The Federal Risk and Authorization Management Program (FedRAMP) was created over a decade ago to provide a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services used by Federal agencies. Embracing the dynamic advancements in cloud technology, FedRAMP has recognized the importance of modernizing to keep pace with the rapid developments in the cloud landscape. The Office of Management and Budget (OMB) released a draft memorandum in October 2023 that outlined a comprehensive FedRAMP framework, emphasizing adaptability, automation and cooperation to address evolving cloud service requirements.
An Opportunity for Modernization
As technology continues to evolve, so do the opportunities for advancing cloud security across Federal agencies. With the expansion of cloud offerings and the increasing demand for cloud-based services, FedRAMP is undergoing a significant overhaul to meet the changing landscape. The new OMB FedRAMP guidance will replace the original guidance published in 2011, a year in which the cloud security climate looked drastically different and less complex than today. Changes to address the evolving threat landscape include accommodating tools for enterprise collaboration, product development and improving an enterprise’s own cybersecurity. With more than 300 services already authorized in the FedRAMP Marketplace, FedRAMP recognizes the need to add more solutions so that agencies have all the capabilities required to deliver on their missions.[1]
OMB aims to address these challenges by establishing a plan to scale the program, bolster security reviews of cloud solutions and accelerate Federal adoption. Drew Myklegard, the Deputy Federal CIO, said during CyberTalks, a gathering of the most influential leaders in cybersecurity and digital privacy, “There’s a lot of room in the FedRAMP process with friction and [manual] steps that are causing too long of times from when people identify a product that they need until they can employ it.” [2]
The New FedRAMP Guidance
Automation and Continuous Monitoring (ConMon) stand at the forefront of FedRAMP modernization, as the memo underscores the significance of automation and the use of machine-readable formats for authorization and ConMon artifacts. The new guidance will create a system for automating security assessments and reviews, and will expand on the initiative to obtain FedRAMP security artifacts solely through automated, machine-readable processes. The General Services Administration (GSA) also plans to update ConMon processes within 180 days and to accept only machine-readable artifacts within 18 months.
By automating security assessments and reviews, FedRAMP is looking to streamline the authorization process, reduce the time and cost of compliance, and improve the accuracy and consistency of security assessments. An added benefit is that automation will help identify and mitigate security risks more quickly and effectively, improving the overall security posture of cloud-based services used by the Federal Government.
The key changes proposed in the new guidance will:
- Reaffirm the presumption of adequacy established in the FedRAMP Authorization Act. This provision establishes that once a CSO achieves FedRAMP Authorization, Federal agencies must presume the offering has adequate security measures for a streamlined reauthorization.
- Recognize the transformation of the cloud marketplace and the need for FedRAMP to adjust its processes, originally tailored to a limited number of Infrastructure as a Service (IaaS) solutions, to now accommodate a vast and growing amount of Software as a Service (SaaS) solutions.
- Introduce a fast-track authorization program for agencies that have demonstrated mature authorization processes and frequently provide the FedRAMP Program Management Office (PMO) with high-quality authorization packages.
- Propose new authorization types: Joint-Agency and Program authorizations. The Joint Authorization Board (JAB) authorization option is evolving, with all existing JAB authorizations automatically transitioning to Joint-Agency authorizations upon the memorandum’s issuance. Joint-Agency authorizations can pool the resources of any Federal agency to review an authorization package, expanding beyond the DoD, DHS and GSA to include all relevant agencies.
- Define the roles and responsibilities of the newly established FedRAMP Board. The FedRAMP Authorization Act empowered OMB to assume a more active and leading role in FedRAMP, and this memo serves as a notable illustration of that increased involvement.
- Establish a preliminary “pilot” authorization category allowing agencies to test new cloud services for up to twelve months. This authorization pathway would provide agencies and CSPs with an expedited route to market, accelerating the availability of CSOs.
- Streamline authorizations for products that leverage FedRAMP-authorized Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) solutions, and for products that have been assessed against external security frameworks that evaluate relevant risks.
- Establish the Technical Advisory Group (TAG) to serve as an independent body of Federal Government employees that provides best practices to enhance the efficiency of FedRAMP’s operations.
Benefits for Federal Agencies
By scaling the program, more cloud service providers will be able to obtain FedRAMP authorization, increasing the availability of authorized cloud services for Federal agencies to use. This will enable agencies to more easily and quickly adopt cloud-based services that meet their specific needs.
Through enhanced security reviews of cloud service offerings, Federal agencies can gain increased confidence that the cloud services they use adhere to rigorous security standards. This in turn improves the overall security posture of Federal agencies and reduces the risk of data breaches.
Streamlining the authorization process and offering a broader range of authorized cloud services can help Federal agencies reduce the costs and administrative burden linked to duplicative security assessments. Overall, agencies will be able to leverage cloud-based services more efficiently and effectively to support their missions and better serve their citizens.
The Future of FedRAMP
Stakeholders are optimistic that the new OMB guidance will pave the way for a program that is more comprehensive, efficient and tailored to the current security environment. As more commercial providers become incentivized to pursue FedRAMP authorization, Federal agencies will have more options when it comes to cloud, and technology vendors will be better positioned to achieve FedRAMP authorization success.
To explore more in-depth insights into the OMB Memo, view the Carahsoft Guide to Modernizing the Federal Risk and Authorization Management Program (FedRAMP). To learn more about Carahsoft’s partner marketplace for FedRAMP certified cloud solutions, visit our FedRAMP portfolio and speak to a member of our team today.
Resources:
[1] “Office of Management and Budget Releases Draft Memorandum for Modernizing the Federal Risk and Authorization Management Program (FedRAMP).” The White House, https://www.whitehouse.gov/omb/briefing-room/2023/10/27/office-of-management-and-budget-releases-draft-memorandum-for-modernizing-the-federal-risk-and-authorization-management-program-fedramp/.
[2] “OMB extends comment period for new FedRAMP guidance.” FedScoop, https://fedscoop.com/omb-extends-comment-period-for-new-fedramp-guidance/.