FedRAMP Rewritten: OMB Publishes Guidance with FedRAMP’s Updated Vision, Scope and Governance Structure

BakerHostetler
To dramatically scale up the FedRAMP marketplace, the Office of Management and Budget (OMB) has completely rewritten the vision, scope and governance structure of the Federal Risk and Authorization Management Program (FedRAMP). OMB rescinded its 2011 memorandum establishing FedRAMP and replaced it with a new memorandum, Modernizing the Federal Risk and Authorization Management Program, that updates the program.

As we’ve previously highlighted, FedRAMP recently revealed major changes to its program, announcing its roadmap to upcoming changes and releasing pilot programs and new FedRAMP resources.

OMB’s July 25th memorandum on Modernizing the Federal Risk and Authorization Management Program (“FedRAMP”) has now rewritten the program, echoing the vision illustrated by FedRAMP’s recent forums and posts.

These wide-ranging changes will have a major impact on cloud service providers (CSPs) that wish to provide their cloud services to federal agencies.

The Vision: Growing the Marketplace

FedRAMP intends to exponentially expand the number of cloud service offerings within the FedRAMP marketplace. Currently, there are an estimated 17,000 software as a service (SaaS) providers in the United States, many of which offer multiple SaaS products.[1] Despite this thriving domestic SaaS market, only 338 services, including SaaS, infrastructure as a service (“IaaS”), and platform as a service (“PaaS”), are currently FedRAMP authorized.[2] OMB intends to drastically increase this number, stating, “The FedRAMP Marketplace must scale dramatically to enable Federal agencies to work with many thousands of different cloud-based services that accelerate key agency operations while allowing agencies to reduce the footprint of the information technology (IT) infrastructure that they directly manage.”

OMB is not only focused on providing federal agencies with the ability to use more commercially available SaaS products but also focused on the security advantages associated with being an early adopter. “Keeping a step ahead of adversaries requires the Federal Government to be an early adopter of innovative new approaches to cloud security offered and used by private sector platforms.”

The number of CSPs with authorized offerings has remained low due to the high cost and complexities associated with acquiring a FedRAMP authorization. As explained in its earlier roadmap, OMB seeks to overcome these challenges by relying on a standardized, reusable approach to security assessments and FedRAMP authorizations for cloud computing products and services.

In addition to the structural changes and further establishing responsibilities for the parties implementing FedRAMP, OMB set forth four main strategic goals to accomplish its vision:

  1. Base the FedRAMP program on risk management.
  2. Offer multiple authorization paths.
  3. Use automation to streamline FedRAMP processes.
  4. Leverage shared infrastructure between the federal government and the private sector.

(1) Base the FedRAMP program on risk management

OMB plans to consult with industry and security experts across the federal government to ensure that FedRAMP is focused on the most impactful security features and addresses the most relevant threats. This new focus on precision differs from the previous version of FedRAMP, which was created to secure traditional data center environments. OMB intends to use a quicker and more flexible approach designed for modern cloud service offerings by addressing risks through conducting rigorous reviews and rapidly identifying and mitigating weaknesses in security architecture.

(2) Offer multiple authorization paths

OMB intends to offer additional paths to FedRAMP authorization, alleviating some of the time, money and complexity challenges faced under FedRAMP’s previous implementation. OMB sets forth two familiar paths to authorization, but it explains that FedRAMP will develop alternative authorization paths not mentioned in the memorandum.

The two methods specified in the memorandum are (1) agency authorization and (2) program authorization. Although their descriptions are reminiscent of the previously used authorization methods, FedRAMP’s restructuring and updates to the required authorization materials confirm that these two traditional authorization paths will also see significant changes.

In discussing FedRAMP authorization, OMB continues to emphasize the importance of ensuring that authorized cloud offerings meet the necessary level of security to support the statutory presumption of adequacy leading to their reuse at the appropriate Federal Information Processing Standards Publication (“FIPS”) 199 impact level.

(3) Use automation to streamline FedRAMP processes

FedRAMP has previously published materials detailing its efforts to automate the required FedRAMP deliverables through the use of the common machine-readable language Open Security Controls Assessment Language (OSCAL). OMB instructs FedRAMP to use OSCAL “or any succeeding protocol as defined by FedRAMP” to establish an automated process for the intake, use and reuse of security assessments and reviews. Through automation, FedRAMP seeks to reduce the effort necessary to create FedRAMP deliverables and the time required to review them, streamlining the initial authorization and continuous monitoring processes required by the FedRAMP program.

(4) Leverage shared infrastructure between the federal government and the private sector.

OMB hopes to use the FedRAMP program to encourage companies to improve the security of all of their cloud products, not merely their federal products. It is currently a common practice to separate cloud offerings for government use from those for general use. OMB seeks to incentivize commercial CSPs to integrate the FedRAMP security requirements into their core services for all customers. “FedRAMP should not incentivize or require commercial cloud providers to create separate, dedicated offerings for Federal use, whether through its application of Federal security frameworks or other program operations” (emphasis added).

The PMO and FedRAMP Board

While there are multiple stakeholders involved in the new FedRAMP program, structurally FedRAMP consists of two parts: (1) the program management office (PMO); and (2) the FedRAMP Board. The PMO is responsible for operating the FedRAMP security authorization process. The FedRAMP Board is responsible for establishing guidelines and requirements for FedRAMP security authorizations.

The FedRAMP Board will consist of up to seven senior officials or experts from agencies appointed by OMB and must include at least one representative from each of the General Services Administration, Department of Homeland Security and Department of Defense. These board members must possess technical expertise in cloud computing, cybersecurity, privacy, risk management and other competencies identified by OMB.

Taking Action

Shortly after OMB published its memorandum, FedRAMP announced its key performance metrics for public comment, requesting public feedback on a proposed set of metrics that would measure the end-to-end FedRAMP authorization experience. Comments on these metrics are due by Thursday, Aug. 29, at 11:59 p.m. EDT.

FedRAMP intends to use this feedback to focus and refine the metrics list to a set of measures that will keep FedRAMP focused on security and customer experience.

Entities interested in FedRAMP authorization can take advantage of this development period to submit comments and influence how FedRAMP operates for years to come.


[1] See https://colorlib.com/wp/saas-statistics/

[2] See https://marketplace.fedramp.gov/products


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© BakerHostetler
