On October 27, 2023, the Office of Management and Budget (“OMB”) released a draft memorandum for public comment regarding Modernizing the Federal Risk and Authorization Management Program (“FedRAMP”) (the “Draft Memo”). The Draft Memo comes almost one year after Congress passed the FedRAMP Authorization Act (the “Act”) as part of the Fiscal Year 2023 National Defense Authorization Act, which codified FedRAMP.Continue Reading Time for An Upgrade: OMB Releases Draft Memorandum Modernizing FedRAMP

On June 9, 2023, OMB released additional guidance on the implementation of OMB Memorandum M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practice, which requires that federal agencies only use third-party software that is provided by software producers that attest compliance with the secure software development guidance issued by the National Institute of Standards and Technology (NIST). Agencies must obtain a self-attestation from the software producer before using any software that “affects” government information or will be used on government information systems. The requirements are discussed in more detail here.Continue Reading White House Provides New Guidance & Extends Deadline for Secure Software Attestations

The Cybersecurity and Infrastructure Security Agency (CISA) is seeking public comment on the secure software development common self-attestation form to be completed by software producers that sell software to the federal government. Federal agencies are scheduled to begin collecting attestation forms for critical software by June 2023 and for all other software by September 2023.Continue Reading CISA Releases Proposed Security Attestation Form for Software Producers

The Federal Risk and Authorization Management Program (FedRAMP) Program Management Office recently released a revised version of its Obligations and Compliance Standards document for third party assessors – the organizations that conduct reviews and enable security authorizations for cloud service offerings to the federal government. The revised document seeks to further define the performance and compliance expectations for third party assessors (3PAOs) and incorporates changes stemming from the FedRAMP Authorization Act, which was enacted as part of the Fiscal Year 2023 National Defense Authorization Act and codified FedRAMP. The revisions reflect recent trends in cyber and supply chain security, focusing on identifying potential foreign influence and enhancing transparency with respect to the activities conducted by the third party assessors. Continue Reading Reassessed: FedRAMP Releases Revised Obligations and Standards for Cybersecurity Assessors

In response to widespread interest in allowing more small business participation in opportunities involving cloud computing, the Small Business Administration (“SBA”) has decided to exclude cloud computing from the limitation
Continue Reading Small Business Subcontracting for Cloud Computing Gets Easier

Each year, the Government purchases more and more cloud computing from contractors.  But while many small businesses can provide cloud computing, the current rules associated with small business set-aside contracts prevent agencies from awarding prime contracts with a large cloud computing component to small businesses.
Continue Reading More Opportunities On the Horizon for Small Businesses Seeking to Sell Cloud Computing to the Government

Announced and effective today, August 26, 2015, DoD has issued an interim rule that significantly expands existing DFARS provisions and clauses requiring contractors and subcontractors to report cyber incidents.  The interim rule will apply “to all contractors with covered defense information transiting their information systems,” an estimated 10,000 contractors.  Additionally, in an effort to ensure acquisition uniformity across the Department, the interim rule implements DoD policies and procedures to be used when contracting for or utilizing cloud computing services.  Due to “urgent and compelling reasons,” the rule was issued without an opportunity for public comment.
Continue Reading DoD Addresses Cybersecurity Preparedness, Incident Reporting, and Cloud Computing Acquisitions with new DFARS interim rule

On November 18, 2014, the General Services Administration (“GSA”) hosted an Industry Day seeking feedback on its proposal to add a Cloud Computing Special Item Number (“SIN”) on  its IT Multiple Award Schedule 70 (“MAS IT-70”).  A SIN is GSA’s categorization method that groups similar products, services, and solutions together to make the acquisition process easier.  This move is not surprising in light of the Government’s “Cloud First” policy (announced in 2011), which requires agencies to evaluate cloud computing options “whenever a secure, reliable, and cost-effective option exists.”  Further, GSA’s latest proposal noted that a cloud SIN “would … enabl[e] agencies to take full advantage of cloud computing benefits to maximize capacity utilization, improve IT flexibility and responsiveness, and minimize cost.”  In the end, by offering a cloud-specific SIN, GSA hopes to drive more value into the schedules program by providing cloud-based options more rapidly and easily than before.  This article will give you a brief overview of the new, proposed SIN.
Continue Reading Shopping for the Cloud Made Easy – GSA’s Special Item Number Project for Cloud Computing and Request for Comments