The General Services Administration’s FedRAMP program announced that it extended the deadline for its Connect Business Cases to May 21, 2021.
FedRAMP Connect serves as the first step for cloud service providers (CSPs) pursuing a Provisional Authority to Operate (P-ATO) from the Joint Authorization Board (JAB). In the blog post updating the deadline, FedRAMP asks all interested parties to fully review the JAB Prioritization Guidance and Criteria, which were last updated in March 2020. In the guidance, FedRAMP says that due to funding, the Program Management Office (PMO) is only able to prioritize 12 Cloud Service Offerings (CSOs) per year.
The guidance further explains that FedRAMP uses the business case process to ensure it can select the “most impactful” CSOs for the JAB authorization process. During the review process, FedRAMP works with JAB, the Office of Management and Budget, and the Federal CIO Council to “fairly and consistently select CSOs to prioritize for JAB P-ATOs.”
CSPs are asked to submit a business case that consists of a PDF form and Excel spreadsheet gathering demand information for their CSO. FedRAMP said that this business case submission “provides a normalized view for comparison of CSOs and allows for consistent and fair reviews.”
In the guidance, FedRAMP notes that although FedRAMP Ready is not required to submit a business case, it is a heavily weighted criterion in the prioritization process. If prioritized via the business case process, selected CSOs must achieve the FedRAMP Ready designation within 60 days of being selected and complete and submit the security authorization package, to include the full Third Party Assessment Organization assessment, to the FedRAMP PMO within 90 days.
In addition to FedRAMP authorization status, FedRAMP says that demand is the primary criteria for prioritization. CSPs are required to provide verification of current or potential demand from the equivalent of six customers. FedRAMP said there are multiple ways for a CSP to prove demand for their CSO and noted that CSPs are not expected to meet all demand categories. The demand categories are intended to ensure that the CSPs’ product will be broadly used by a critical mass of Federal agencies.
The five demand categories are current agency use, potential agency use, OMB policy/priorities/shared services, and agency-defined demand.
While CSPs are required to put together the business case, FedRAMP does say, “If you are an agency customer that would like to see a CSP prioritized to work with the JAB, please share the above information with your service provider.”