The Joint Authorization Board (JAB) previously provided approval letters for annual assessments and significant changes. Now that the JAB no longer exists, will anyone provide these letters? How do agency customers know these have been approved?

Cloud Service Offerings (CSOs) that were previously authorized by the Joint Authorization Board (JAB) should engage directly with their agency customers. Approval letters previously delivered by the former JAB are no longer required. CSOs should implement collaborative continuous monitoring to include the review of system documentation and working with their agency customers to determine whether the CSO’s risk posture remains acceptable on an ongoing basis.