Can a CSP simply go from an agency ATO to a JAB P-ATO without going through the JAB Authorization effort?

Expert centerCategory: CybersecurityCan a CSP simply go from an agency ATO to a JAB P-ATO without going through the JAB Authorization effort?
Renjisha Staff asked 8 months ago
1 Answers
Benson Staff answered 8 months ago

A CSP interested in transitioning their Agency ATO to a JAB P-ATO must go through the JAB P-ATO process. Each Agency can accept varying levels of risk, per FISMA, when granting an ATO. The JAB works in a similar fashion, in that they must review the entire authorization package to understand associated risk with the system and make a decision whether or not to issue a JAB P-ATO. The JAB P-ATO provides the agency community with the assurance that the JAB entities (DoD, DHS, and GSA CIOs) reviewed the package and deemed the risk to be acceptable for agencies to issue their own ATOs. The JAB cannot accept risk on behalf of any agency which is why the JAB authorization is titled a “Provisional Authorization.”  If an agency decides to use a system with a Provisional Authorization, the agency will need to issue its own ATO letter to indicate that they accept the risk associated with using the system. We ask that these ATOs are sent to info@fedramp.gov for record-keeping and incident response notifications. 

A JAB Provisional Authorization may not necessarily be optimal for every system and every CSP. In general, the JAB grants Provisional Authorizations for those systems leveraged government wide. FedRAMP was designed with the objective to authorize a system once and reuse that authorization many times. If a CSP only has one or two agency customers showing interest in using their system, it is just as efficient for the CSP to obtain an authorization directly through the one agency of interest.