diff --git a/_data/navbar.yml b/_data/navbar.yml index d57481d8f..1868e3c24 100755 --- a/_data/navbar.yml +++ b/_data/navbar.yml @@ -13,6 +13,11 @@ assigned: permalink: /updates/changelog/ show_in_menu: true show_in_footer: false + - text: JAB Transition + href: updates/jab-transition.md + permalink: /updates/jab/ + show_in_menu: true + show_in_footer: false - text: Policy & Guidance Changes href: updates/policy-and-guidance.md permalink: /updates/policy-and-guidance/ diff --git a/pages/updates/changelog.md b/pages/updates/changelog.md index b2f2c64db..9de33a5f8 100644 --- a/pages/updates/changelog.md +++ b/pages/updates/changelog.md @@ -11,6 +11,9 @@ summary: ## December, 2024 (FY25 Q1) +- 2024-12-13: Added a [Joint Authorization Board(JAB) Transition](/updates/jab) + page to show progress on implementation of M-24-15 with the rescission of the + JAB. - 2024-12-10: Updated content on [Governance page](/governance) to accurately explain various FedRAMP stakeholders after changes in M-24-15. - 2024-12-06: Updated content on [the FedRAMP Platform](/updates/platform) to diff --git a/pages/updates/jab-transition.md b/pages/updates/jab-transition.md index e69de29bb..af2b1d978 100644 --- a/pages/updates/jab-transition.md +++ b/pages/updates/jab-transition.md 
@@ -0,0 +1,202 @@ +--- +layout: base-markdown +title: Joint Authorization Board (JAB) Transition +tab-title: JAB Transition +permalink: /updates/jab/ +redirect_from: /jab +summary: Joint Authorization Board (JAB) Transition +--- + +In 2022 Congress passed the +[FedRAMP Authorization Act](https://www.congress.gov/117/bills/hr7776/BILLS-117hr7776enr.pdf#page=1055) +which required the establishment of a FedRAMP Board, replacing the JAB, to +oversee the overall health and performance of FedRAMP and work within the +federal community to expand the authorization capacity of the FedRAMP ecosystem. +The Act also required the Office of Management and Budget (OMB) to +[issue guidance](https://www.whitehouse.gov/wp-content/uploads/2024/07/M-24-15-Modernizing-the-Federal-Risk-and-Authorization-Management-Program.pdf) +to accelerate the adoption of secure cloud products and services across the +Federal government. Together, these began a series of shifts that are altering +the way FedRAMP operates as a program. + +Historically, the JAB, consisting of the Chief Information Officers of the +Department of Defense (DOD), the Department of Homeland Security (DHS), and the +General Services Administration (GSA), along with their technical +representatives, approved cloud service offerings for FedRAMP authorization and +monitored the security of offerings it authorized. + +Today, the JAB is no longer monitoring cloud services as a unified entity or +authorizing new cloud services. FedRAMP is providing the coordination for both +the systems previously prioritized for potential JAB Authorization and the +previously Authorized JAB Systems. + +Transparency is important as work continues with the JAB transition. The overall +plan is documented in more detail below. Progress will be updated regularly. + +## Systems Previously Prioritized for Potential JAB Authorization + +FedRAMP is committed to ensuring the previously prioritized systems have a +pathway to authorization. 
Thirteen cloud service offerings (CSO) were +prioritized for review by the JAB. Of the 13 CSOs in the JAB queue, ten are +continuing to pursue authorization. All of these systems have: + +- completed FedRAMP Readiness assessments that align with previous JAB + standards; +- been assessed by FedRAMP-recognized 3PAOs; and +- a complete security package ready to review for authorization. + +First, FedRAMP is working with these CSOs to find partner federal agencies. In +addition, FedRAMP is developing a new program authorization path and the +capacity to perform program authorizations. Since our +[August blog post](https://www.fedramp.gov/2024-08-12-moving-to-one-fedramp-authorization-an-update-on-the-jab-transition/), +FedRAMP has worked with one CSO who received authorization and has supported +multiple in obtaining agency partners. + +## Previously Authorized JAB Systems + +FedRAMP is taking a two-phased approach to transition oversight for the 58 +formerly JAB Authorized systems to the DOD, DHS, GSA, FedRAMP or agency +customers: + +- **Phase I:** + + - Ia: Identify new designated lead agencies from DOD, DHS, GSA, or FedRAMP. + (Complete) + - Ib: 30 day transition period for each system. (In Process) + +- **Phase II:** + - IIa: Work with agency customers to ensure enrollment in continuous + monitoring activities. + - IIb: Re-assign designated leads for CSOs initially designated to FedRAMP to + agency customers + +Continuous monitoring responsibilities include reviewing monthly POA&M, +Inventory and Vulnerability Scan submissions, reviewing Significant Change +Requests, and reviewing and approving Annual Assessments. FedRAMP will continue +to work with these formerly JAB Authorized CSPs to create the one-page system +overview document that all these systems previously delivered under the JAB. + +### Phase I + +Phase I of the transition began in late October of 2024 and will run through +December 2024 lasting a minimum of 30 days for each CSO. 
During this phase, we +assigned designated lead agencies from one of the former JAB agencies or FedRAMP +that aligns with the agency currently using the system while transitioning off +the former JAB reviewers. + +A +[designation letter](/assets/resources/templates/FedRAMP-JAB-Transition-Designation-Letter-Template.pdf) +for each system enumerates the designated lead’s responsibilities and will be +uploaded to each system’s continuous monitoring folder in their respective +secure repository. FedRAMP will continue to process one-page continuous +monitoring summaries for each of these systems for up to one year from the +transition date. Once a system transitions, the former P-ATO letters will +terminate. A comprehensive list of the formerly 58 JAB authorized systems can be +found below. + +### Phase II + +After the initial 30-day transition – and with FedRAMP’s support – designated +lead agencies will set up multi-agency continuous monitoring. Customer agencies +are encouraged to join continuous monitoring meetings with the CSPs to allow for +more transparency and a deeper understanding of the continuous monitoring +activities. If you are an agency using, or interested in using, one of these +systems and would like to be involved in continuous monitoring activities, +please contact the email address on the signed designation letter for that CSP. + +For systems transitioned to DOD, DHS, and GSA, the newly designated lead agency +will be the primary on continuous monitoring activities going forward. FedRAMP +will validate that designated lead agencies and cloud providers have set up +collaborative continuous monitoring, ensuring agency visibility into the +security posture of the system, and a central forum for addressing questions for +the cloud provider. + +For systems that were initially transitioned to FedRAMP, we will be contacting +agency customers to identify a new designated lead. 
FedRAMP cannot support +continuous monitoring for all of these systems, so agency participation will be +required to ensure the continuous monitoring and oversight of these systems +going forward. + +## List of 58 Previously JAB Authorized Systems + +_Note: Designated Leads may change over time and be updated as changes are +made._ + +| FedRAMP ID | CSP | CSO | Designated Lead | +| ------------------------------------------------------------------------- | --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------- | +| [FR1703752011](https://marketplace.fedramp.gov/products/FR1703752011) | Axon | US Axon FedCloud - High | DHS | +| [F1301251880](https://marketplace.fedramp.gov/products/F1301251880) | Economic Systems | Economic Systems Federal Human Resources Navigator | DHS | +| [F1209051525](https://marketplace.fedramp.gov/products/F1209051525) | Microsoft | Azure Commercial Cloud | DHS | +| [F1603087869](https://marketplace.fedramp.gov/products/F1603087869) | Microsoft | Azure Government (includes Dynamics 365) | DHS | +| [F1305072116](https://marketplace.fedramp.gov/products/F1305072116) | ServiceNow | ServiceNow Government Community Cloud | DHS | +| [FR2227062482](https://marketplace.fedramp.gov/products/FR2227062482) | Zscaler, Inc. | Zscaler Internet Access - Government (Secure Web Gateway - vTIC) - High | DHS | +| [FR1719759604](https://marketplace.fedramp.gov/products/FR1719759604) | Zscaler, Inc. 
| Zscaler Private Access - Government (Zero Trust Networking - VPN Replacement) | DHS | +| [F1603047866](https://marketplace.fedramp.gov/products/F1603047866) | Amazon | AWS GovCloud | DOD | +| [AGENCYAMAZONEW](https://marketplace.fedramp.gov/products/AGENCYAMAZONEW) | Amazon | AWS US East/West | DOD | +| [F1603157879](https://marketplace.fedramp.gov/products/F1603157879) | Apptio an IBM company | Apptio for Technology Business Management and Cloud Financial Management (TBM) | DOD | +| [FR1722160191](https://marketplace.fedramp.gov/products/FR1722160191) | CORAS | CORAS Federal | DOD | +| [FR1802451335](https://marketplace.fedramp.gov/products/FR1802451335) | Human Resources Technologies, Inc. (HRTec) | Federal High Impact Virtualized Environment (FedHIVE) | DOD | +| [F1206081363](https://marketplace.fedramp.gov/products/F1206081363) | IBM | SmartCloud for Government (Suspended) | DOD | +| [FR1900048743](https://marketplace.fedramp.gov/products/FR1900048743) | Oracle | Oracle Cloud Infrastructure-Government Cloud | DOD | +| [F1209041518](https://marketplace.fedramp.gov/products/F1209041518) | Oracle | Oracle Federal Managed Cloud Services | DOD | +| [F1508277234](https://marketplace.fedramp.gov/products/F1508277234) | Oracle | Government Cloud - Common Controls | DOD | +| [F1206061351](https://marketplace.fedramp.gov/products/F1206061351) | Oracle | Oracle Service Cloud (OSvC) | DOD | +| [F1510137547](https://marketplace.fedramp.gov/products/F1510137547) | Rackspace Government Solutions | Rackspace Government Cloud | DOD | +| [FR1719841002](https://marketplace.fedramp.gov/products/FR1719841002) | SAP National Security Services Inc. 
(SAP NS2) | SAP NS2 Cloud Intelligent Enterprise | DOD | +| [FR2230252267](https://marketplace.fedramp.gov/products/FR2230252267) | Slack Technologies | GovSlack | DOD | +| [FR1730866868](https://marketplace.fedramp.gov/products/FR1730866868) | Smartsheet | Smartsheet Gov | DOD | +| [FR1901136437](https://marketplace.fedramp.gov/products/FR1901136437) | Synergetics Incorporated | Open Federal Logistics Information System (OpenFLIS) (Synergetics) | DOD | +| [FR1907847653](https://marketplace.fedramp.gov/products/FR1907847653) | TeleTech (TTEC) Services Corporation | Humanify Enterprise - Government (Humanify Enterprise - G) | DOD | +| [FR1916163735](https://marketplace.fedramp.gov/products/FR1916163735) | VMware, Inc. | VMware Government Services (VGS) by Broadcom | DOD | +| [FR1825941347](https://marketplace.fedramp.gov/products/FR1825941347) | Zoom Video Communications, LLC | Zoom for Government | DOD | +| [F1607067912](https://marketplace.fedramp.gov/products/F1607067912) | CG-TTS | [Cloud.Gov](http://Cloud.Gov) | FedRAMP | +| [FR1704369518](https://marketplace.fedramp.gov/products/FR1704369518) | Accenture Federal Services | Accenture Insights Platform (AIP) For Government | FedRAMP | +| [FR2104942200](https://marketplace.fedramp.gov/products/FR2104942200) | Acuant, Inc. 
| Connect, Ozone, & Facial Recognition System (COFRS) | FedRAMP | +| [F1509037236](https://marketplace.fedramp.gov/products/F1509037236) | Adobe | Adobe Connect Managed Services (ACMS-GC) | FedRAMP | +| [F1509037239](https://marketplace.fedramp.gov/products/F1509037239) | Adobe | Adobe Experience Manager Managed Services (AEMMS-GC) | FedRAMP | +| [F1206061353](https://marketplace.fedramp.gov/products/F1206061353) | Akamai | Content Delivery Services | FedRAMP | +| [F1206061350](https://marketplace.fedramp.gov/products/F1206061350) | CGI Federal | CGI Federal IaaS Cloud | FedRAMP | +| [FR2022243058](https://marketplace.fedramp.gov/products/FR2022243058) | CGI Federal | Momentum Enterprise Suite | FedRAMP | +| [FR2113748549](https://marketplace.fedramp.gov/products/FR2113748549) | Cisco Systems Inc. | WebEx Contact Center Enterprise for Government (WxCCE-G) | FedRAMP | +| [FR1819254092](https://marketplace.fedramp.gov/products/FR1819254092) | Citrix | Citrix for Government | FedRAMP | +| [FR2128562231](https://marketplace.fedramp.gov/products/FR2128562231) | Collabware | Collabspace | FedRAMP | +| [FR1815734543](https://marketplace.fedramp.gov/products/FR1815734543) | Gordian | Gordian Federal Cloud powered by RSMeans Data | FedRAMP | +| [F1311252652](https://marketplace.fedramp.gov/products/F1311252652) | Granicus | Granicus GovDelivery Communications Cloud | FedRAMP | +| [F1211011660](https://marketplace.fedramp.gov/products/F1211011660) | IBM | IBM Cloud for Government | FedRAMP | +| [F1208031461](https://marketplace.fedramp.gov/products/F1208031461) | IBM | MaaS360 Enterprise Mobility Management | FedRAMP | +| [FR1710033970](https://marketplace.fedramp.gov/products/FR1710033970) | Infor | Infor Government Solutions (IGS) Software as a Service | FedRAMP | +| [F1303221956](https://marketplace.fedramp.gov/products/F1303221956) | IT-CNP | GovDataHosting Cloud Platform | FedRAMP | +| [FR1927682057](https://marketplace.fedramp.gov/products/FR1927682057) | M.C. 
Dean, Inc. | InfraLink | FedRAMP | +| [F1303191948](https://marketplace.fedramp.gov/products/F1303191948) | MAXIMUS Inc. | MAXIMUS Cloud | FedRAMP | +| [FR1711262842](https://marketplace.fedramp.gov/products/FR1711262842) | Medallia, Inc. | Medallia GovCloud | FedRAMP | +| [FR2206159758](https://marketplace.fedramp.gov/products/FR2206159758) | Merlin International | Constellation GovCloud (CGC) | FedRAMP | +| [F1311222650](https://marketplace.fedramp.gov/products/F1311222650) | MIS Sciences Corporation | MIS GovPoint Cloud Services | FedRAMP | +| [F1309252456](https://marketplace.fedramp.gov/products/F1309252456) | Rectitude 369 | Rectitude 369 Government Cloud (Formerly GDT) | FedRAMP | +| [FR1915765924](https://marketplace.fedramp.gov/products/FR1915765924) | Repario | Repario Government Solutions (RGS) | FedRAMP | +| [FR2102652499](https://marketplace.fedramp.gov/products/FR2102652499) | RSA Security LLC | RSA(R) ID Plus for Government | FedRAMP | +| [F1506096710](https://marketplace.fedramp.gov/products/F1506096710) | Skyhigh Security | Skyhigh Security Service Edge (SSE) Government Cloud Services (Cloud Access Security Broker (CASB) & Secure Web Gateway (SWG) for Cloud) (Formerly McAfee MVISION) | FedRAMP | +| [F1301091856](https://marketplace.fedramp.gov/products/F1301091856) | Virtustream | Federal Cloud (VFC) | FedRAMP | +| [FR1730334049](https://marketplace.fedramp.gov/products/FR1730334049) | Xerox Corporation | Xerox Managed Print Services for US Government | FedRAMP | +| [FR1805751477](https://marketplace.fedramp.gov/products/FR1805751477) | Google | Google Services (Google Cloud Platform Products and underlying Infrastructure) | GSA | +| [F1206081364](https://marketplace.fedramp.gov/products/F1206081364) | Google | Google Workspace | GSA | +| [F1603297883](https://marketplace.fedramp.gov/products/F1603297883) | Lookout, Inc. 
| Lookout Security Platform | GSA | +| [F1301101857](https://marketplace.fedramp.gov/products/F1301101857) | OpenText | Fortify on Demand | GSA | +| [FR2003061248](https://marketplace.fedramp.gov/products/FR2003061248) | Salesforce | Salesforce Government Cloud Plus | GSA | + +## List of 10 Remaining Systems Previously Prioritized by the JAB for potential authorization + +_Note: Check the Marketplace link for the latest status on each of the systems +below._ + +| FedRAMP ID | CSP | CSO | +| ----------------------------------------------------------------------- | -------------------- | ------------------------------------------------- | +| [FR2317253567](https://marketplace.fedramp.gov/products/FR2317253567) | Palo Alto | GCS-HIGH | +| [FR2300457485](https://marketplace.fedramp.gov/products/FR2300457485) | Project Hosts | GSS One - AWS | +| [FR2231052341](https://marketplace.fedramp.gov/products/FR2231052341) | Qualys | Qualys Government Platform | +| [FR2307441316](https://marketplace.fedramp.gov/products/FR2307441316) | Absolute | Absolute Secure Endpoint Product Suite | +| [FR2124663764](https://marketplace.fedramp.gov/products/FR2124663764) | KBR | KBR Vaault | +| [FR1807853629A](https://marketplace.fedramp.gov/products/FR1807853629A) | Crowdstrike | CrowdStrike Falcon Platform for Government - High | +| [FR2405153785](https://marketplace.fedramp.gov/products/FR2405153785) | Google | Google Cloud VMware Engine (GCVE) | +| [FR2214150164](https://marketplace.fedramp.gov/products/FR2214150164) | Quzara | Quzara Cybertorch (SOC-as-a-Service) | +| [FR2335047392](https://marketplace.fedramp.gov/products/FR2335047392) | 3rd Eye Technologies | Mystic Message Archival | +| [FR2403936773](https://marketplace.fedramp.gov/products/FR2403936773) | Telos | Xacta SaaS | +
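Review bot: In `_data/navbar.yml`, the new entry's `permalink: /updates/jab/` does not follow the slug of its source file, unlike the neighbouring entry (`updates/policy-and-guidance.md` served at `/updates/policy-and-guidance/`). Consider `/updates/jab-transition/` so the URL matches `href: updates/jab-transition.md`, or say in the commit message that the short path is deliberate. If it changes, the `permalink` in the new page's front matter and the link in the changelog entry need the same update.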
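Review bot: In `pages/updates/changelog.md`, the link text of the added 2024-12-13 entry, `Joint Authorization Board(JAB) Transition`, is missing the space before `(JAB)`; the new page's front matter spells the title `Joint Authorization Board (JAB) Transition`. The target `/updates/jab` also drops the trailing slash that the page declares in `permalink: /updates/jab/`. The neighbouring entries link the same way (`/governance`, `/updates/platform`), so keep it if that is the file's convention, but confirm the link resolves without a redirect.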
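Review bot: In `pages/updates/jab-transition.md`, the CG-TTS row of the 58-system table has `[Cloud.Gov](http://Cloud.Gov)` in the CSO column, which is the only linked CSO name in either table and the only plain `http` URL on the page. Use the plain text `Cloud.Gov` like the other rows, or an `https` link if a link is wanted. Smaller points in the same file: list item IIb lacks the closing period the other phase items have, `30 day transition period` in Ib should be hyphenated to match `30-day transition` under Phase II, the CSP cell `Crowdstrike` disagrees with `CrowdStrike` in its own CSO cell, and the `(Complete)` and `(In Process)` statuses would be easier to rely on with a last-updated date, since the page promises that progress will be updated regularly.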