On October 27, 2023, the Office of Management and Budget (“OMB”) released a draft memorandum for public comment regarding Modernizing the Federal Risk and Authorization Management Program (“FedRAMP”) (the “Draft Memo”). The Draft Memo comes almost one year after Congress passed the FedRAMP Authorization Act (the “Act”) as part of the Fiscal Year 2023 National Defense Authorization Act, which codified FedRAMP.
The Draft Memo provides an updated vision for FedRAMP with strategic goals and responsibilities for implementation, outlines improvements to the FedRAMP authorization and continuous monitoring processes, discusses the need to leverage automation wherever possible, and encourages key government stakeholders to collaborate with industry to maintain an understanding of new technologies and build a strong relationship that will benefit the commercial cloud sector and the Federal community.
The purpose of FedRAMP is to increase the adoption and secure use of commercial cloud solutions by the Federal community. When the program was founded in 2011, the Federal government was focused on facilitating secure use of commercially available infrastructure-as-a-service (“IaaS”) solutions but, as the Draft Memo points out, the commercial cloud marketplace has grown and changed in recent years, most notably due to the increase in remote work as a result of the COVID-19 pandemic, which has led to an increase in available software-as-a-service (“SaaS”) solutions and reliance on the SaaS market. The initiatives outlined in the Draft Memo acknowledge this changing landscape and aim to provide a more streamlined and accessible approach to security assessment and authorization of commercial cloud solutions.
The Draft Memo discusses necessary enhancements and changes, including new authorization types, for modernizing FedRAMP. Below are a few key highlights from the Draft Memo:
- The Draft Memo clarifies what is in-scope for FedRAMP Authorization. Commercially offered cloud products and services (such as Infrastructure-as-a-Service, Platform-as-a-Service, and Software-as-a-Service) that host information systems that are operated by an agency, or on behalf of an agency by a contractor or other organization are within the scope of FedRAMP, as are cross-Government shared services that host any information system operated by an agency, or by a contractor of an agency or another organization on behalf of an agency. Note, the term “on behalf of an agency” has been defined in a recent proposed rule standardizing cybersecurity requirements for unclassified federal information systems (discussed in detail here). Because it is not defined in the Draft Memo, this term and its relation to the proposed rule may be a popular topic in the public comments.
- There will be more pathways to FedRAMP authorization. Say goodbye to the JAB P-ATO. FedRAMP is restructuring its authorization process into four categories. Note that, as set forth in the FedRAMP Authorization Act, any of the authorizations below comes with a presumption of adequacy; an agency that requires additional authorization work will be required to document why it deems the FedRAMP authorization insufficient.
  - A “single-agency authorization” that appears to be akin to the prior agency authorization process, which indicates the cloud service offering’s security posture is consistent with agency standards and the agency’s risk tolerance. Other agencies with similar needs will be able to reuse this authorization.
  - A “joint-agency authorization” that, according to the Draft Memo, is similar to the prior FedRAMP JAB P-ATO process. However, unlike the JAB P-ATO process, the joint-agency authorization process allows two or more agencies to collaborate with FedRAMP to issue an authorization based on similar agency needs and an acceptable risk posture for use of the cloud service offering.
  - A “program authorization” that allows the FedRAMP PMO to assess the cloud service offering. This authorization type is intended to enable agencies to use a cloud service offering for which FedRAMP reasonably anticipates substantial Federal government use. It is likely a welcome change as it will alleviate the burden on companies seeking FedRAMP authorization to secure their own agency sponsor, which has been difficult in some cases. It remains to be seen how the FedRAMP PMO will allocate resources and determine which CSPs will receive this type of authorization. We anticipate public comments will seek clarity regarding this authorization type.
  - “Any other type of authorization” to be designed by the FedRAMP PMO and approved by the FedRAMP Board to “further promote the goals of the FedRAMP program.” The Draft Memo also discusses the possibility of developing criteria for prioritizing certain cloud products and services expected to receive a FedRAMP authorization, which would be developed by GSA in consultation with the FedRAMP Board and the Chief Information Officers Council, and a preliminary authorization that would permit an agency to use a cloud product or service on a trial basis for a limited period of time not to exceed twelve months. Both of these potential authorization processes likely will be a popular topic in the public comments.
- FedRAMP plans to update its security baselines with CISA to align with a threat-based analysis. The Draft Memo emphasizes the need for the FedRAMP authorization process to “leverage the use of threat information to prioritize control selection and implementation.” As such, FedRAMP plans to produce, in collaboration with the Cybersecurity and Infrastructure Security Agency (“CISA”), updated security baselines that align with a threat-based analysis and focus on the application of the controls that address the most salient threats.
- The FedRAMP Marketplace is getting an upgrade. Currently, the FedRAMP Marketplace is the go-to location for finding all cloud products and services that have completed, or are currently going through, the FedRAMP authorization process. Based on its restructured authorization categories, the Draft Memo anticipates the need for a more robust FedRAMP Marketplace to handle the influx of new FedRAMP authorized cloud products and services.
- FedRAMP Ready will be explored as a possible solution for increasing participation of small or disadvantaged businesses. FedRAMP Ready is a status indicating a cloud product or service has undergone a readiness assessment and has been deemed acceptable by the FedRAMP PMO. The Draft Memo encourages FedRAMP to further explore the FedRAMP Ready status and potentially use FedRAMP Ready “to help on-ramp additional small or disadvantaged businesses who may provide novel and important capabilities, but could face challenges in accessing the Federal marketplace.” Participation by small or disadvantaged businesses, or the lack thereof, has been a topic of discussion related to FedRAMP and other Federal government cybersecurity programs and standards.
- GSA must establish a means of automating FedRAMP security assessments and reviews by December 23, 2023. During a recent Federal Secure Cloud Advisory Committee (“FSCAC”) meeting regarding the Cloud Service Provider (“CSP”) authorization process, it was noted that the average timeline for FedRAMP authorization is 5-6 months. In an effort to shorten that timeframe and increase the number of cloud products and services authorized each year, as well as to streamline the continuous monitoring process that consists of monthly and annual assessments, FedRAMP must establish ways to automate the FedRAMP authorization process and optimize the program for efficiency and consistency. The FedRAMP PMO will work with OMB, the National Institute of Standards and Technology (“NIST”) and CISA, as well as industry providers of risk and compliance tools, to implement the requirement for submission of machine-readable artifacts, to standardize data that facilitates interoperability, and to develop and publish relevant standards for this transition.
- FedRAMP may leverage external security control assessments and evaluations to speed up the authorization process. The Draft Memo notes that certain cloud service offerings already have implemented or received certifications for external security frameworks, but FedRAMP still performs an assessment of these frameworks each time a cloud product or service leveraging these frameworks goes through the FedRAMP authorization process. FedRAMP will work on standards to leverage external security control assessments and evaluations and designate certifications that can serve as a full FedRAMP authorization (this likely will only apply to lower-risk cloud service offerings). This could be a welcome sign that companies may be able to leverage eventual certifications under the DoD’s CMMC program, and vice versa.
- The Draft Memo encourages FedRAMP to develop an improved continuous monitoring process, which may include “special reviews” by FedRAMP. The Draft Memo charges FedRAMP with the responsibility of incentivizing security through agility of development and deployment. This includes revamping the “significant change” process, which currently requires CSPs to perform an assessment and seek government approval for certain changes to their environments. The Draft Memo contemplates collaboration with CSPs to develop and maintain a deployment lifecycle that does not require advance government approval for upcoming security-relevant changes but still provides the Federal government with necessary information. Continuous monitoring also may include “special reviews” of authorized CSPs by the FedRAMP PMO. The Draft Memo does not specify the criteria to be used to determine whether a special review will occur, but the criteria must be approved by the FedRAMP Board. Further, “expert-lead ‘red team’ assessments” may be conducted on any CSP at any time, which will be an area for comment because it appears to provide the FedRAMP PMO with unfettered discretion to initiate further assessment.
- The Draft Memo also encourages FedRAMP to avoid incentivizing bifurcation of cloud services into commercial- and federal-focused instances. Instead, FedRAMP should transition away from government-focused infrastructure and promote use of the same infrastructure relied upon by commercial customers. This is a topic that will need to be further developed because of the current cloud deployment models and restrictions regarding the types of customers permitted in a Federal cloud environment.
- FedRAMP must continue to act as the bridge between the Federal community and the commercial cloud marketplace. The Draft Memo strongly encourages GSA and the FedRAMP Board to engage with industry stakeholders through the FSCAC and other appropriate mechanisms, and also encourages obtaining industry feedback on how to improve agency reuse of FedRAMP authorizations, increase the number of authorizations of cloud products or services offered by small or disadvantaged businesses, and reduce the burden and cost of the authorization process for Federal agencies and industry.
The Draft Memo requires agencies to issue or update agency-wide policy that aligns with the requirements of the Draft Memo within 180 days of the issuance of the Draft Memo, and, within the same timeframe, FedRAMP must update its continuous monitoring process guidance and associated documentation. Within one year of the issuance of the Draft Memo, GSA must provide a plan to “structure FedRAMP to encourage the transition of Federal agencies away from the use of government-specific cloud infrastructure.”
The public comment period began on October 27, 2023 and ends on November 27, 2023. To submit a public comment, utilize this link. Because obtaining feedback from and engaging with industry is one of the points emphasized by the Draft Memo, it is critical for industry stakeholders to submit public comments for consideration as OMB, FedRAMP, and other key Federal government stakeholders develop the requirements needed to modernize FedRAMP.