In 2022 Congress passed the FedRAMP Authorization Act which required the establishment of a FedRAMP Board, replacing the JAB, to oversee the overall health and performance of FedRAMP and work within the federal community to expand the authorization capacity of the FedRAMP ecosystem. The Act also required the Office of Management and Budget (OMB) to issue guidance to accelerate the adoption of secure cloud products and services across the Federal government. Together, these began a series of shifts that are altering the way FedRAMP operates as a program.
Historically, the JAB, consisting of the Chief Information Officers of the Department of Defense (DOD), the Department of Homeland Security (DHS), and the General Services Administration (GSA), along with their technical representatives, approved cloud service offerings for FedRAMP authorization and monitored the security of offerings it authorized.
Today, the JAB is no longer monitoring cloud services as a unified entity or authorizing new cloud services. FedRAMP is providing the coordination for both the systems previously prioritized for potential JAB Authorization and the previously Authorized JAB Systems.
Transparency is important as work continues with the JAB transition. The overall plan is documented in more detail below. Progress will be updated regularly.
Systems Previously Prioritized for Potential JAB Authorization
FedRAMP is committed to ensuring the previously prioritized systems have a pathway to authorization. Thirteen cloud service offerings (CSO) were prioritized for review by the JAB. Of the 13 CSOs in the JAB queue, ten are continuing to pursue authorization. All of these systems have:
- completed FedRAMP Readiness assessments that align with previous JAB standards;
- been assessed by FedRAMP-recognized 3PAOs; and
- a complete security package ready to review for authorization.
First, FedRAMP is working with these CSOs to find partner federal agencies. In addition, FedRAMP is developing a new program authorization path and the capacity to perform program authorizations. Since our August blog post, FedRAMP has worked with one CSO who received authorization and has supported multiple in obtaining agency partners.
Previously Authorized JAB Systems
FedRAMP is taking a two-phased approach to transition oversight for the 58 formerly JAB Authorized systems to the DOD, DHS, GSA, FedRAMP or agency customers:
-
Phase I:
- Ia: Identify new designated lead agencies from DOD, DHS, GSA, or FedRAMP. (Complete)
- Ib: 30 day transition period for each system. (In Process)
-
Phase II:
- IIa: Work with agency customers to ensure enrollment in continuous monitoring activities.
- IIb: Re-assign designated leads for CSOs initially designated to FedRAMP to agency customers
Continuous monitoring responsibilities include reviewing monthly POA&M, Inventory and Vulnerability Scan submissions, reviewing Significant Change Requests, and reviewing and approving Annual Assessments. FedRAMP will continue to work with these formerly JAB Authorized CSPs to create the one-page system overview document that all these systems previously delivered under the JAB.
Phase I
Phase I of the transition began in late October of 2024 and will run through December 2024 lasting a minimum of 30 days for each CSO. During this phase, we assigned designated lead agencies from one of the former JAB agencies or FedRAMP that aligns with the agency currently using the system while transitioning off the former JAB reviewers.
A designation letter for each system enumerates the designated lead’s responsibilities and will be uploaded to each system’s continuous monitoring folder in their respective secure repository. FedRAMP will continue to process one-page continuous monitoring summaries for each of these systems for up to one year from the transition date. Once a system transitions, the former P-ATO letters will terminate. A comprehensive list of the formerly 58 JAB authorized systems can be found below.
Phase II
After the initial 30-day transition – and with FedRAMP’s support – designated lead agencies will set up multi-agency continuous monitoring. Customer agencies are encouraged to join continuous monitoring meetings with the CSPs to allow for more transparency and a deeper understanding of the continuous monitoring activities. If you are an agency using, or interested in using, one of these systems and would like to be involved in continuous monitoring activities, please contact the email address on the signed designation letter for that CSP.
For systems transitioned to DOD, DHS, and GSA, the newly designated lead agency will be the primary on continuous monitoring activities going forward. FedRAMP will validate that designated lead agencies and cloud providers have set up collaborative continuous monitoring, ensuring agency visibility into the security posture of the system, and a central forum for addressing questions for the cloud provider.
For systems that were initially transitioned to FedRAMP, we will be contacting agency customers to identify a new designated lead. FedRAMP cannot support continuous monitoring for all of these systems, so agency participation will be required to ensure the continuous monitoring and oversight of these systems going forward.
JAB Transition FAQs are located in the FedRAMP Help Center. If you have questions not addressed in any of these FAQs, please contact info@fedramp.gov for more information.
List of 58 Previously JAB Authorized Systems
Note: Designated Leads may change over time and be updated as changes are made.
| FedRAMP ID | CSP | CSO | Designated Lead |
|---|---|---|---|
| FR1703752011 | Axon | US Axon FedCloud - High | DHS |
| F1301251880 | Economic Systems | Economic Systems Federal Human Resources Navigator | DHS |
| F1209051525 | Microsoft | Azure Commercial Cloud | DHS |
| F1603087869 | Microsoft | Azure Government (includes Dynamics 365) | DHS |
| F1305072116 | ServiceNow | ServiceNow Government Community Cloud | DHS |
| FR2227062482 | Zscaler, Inc. | Zscaler Internet Access - Government (Secure Web Gateway - vTIC) - High | DHS |
| FR1719759604 | Zscaler, Inc. | Zscaler Private Access - Government (Zero Trust Networking - VPN Replacement) | DHS |
| F1603047866 | Amazon | AWS GovCloud | DOD |
| AGENCYAMAZONEW | Amazon | AWS US East/West | DOD |
| F1603157879 | Apptio an IBM company | Apptio for Technology Business Management and Cloud Financial Management (TBM) | DOD |
| FR1722160191 | CORAS | CORAS Federal | DOD |
| FR1802451335 | Human Resources Technologies, Inc. (HRTec) | Federal High Impact Virtualized Environment (FedHIVE) | DOD |
| F1206081363 | IBM | SmartCloud for Government (Suspended) | DOD |
| FR1900048743 | Oracle | Oracle Cloud Infrastructure-Government Cloud | DOD |
| F1209041518 | Oracle | Oracle Federal Managed Cloud Services | DOD |
| F1508277234 | Oracle | Government Cloud - Common Controls | DOD |
| F1206061351 | Oracle | Oracle Service Cloud (OSvC) | DOD |
| F1510137547 | Rackspace Government Solutions | Rackspace Government Cloud | DOD |
| FR1719841002 | SAP National Security Services Inc. (SAP NS2) | SAP NS2 Cloud Intelligent Enterprise | DOD |
| FR2230252267 | Slack Technologies | GovSlack | DOD |
| FR1730866868 | Smartsheet | Smartsheet Gov | DOD |
| FR1901136437 | Synergetics Incorporated | Open Federal Logistics Information System (OpenFLIS) (Synergetics) | DOD |
| FR1907847653 | TeleTech (TTEC) Services Corporation | Humanify Enterprise - Government (Humanify Enterprise - G) | DOD |
| FR1916163735 | VMware, Inc. | VMware Government Services (VGS) by Broadcom | DOD |
| FR1825941347 | Zoom Video Communications, LLC | Zoom for Government | DOD |
| F1607067912 | CG-TTS | Cloud.Gov | FedRAMP |
| FR1704369518 | Accenture Federal Services | Accenture Insights Platform (AIP) For Government | FedRAMP |
| FR2104942200 | Acuant, Inc. | Connect, Ozone, & Facial Recognition System (COFRS) | FedRAMP |
| F1509037236 | Adobe | Adobe Connect Managed Services (ACMS-GC) | FedRAMP |
| F1509037239 | Adobe | Adobe Experience Manager Managed Services (AEMMS-GC) | FedRAMP |
| F1206061353 | Akamai | Content Delivery Services | FedRAMP |
| F1206061350 | CGI Federal | CGI Federal IaaS Cloud | FedRAMP |
| FR2022243058 | CGI Federal | Momentum Enterprise Suite | FedRAMP |
| FR2113748549 | Cisco Systems Inc. | WebEx Contact Center Enterprise for Government (WxCCE-G) | FedRAMP |
| FR1819254092 | Citrix | Citrix for Government | FedRAMP |
| FR2128562231 | Collabware | Collabspace | FedRAMP |
| FR1815734543 | Gordian | Gordian Federal Cloud powered by RSMeans Data | FedRAMP |
| F1311252652 | Granicus | Granicus GovDelivery Communications Cloud | FedRAMP |
| F1211011660 | IBM | IBM Cloud for Government | FedRAMP |
| F1208031461 | IBM | MaaS360 Enterprise Mobility Management | FedRAMP |
| FR1710033970 | Infor | Infor Government Solutions (IGS) Software as a Service | FedRAMP |
| F1303221956 | IT-CNP | GovDataHosting Cloud Platform | FedRAMP |
| FR1927682057 | M.C. Dean, Inc. | InfraLink | FedRAMP |
| F1303191948 | MAXIMUS Inc. | MAXIMUS Cloud | FedRAMP |
| FR1711262842 | Medallia, Inc. | Medallia GovCloud | FedRAMP |
| FR2206159758 | Merlin International | Constellation GovCloud (CGC) | FedRAMP |
| F1311222650 | MIS Sciences Corporation | MIS GovPoint Cloud Services | FedRAMP |
| F1309252456 | Rectitude 369 | Rectitude 369 Government Cloud (Formerly GDT) | FedRAMP |
| FR1915765924 | Repario | Repario Government Solutions (RGS) | FedRAMP |
| FR2102652499 | RSA Security LLC | RSA(R) ID Plus for Government | FedRAMP |
| F1506096710 | Skyhigh Security | Skyhigh Security Service Edge (SSE) Government Cloud Services (Cloud Access Security Broker (CASB) & Secure Web Gateway (SWG) for Cloud) (Formerly McAfee MVISION) | FedRAMP |
| F1301091856 | Virtustream | Federal Cloud (VFC) | FedRAMP |
| FR1730334049 | Xerox Corporation | Xerox Managed Print Services for US Government | FedRAMP |
| FR1805751477 | Google Services (Google Cloud Platform Products and underlying Infrastructure) | GSA | |
| F1206081364 | Google Workspace | GSA | |
| F1603297883 | Lookout, Inc. | Lookout Security Platform | GSA |
| F1301101857 | OpenText | Fortify on Demand | GSA |
| FR2003061248 | Salesforce | Salesforce Government Cloud Plus | GSA |
List of 10 Remaining Systems Previously Prioritized by the JAB for potential authorization
Note: Check the Marketplace link for the latest status on each of the systems below.
| FedRAMP ID | CSP | CSO |
|---|---|---|
| FR2317253567 | Palo Alto | GCS-HIGH |
| FR2300457485 | Project Hosts | GSS One - AWS |
| FR2231052341 | Qualys | Qualys Government Platform |
| FR2307441316 | Absolute | Absolute Secure Endpoint Product Suite |
| FR2124663764 | KBR | KBR Vaault |
| FR1807853629A | Crowdstrike | CrowdStrike Falcon Platform for Government - High |
| FR2405153785 | Google Cloud VMware Engine (GCVE) | |
| FR2214150164 | Quzara | Quzara Cybertorch (SOC-as-a-Service) |
| FR2335047392 | 3rd Eye Technologies | Mystic Message Archival |
| FR2403936773 | Telos | Xacta SaaS |
