Summer Heat Ramping Up: FedRAMP Releases Final OMB Memo and Announces Update on Roadmap Progress, Automation Site Launch, and the Agile Delivery Pilot Launch
It’s been a hot summer so far, but the Federal Risk and Authorization Management Program (“FedRAMP”) is just starting to heat up. In June, FedRAMP (the Federal government’s program for security authorizations of cloud solutions) released the final Emerging Technology Prioritization Framework, which outlines the prioritization of certain artificial intelligence capabilities. In mid-July, FedRAMP announced its Agile Delivery pilot program, a new process for reviewing significant changes without the need for advance approval. FedRAMP also announced a new technical documentation hub (automate.fedramp.gov) that focuses on providing support to cloud service providers in the development of digital authorization packages. Lastly, just as the heat wave in Washington, D.C. ended, FedRAMP published the final version of the FedRAMP OMB Memo (“OMB Memo”) on July 26, 2024. The OMB Memo revamps FedRAMP through changes to the authorization paths and to the continuous monitoring and incident response processes, as well as enhancements through automation. Below are key points to know about each FedRAMP update released this summer.
Cloud Computing
Time for An Upgrade: OMB Releases Draft Memorandum Modernizing FedRAMP
On October 27, 2023, the Office of Management and Budget (“OMB”) released a draft memorandum for public comment regarding Modernizing the Federal Risk and Authorization Management Program (“FedRAMP”) (the “Draft Memo”). The Draft Memo comes almost one year after Congress passed the FedRAMP Authorization Act (the “Act”) as part of the Fiscal Year 2023 National Defense Authorization Act, which codified FedRAMP.
White House Provides New Guidance & Extends Deadline for Secure Software Attestations
On June 9, 2023, OMB released additional guidance on the implementation of OMB Memorandum M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practice, which requires that federal agencies only use third-party software that is provided by software producers that attest compliance with the secure software development guidance issued by the National Institute of Standards and Technology (NIST). Agencies must obtain a self-attestation from the software producer before using any software that “affects” government information or will be used on government information systems. The requirements are discussed in more detail here.
CISA Releases Proposed Security Attestation Form for Software Producers
The Cybersecurity and Infrastructure Security Agency (CISA) is seeking public comment on the secure software development common self-attestation form to be completed by software producers that sell software to the federal government. Federal agencies are scheduled to begin collecting attestation forms for critical software by June 2023 and for all other software by September 2023.
Reassessed: FedRAMP Releases Revised Obligations and Standards for Cybersecurity Assessors
The Federal Risk and Authorization Management Program (FedRAMP) Program Management Office recently released a revised version of its Obligations and Compliance Standards document for third party assessors – the organizations that conduct reviews and enable security authorizations for cloud service offerings to the federal government. The revised document seeks to further define the performance and compliance expectations for third party assessors (3PAOs) and incorporates changes stemming from the FedRAMP Authorization Act, which was enacted as part of the Fiscal Year 2023 National Defense Authorization Act and codified FedRAMP. The revisions reflect recent trends in cyber and supply chain security, focusing on identifying potential foreign influence and enhancing transparency with respect to the activities conducted by the third party assessors.
Small Business Subcontracting for Cloud Computing Gets Easier
In response to widespread interest in allowing more small business participation in opportunities involving cloud computing, the Small Business Administration (“SBA”) has decided to exclude cloud computing from the limitation…
More Opportunities On the Horizon for Small Businesses Seeking to Sell Cloud Computing to the Government
Each year, the Government purchases more and more cloud computing from contractors. But while many small businesses can provide cloud computing, the current rules associated with small business set-aside contracts prevent agencies from awarding prime contracts with a large cloud computing component to small businesses.
Get Your Head In The Cloud!
Are you or your company on the cloud? In 2018, the answer is most certainly a resounding “YES!” What do you need to know about your DATA, your OPPORTUNITIES, and…
Foggy on the Cloud?
Let the 2015 Cloud Computing Legal Deskbook help…
DoD Addresses Cybersecurity Preparedness, Incident Reporting, and Cloud Computing Acquisitions with new DFARS interim rule
Announced and effective today, August 26, 2015, DoD has issued an interim rule that significantly expands existing DFARS provisions and clauses requiring contractors and subcontractors to report cyber incidents. The interim rule will apply “to all contractors with covered defense information transiting their information systems,” an estimated 10,000 contractors. Additionally, in an effort to ensure acquisition uniformity across the Department, the interim rule implements DoD policies and procedures to be used when contracting for or utilizing cloud computing services. Due to “urgent and compelling reasons,” the rule was issued without an opportunity for public comment.
Shopping for the Cloud Made Easy – GSA’s Special Item Number Project for Cloud Computing and Request for Comments
On November 18, 2014, the General Services Administration (“GSA”) hosted an Industry Day seeking feedback on its proposal to add a Cloud Computing Special Item Number (“SIN”) on its IT Multiple Award Schedule 70 (“MAS IT-70”). A SIN is GSA’s categorization method that groups similar products, services, and solutions together to make the acquisition process easier. This move is not surprising in light of the Government’s “Cloud First” policy (announced in 2011), which requires agencies to evaluate cloud computing options “whenever a secure, reliable, and cost-effective option exists.” Further, GSA’s latest proposal noted that a cloud SIN “would … enabl[e] agencies to take full advantage of cloud computing benefits to maximize capacity utilization, improve IT flexibility and responsiveness, and minimize cost.” In the end, by offering a cloud-specific SIN, GSA hopes to drive more value into the schedules program by providing cloud-based options more rapidly and easily than before. This article will give you a brief overview of the new, proposed SIN.