @@

Change in Initial Agency Partner or Authorizing Official

If a CSP changes agency partners during the initial authorization, the requirements listed above must be followed by the new agency. Upon fulfillment of the requirements, the Marketplace listing will be updated to include the new agency and FedRAMP In Process date. If the Agency AO changes while a CSP is listed as In Process, the FedRAMP PMO must be notified within 30 days and must receive a new In Process Request notification from the new AO.

Questions Regarding In Process Timeline

-

The FedRAMP Marketplace displays the date a CSO was listed as In Process with the JAB or an agency. Questions regarding the status or progress toward FedRAMP Authorization for a FedRAMP In Process CSO should be directed to the CSP’s email address listed on their Marketplace page, or info@fedramp.gov.

+

The FedRAMP Marketplace displays the date a CSO was listed as In Process. Questions regarding the status or progress toward FedRAMP Authorization for a FedRAMP In Process CSO should be directed to the CSP’s email address listed on their Marketplace page, or info@fedramp.gov.

Department of Defense Requirements

CSPs pursuing initial authorization with a Department of Defense (DoD) component agency at DoD IL-2 may work towards initial FedRAMP Authorization at the Moderate baseline. The service offering must be configured as a multi-tenant environment that is capable of hosting any federal agency customer. Service offerings that are built for DoD-only use may not achieve initial authorization via FedRAMP, and instead should work with the Defense Information Systems Agency (DISA) for initial authorization. Additionally, CSPs pursuing initial authorization with DoD component agencies at DoD IL-4 or higher must first authorize their CSO via DISA. More information can be found within the Cloud Computing Security Requirements Guide and the DoD Cloud Authorization Services (DCAS) website (CAC required). If you have questions, please reach out to DISA’s hotline mailbox: disa.meade.re.mbx.cloud-team@mail.mil.

@@ -315,44 +300,22 @@

Department of Defense Requirements

FedRAMP Authorized

-

The FedRAMP Authorized designation is provided to CSOs that have successfully completed the FedRAMP Authorization process with the JAB or a federal agency. FedRAMP Authorized indicates FedRAMP requirements have been met, and that a CSO’s security package is available for agency reuse.

+

The FedRAMP Authorized designation is provided to CSOs that have successfully completed and maintain a FedRAMP Authorization. FedRAMP Authorized indicates FedRAMP requirements have been met, and that a CSO’s security package is available for agency reuse.

-

JAB Provisional Authorization

-

Cloud services that are FedRAMP In Process with the JAB can shift to FedRAMP Authorized once the following events have occurred:

- -
    -
  1. The JAB reviews the security package for the CSO -
      -
    • CSPs and 3PAOs support JAB Technical Reviewers (TRs) during their review, and - participate in regular meetings with the PMO and JAB TRs to address questions
    • -
    -
  2. -
  3. The CSP submits accurate and complete monthly continuous monitoring (ConMon) deliverables (e.g., scan files, Plan of Action & Milestones [POA&M], and up-to-date inventory) to the JAB throughout the review
  4. -
  5. The CSP and 3PAO remediate system and documentation issues as needed following completion of the JAB review, ensuring all JAB TR comments are appropriately addressed
  6. -
  7. The JAB validates the CSP and 3PAO remediation efforts
  8. -
  9. The JAB issues a letter granting a P-ATO for the CSO to the CSP -
      -
    • The P-ATO letter is signed by the CIOs of the Department of Defense, the - Department of Homeland Security, and the General Services Administration.
    • -
    -
  10. -
-

Once a P-ATO letter is provided to a CSP, the Marketplace listing for the service offering will be updated to reflect its FedRAMP Authorized designation and the date of authorization.

- -

Agency Authorization

+

FedRAMP Authorization when Partnering with Federal Agencies

CSOs that are In Process with an agency can shift to FedRAMP Authorized once the following events have occurred:

  1. An agency grants an ATO for the CSO (FedRAMP does not accept Interim ATOs or ATUs (Authority to Use) to trigger the FedRAMP PMO’s review of a security package. All ATOs submitted to the PMO must have a minimum timeframe of 1 year.)
  2. -
  3. The CSP and 3PAO upload all required security package materials to their secure FedRAMP repository (MAX.gov for packages Authorized below the High baseline, their own repository for packages Authorized at the High baseline)
  4. +
  5. The CSP and 3PAO upload all required security package materials to their secure FedRAMP repository (Connect.gov for packages Authorized below the High baseline, their own repository for packages Authorized at the High baseline)
  6. The FedRAMP PMO reviews the package and releases an Agency Authorization Review Report
      -
    • If necessary, the FedRAMP PMO schedules a review meeting with the agency,CSP, and 3PAO to discuss questions and gain clarity on outstanding items reflected in the Agency Package Review Report. Updates to the package may be requested by the FedRAMP PMO.
    • +
    • If necessary, the FedRAMP PMO schedules a review meeting with the agency, CSP, and 3PAO to discuss questions and gain clarity on outstanding items reflected in the Agency Package Review Report. Updates to the package may be requested by the FedRAMP PMO.
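Review bot: The upload step changes the repository from "MAX.gov" to "Connect.gov", which is not a JAB reference and is not mentioned in the commit message. Call it out there or move it to a separate commit so the repository change can be verified on its own. In the same list, the PMO "releases an Agency Authorization Review Report" while the sub-item refers to the "Agency Package Review Report"; since this hunk already rewrites that sub-item to fix the missing space, settle on one name for the report here as well.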
@@ -389,14 +352,12 @@

FedRAMP In Process

  • The authorization timeline for a CSO has exceeded 12 months as In Process.
  • An agency or CSP informs the FedRAMP PMO that they are no longer working with a CSP for FedRAMP Authorization.
  • -
  • The JAB deprioritizes a CSP for a JAB P-ATO.

FedRAMP Authorized

  • A CSO no longer has at least one ATO on file validating the use and continuous monitoring oversight of the service at a federal agency.
  • The ongoing security posture of a CSO, as demonstrated through continuous monitoring, is insufficient for federal government use.
  • -
  • JAB Authorized CSOs do not demonstrate sufficient federal government demand.
From f8b65ba44fbcc90bd521bb0fd45478d01163cf33 Mon Sep 17 00:00:00 2001 From: Pete Waterman Date: Thu, 10 Oct 2024 10:33:01 -0400 Subject: [PATCH 2/2] change "fedramp agency authorization" to "fedramp authorization" (there's no such thing as a FedRAMP Agency Authorization, it's just a FedRAMP Authorization via the agency path) --- _layouts/about-marketplace.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_layouts/about-marketplace.html b/_layouts/about-marketplace.html index ae638854..68846461 100644 --- a/_layouts/about-marketplace.html +++ b/_layouts/about-marketplace.html @@ -154,7 +154,7 @@

Highlights of FedRAMP Ready:

Achieving FedRAMP Ready

-

FedRAMP Ready is highly recommended for CSPs pursuing a FedRAMP Agency Authorization. Achieving FedRAMP Ready indicates to the federal government that a CSP has a high likelihood of achieving a FedRAMP Authorization.

+

FedRAMP Ready is highly recommended for CSPs pursuing a FedRAMP Authorization. Achieving FedRAMP Ready indicates to the federal government that a CSP has a high likelihood of achieving a FedRAMP Authorization.
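Review bot: The one-line replacement fixes only this sentence, while the commit message says the term "FedRAMP Agency Authorization" does not exist. Lines that the previous patch left unchanged in this file still use agency-authorization wording, for example "Agency Authorization Review Report" and "Agency Authorization Playbook". Confirm those are official document titles and leave them, or bring them in line in this commit.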