Red Hat OpenShift Service on AWS obtains FedRAMP “Ready” designation

We’re pleased to announce that the Red Hat FedRAMP offering, which includes Red Hat OpenShift Service on AWS (ROSA), has obtained the “Ready” designation from the FedRAMP Joint Authorization Board (JAB). This means that Red Hat is now listed on the FedRAMP Marketplace as actively pursuing JAB authorization, with additional updates showing our progress and achievements across the two paths for authorization: The existing Agency Authority to Operate (ATO) listing and a separate listing for the JAB path. This is the next major milestone from our August 2023 update, where Red Hat was prioritized for an authorization from the JAB following our Readiness Assessment Report being accepted by the JAB.

But why are there two paths and two listings? There are two types of authorization granted as part of the FedRAMP certification process. Red Hat currently has an Agency authorization through the National Oceanic and Atmospheric Administration (NOAA) but Red Hat is now adding to its authorizations by working with the JAB to obtain a Provisional Authorization to Operate (P-ATO). By going through the JAB process, Red Hat’s ATO with NOAA is still valid and customers are still able to fully use and deploy Red Hat product offerings, which include ROSA and the approved Red Hat Insights for RHEL service, with full confidence.

Understanding JAB and a Look Forward

The JAB Authorization process has multiple stages designed around the “fail fast” principle, which aims to more quickly identify and remediate potential problems. As mentioned above, there are two paths to FedRAMP authorization- agency and JAB. One of the main differences between the JAB and Agency authorizations is that the JAB does not accept residual risk on behalf of potential future customers (e.g. agencies), leading the board to offer a “provisional” ATO. That means cloud service providers (CSPs), like Red Hat, are held to a higher standard than what an agency process can entail. Agencies can then review this authorization knowing that the strictest of standards were maintained.

Red Hat is currently in the middle of testing with a Third-Party Assessment Official (3PAO) for our FedRAMP JAB Security Assessment, which will bring us closer to our next goal of a Provisional Authority to Operate (P-ATO).

As Red Hat completes the JAB Security Assessment, where artifacts like the System Security Plan (SSP), authorization boundary diagrams, Plan of Actions and Milestones (POA&M), and various processes and procedures are reviewed, a Security Assessment Report (SAR) is issued to the JAB. Once the JAB determines that ROSA is successfully meeting government requirements, it will issue the P-ATO.

With a JAB authorization, Red Hat will be able to streamline its continuous monitoring practices to increase internal efficiency while delivering a highly scrutinized, leading managed platform. In the meantime, customers can continue to leverage Red Hat’s current FedRAMP Agency-authorized product.