Update about-marketplace.html #826

Merged
merged 2 commits into from
Oct 11, 2024
57 changes: 9 additions & 48 deletions _layouts/about-marketplace.html
Expand Up @@ -154,7 +154,7 @@ <h4 class="margin-top-0">Highlights of FedRAMP Ready:</h4>
<div class="full-row grid-row">
<div class="full-col grid-col-12">
<h4>Achieving FedRAMP Ready</h4>
<p class="padding-bottom-2">FedRAMP Ready is required for CSPs pursuing a Provisional Authority to Operate (P-ATO) from the JAB, and is highly recommended for CSPs pursuing a FedRAMP Agency Authorization. Achieving FedRAMP Ready indicates to the federal government that a CSP has a high likelihood of achieving a FedRAMP Authorization.</p>
<p class="padding-bottom-2">FedRAMP Ready is highly recommended for CSPs pursuing a FedRAMP Authorization. Achieving FedRAMP Ready indicates to the federal government that a CSP has a high likelihood of achieving a FedRAMP Authorization.</p>
</div>
</div>

Expand All @@ -170,8 +170,6 @@ <h4>Achieving FedRAMP Ready</h4>
<p class="padding-bottom-2">The FedRAMP PMO reviews each Readiness Assessment Report to ensure a CSO’s core security capabilities and operational processes are in place. Once the PMO deems the Readiness Assessment Report acceptable, the CSO is listed as FedRAMP Ready on the FedRAMP Marketplace. </p>

<p>The FedRAMP Ready designation is valid for one year, beginning on the date the CSO is listed as FedRAMP Ready on the Marketplace. If the CSP would like to remain listed on the Marketplace as FedRAMP Ready for longer than one year, the CSP may work with a 3PAO and the FedRAMP PMO to issue a new Readiness Assessment Report to maintain its FedRAMP Ready designation for an additional year. </p>

<p>Any CSO that holds a FedRAMP Agency Authorization that would like to transition to a JAB P-ATO must also achieve FedRAMP Ready.</p>

<h4>Holding Multiple Designations</h4>

Expand All @@ -189,27 +187,14 @@ <h4>Holding Multiple Designations</h4>
</div>
<div class="full-col desktop:grid-col-10 desktop:padding-left-4">
<h3 class="margin-top-0">FedRAMP In Process</h3>
<p class="padding-bottom-2">FedRAMP In Process indicates a CSP is actively working towards FedRAMP Authorization through the JAB or Agency Authorization processes. All FedRAMP In Process CSOs are listed on the FedRAMP Marketplace.</p>
<p class="padding-bottom-2">FedRAMP In Process indicates a CSP is actively working towards FedRAMP Authorization. All FedRAMP In Process CSOs are listed on the FedRAMP Marketplace.</p>
</div>
</div>


<div class="grid-row">
<div class="desktop:grid-col-12 margin-bottom-3 desktop:margin-bottom-0">
<h4 class="margin-top-0">JAB Authorization: FedRAMP Connect and FedRAMP In Process</h4>
<p>The JAB prioritizes up to 12 CSOs each year to work towards FedRAMP Authorization. Each CSP must go through a process called “FedRAMP Connect” wherein they submit a business case that provides detailed product information and government-wide demand. The criteria for business cases and evaluation are described in detail within the JAB Prioritization Criteria and Guidance document.</p>

<h5>Prior to being listed as FedRAMP In Process on the Marketplace for a JAB P-ATO, a CSP must:</h5>
<ul>
<li>Achieve FedRAMP Ready within 60 days of being prioritized by the JAB</li>
<li>Finalize the CSO’s System Security Plan (SSP)</li>
<li>Engage a FedRAMP recognized 3PAO to develop a Security Assessment Plan (SAP), conduct a full security assessment, and produce a Security Assessment Report (SAR)</li>
<li>Upload all required security package materials to MAX.gov (a federal document repository) for systems Authorized at the Moderate baseline, or to their own repository if the system is Authorized at the High baseline</li>
<li>Participate in a formal Kickoff Meeting with the JAB, PMO, and partnering 3PAO</li>
</ul>
<p>Completion of the Kickoff Meeting will result in a “go” / “no-go” decision point for JAB Authorization efforts. If a CSP achieves a “go” decision, the partnership with the JAB for a P-ATO may proceed, and the CSO will be listed as FedRAMP In Process (In JAB Review) on the FedRAMP Marketplace. </p>

<h4>Agency Authorization: FedRAMP In Process Requirements</h4>
<h4 class="margin-top-0">FedRAMP In Process Requirements when Partnering with Federal Agencies</h4>
<p>In order to be listed as FedRAMP In Process with a federal agency, a CSP must:</p>
<ol>
<li>Obtain written confirmation of the agency’s intent to authorize (In Process Request)</li>
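Review bot: Deleting the whole "JAB Authorization: FedRAMP Connect and FedRAMP In Process" block only covers the occurrences visible in this hunk; the collapsed region between the previous hunk (@@ -170) and this one (@@ -189), which holds "Holding Multiple Designations", is not shown, so please grep the file for "JAB", "P-ATO" and "FedRAMP Connect" and confirm no stranded references remain. The renamed heading correctly picks up `class="margin-top-0"` now that it is the first child of the grid column, so the layout should be unchanged.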
Expand Down Expand Up @@ -269,7 +254,7 @@ <h5>Additional Requirements</h5>
<li>The agency provides proof of a contract award for the use of the CSO</li>
<li>The agency and CSP demonstrate use of the service offering to the PMO <strong>Note:</strong> An email from the Agency AO stating the instance of the CSO undergoing Authorization is being used by the agency will meet this requirement</li>
<li>The CSO is currently listed as FedRAMP Ready on the Marketplace</li>
<li>Completion of a formal FedRAMP facilitated Kickoff Meeting that includes the agency, CSP, FedRAMP PMO, and, if applicable, 3PAO</li>
<li>Completion of a formal FedRAMP Kickoff Meeting that includes the agency, CSP, and, if applicable, 3PAO</li>
</ol>
<h4>Kickoff Meetings</h4>
<p>The purpose of the Kickoff Meeting is to formally begin the agency authorization process by introducing key team members, reviewing the Cloud Service Offering, and ensuring all stakeholders are aligned on the overall process. Kickoffs are meant to be in service of the CSP and Agency partnership. While a CSP may achieve In Process through other means, the PMO strongly encourages CSPs and agencies to conduct a Kickoff Meeting as outlined in the <a href="#">Agency Authorization Playbook.</a></p>
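Review bot: Dropping "FedRAMP PMO" from the attendee list in `<li>Completion of a formal FedRAMP Kickoff Meeting that includes the agency, CSP, and, if applicable, 3PAO</li>` while keeping the word "formal FedRAMP" leaves it unclear who convenes the meeting, and the unchanged "Kickoff Meetings" paragraph below still says "the PMO strongly encourages CSPs and agencies to conduct a Kickoff Meeting". Either name the facilitator or drop "formal FedRAMP", and while this region is being edited, the `<a href="#">Agency Authorization Playbook.</a>` placeholder link should get a real URL.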
Expand All @@ -293,7 +278,7 @@ <h4>Change in Initial Agency Partner or Authorizing Official</h4>
<p>If a CSP changes agency partners during the initial authorization, the requirements listed above must be followed by the new agency. Upon fulfillment of the requirements, the Marketplace listing will be updated to include the new agency and FedRAMP In Process date. If the Agency AO changes while a CSP is listed as In Process, <u>the FedRAMP PMO must be notified within 30 days</u> and must receive a new In Process Request notification from the new AO.</p>

<h4>Questions Regarding In Process Timeline</h4>
<p>The FedRAMP Marketplace displays the date a CSO was listed as In Process with the JAB or an agency. Questions regarding the status or progress toward FedRAMP Authorization for a FedRAMP In Process CSO should be directed to the CSP’s email address listed on their Marketplace page, or <a href="mailto:[email protected]">[email protected]</a>.</p>
<p>The FedRAMP Marketplace displays the date a CSO was listed as In Process. Questions regarding the status or progress toward FedRAMP Authorization for a FedRAMP In Process CSO should be directed to the CSP’s email address listed on their Marketplace page, or <a href="mailto:[email protected]">[email protected]</a>.</p>

<h4>Department of Defense Requirements</h4>
<p>CSPs pursuing initial authorization with a Department of Defense (DoD) component agency at DoD IL-2 may work towards initial FedRAMP Authorization at the Moderate baseline. The service offering must be configured as a multi-tenant environment that is capable of hosting any federal agency customer. Service offerings that are built for DoD-only use may not achieve initial authorization via FedRAMP, and instead should work with the Defense Information Systems Agency (DISA) for initial authorization. Additionally, CSPs pursuing initial authorization with DoD component agencies at DoD IL-4 or higher must first authorize their CSO via DISA. More information can be found within the <a href=https://public.cyber.mil/dccs/>Cloud Computing Security Requirements Guide</a> and the <a href=https://storefront.disa.mil/kinetic/disa/service-catalog#/forms/assessments-and-authorizations>DoD Cloud Authorization Services (DCAS)</a> website (CAC required). If you have questions, please reach out to DISA’s hotline mailbox: [email protected]. </p>
Expand All @@ -315,44 +300,22 @@ <h4>Department of Defense Requirements</h4>
</div>
<div class="full-col desktop:grid-col-10 desktop:padding-left-4">
<h3 class="margin-top-0">FedRAMP Authorized</h3>
<p class="padding-bottom-2">The FedRAMP Authorized designation is provided to CSOs that have successfully completed the FedRAMP Authorization process with the JAB or a federal agency. FedRAMP Authorized indicates FedRAMP requirements have been met, and that a CSO’s security package is available for agency reuse. </p>
<p class="padding-bottom-2">The FedRAMP Authorized designation is provided to CSOs that have successfully completed and maintain a FedRAMP Authorization. FedRAMP Authorized indicates FedRAMP requirements have been met, and that a CSO’s security package is available for agency reuse. </p>
</div>
</div>


<div class="grid-row">
<div class="desktop:grid-col-12 margin-bottom-3 desktop:margin-bottom-0">
<h4 class="margin-top-0">JAB Provisional Authorization</h4>
<p>Cloud services that are FedRAMP In Process with the JAB can shift to FedRAMP Authorized once the following events have occurred:</p>

<ol>
<li>The JAB reviews the security package for the CSO
<ul>
<li>CSPs and 3PAOs support JAB Technical Reviewers (TRs) during their review, and
participate in regular meetings with the PMO and JAB TRs to address questions </li>
</ul>
</li>
<li>The CSP submits accurate and complete monthly continuous monitoring (ConMon) deliverables (e.g., scan files, Plan of Action & Milestones [POA&M], and up-to-date inventory) to the JAB throughout the review</li>
<li>The CSP and 3PAO remediate system and documentation issues as needed following completion of the JAB review, ensuring all JAB TR comments are appropriately addressed</li>
<li>The JAB validates the CSP and 3PAO remediation efforts</li>
<li>The JAB issues a letter granting a P-ATO for the CSO to the CSP
<ul>
<li>The P-ATO letter is signed by the CIOs of the Department of Defense, the
Department of Homeland Security, and the General Services Administration.</li>
</ul>
</li>
</ol>
<p>Once a P-ATO letter is provided to a CSP, the Marketplace listing for the service offering will be updated to reflect its FedRAMP Authorized designation and the date of authorization. </p>

<h4>Agency Authorization</h4>
<h4 class="margin-top-0">FedRAMP Authorization when Partnering with Federal Agencies</h4>
<p>CSOs that are In Process with an agency can shift to FedRAMP Authorized once the following events have occurred:</p>
<ol>
<li>An agency grants an ATO for the CSO (FedRAMP does not accept Interim ATOs or ATUs (Authority to Use) to trigger the FedRAMP PMO’s review of a security package. All ATOs submitted to the PMO must have a minimum timeframe of 1 year.)</li>
<li>The CSP and 3PAO upload all required security package materials to their secure FedRAMP repository (MAX.gov for packages Authorized below the High baseline, their own repository for packages Authorized at the High baseline)</li>
<li>The CSP and 3PAO upload all required security package materials to their secure FedRAMP repository (Connect.gov for packages Authorized below the High baseline, their own repository for packages Authorized at the High baseline)</li>
<li>The FedRAMP PMO reviews the package and releases an Agency Authorization Review Report

<ul>
<li>If necessary, the FedRAMP PMO schedules a review meeting with the agency,CSP, and 3PAO to discuss questions and gain clarity on outstanding items reflected in the Agency Package Review Report. Updates to the package may be requested by the FedRAMP PMO. </li>
<li>If necessary, the FedRAMP PMO schedules a review meeting with the agency, CSP, and 3PAO to discuss questions and gain clarity on outstanding items reflected in the Agency Package Review Report. Updates to the package may be requested by the FedRAMP PMO. </li>
</ul>
</li>
</ol>
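Review bot: The MAX.gov to Connect.gov change in `<li>The CSP and 3PAO upload all required security package materials to their secure FedRAMP repository (Connect.gov for packages Authorized below the High baseline, ...)</li>` is a process change separate from the JAB removal and should be called out in the PR description; the only other MAX.gov mention visible here was in the deleted JAB list, but the collapsed Readiness and In Process regions may still name MAX.gov, so grep the file so the two repository names do not coexist. The "agency, CSP" spacing fix in the review-meeting bullet is a good catch.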
Expand Down Expand Up @@ -389,14 +352,12 @@ <h4>FedRAMP In Process</h4>
<ul>
<li>The authorization timeline for a CSO has exceeded 12 months as In Process.</li>
<li>An agency or CSP informs the FedRAMP PMO that they are no longer working with a CSP for FedRAMP Authorization.</li>
<li>The JAB deprioritizes a CSP for a JAB P-ATO.</li>
</ul>

<h4>FedRAMP Authorized</h4>
<ul>
<li>A CSO no longer has at least one ATO on file validating the use and continuous monitoring oversight of the service at a federal agency.</li>
<li>The ongoing security posture of a CSO, as demonstrated through continuous monitoring, is insufficient for federal government use.</li>
<li>JAB Authorized CSOs do not demonstrate sufficient federal government demand.</li>
</ul>
</div>
</div>