A Farewell to the JAB

The FedRAMP JAB is gone. What are the next steps, and what does it mean for you?

The Federal Risk and Authorization Management Program (FedRAMP) has been a cornerstone for ensuring the security of cloud services used by federal agencies. Recently, significant changes to the program - specifically the sunset of the Joint Authorization Board (JAB) - have sparked discussions across the cloud computing landscape.

“What was the JAB?”

The JAB was a governing body for FedRAMP, made up of representatives from the General Services Administration (GSA), the Department of Defense (DoD), and the Department of Homeland Security (DHS). Historically, Cloud Service Providers seeking a FedRAMP authorization could obtain one through either an Agency authorization or a JAB authorization, which would be reflected on their product’s page in the FedRAMP Marketplace.

“What changed?”

The JAB is no more - the governance role previously held by the JAB is now held by the new FedRAMP Board, and there is no longer a JAB authorization designation anymore or a path for JAB authorizations. All authorized Cloud Services will simply be designated as “FedRAMP Authorized” in the Marketplace.

“What does this mean for CSPs that were previously JAB Authorized?”

FedRAMP has indicated that Continuous Monitoring activities will be conducted by one of the former JAB agencies or FedRAMP itself during this transition period. In the meantime, FedRAMP is working to help identify new agency sponsors for all of the JAB Authorized CSPs. FedRAMP PMO’s goal is to transition all Cloud Service Offerings by October 31, 2024.

In an FAQ session held on August 14th, the FedRAMP PMO announced that they are working on creating new templates for multi-agency Collaborative Continuous Montorint (ConMon), and will be updating all existing FedRAMP documentation and guidance to remove JAB-specific requirements and references. One of the most noteworthy changes is that FedRAMP will no longer require JAB-to-JAB external service restrictions. Instead, these requirements will be up to the sponsoring agency. Since no new Cloud offerings will be JAB authorized, this poses a unique challenge to navigate with Agency sponsors.

“What steps should I be taking now?”

If you are a CSP that was previously JAB authorized, the FedRAMP PMO should already be working directly with you to identify a new sponsor. If they haven’t reached out, you should contact them immediately to ensure you are set up for success with the October transition date looming. In the meantime, CSPs should engage with agencies using their Cloud Service Offering to see if they would be willing to assume the sponsor responsibility as well. If you aren’t already, you should also be participating in continuous Collaborative ConMon meetings, where questions of sponsorship can also be discussed.

Since your organization may be having trouble navigating the transition from JAB to Agency authorization, or may need support with the Collaborative ConMon and other FedRAMP program requirements, then let’s talk - Hive Systems can help! Reach out to us today to learn more about our FedRAMP Readiness and Operations services, where our team of experts can support you through this critical transition.