FedRAMP ‘undeniably’ in state of limbo without final OMB modernization guidance, Rep. Connolly says

However, that “limbo” is an improvement from where the program was not long ago, Connolly admitted.
Rep. Gerry Connolly. (AFGE / Flickr)

As the federal government awaits final guidance from the Office of Management and Budget meant to modernize and reform the Federal Risk and Authorization Management Program, one of Capitol Hill’s top federal IT modernization advocates believes that the program is “undeniably” in a state of limbo until that guidance is issued. 

In a statement to FedScoop, Rep. Gerry Connolly, D-Va. — the author of the FedRAMP Authorization Act, which codified the program in January 2023 so that agencies had a common security framework that was more efficient and cost-effective — listed the absent guidance among other issues like agency backlogs and the vacancy of the FedRAMP director role as contributors to the program’s current state.

In October 2023, OMB issued draft guidance, officially kicking off its campaign to modernize FedRAMP and soliciting feedback from the public to guide its work toward a final policy memo. Not long after, in November, the agency extended the comment period after receiving fruitful but “challenging” feedback from the public. 

Despite his criticism of OMB not yet releasing the final directive, Connolly said that FedRAMP is in fact progressing in the right direction. 

“But, when we started all of this, we were in the inferno,” Connolly said. “So being in limbo is, in fact, an improvement. We have a lot of good news to talk about with FedRAMP…. My hope is that we can maintain progress and ensure the program is delivering for the government and FedRAMP stakeholders.”

Connolly also pointed to the administration’s move to promote the presumption of adequacy in its draft guidance, the “growing marketplace,” software-as-a-service payment clarity and new initiatives led by the General Services Administration, such as the Emerging Technology Prioritization Framework, as positive steps for the program.

Deputy Federal CIO Drew Myklegard shared a similar sentiment that, though the final policy hasn’t yet been published, what will eventually be released will reflect many practices and improvements that have already taken effect within FedRAMP.

Myklegard pointed to the technical advisory group, which the General Services Administration announced in collaboration with OMB in May, as an example of how elements of the final policy have led to positive change before it is issued.

“So what we’re really excited about is when we put [the draft memo] out for public comment, we were very close to where it’ll end up,” Myklegard said in an interview with FedScoop. “We got some great feedback, and we did some sessions with industry — it showed that we needed to focus on agency.”

Speaking at the 2024 GovForward: ATO and Cloud Security Summit event Thursday, where both Connolly and Myklegard addressed current needs for the program and upcoming changes, the deputy federal CIO said the memo is coming about the same way that one builds software. “Which is: Come up with a hypothesis, build it and then we’ll put it into policies.”

On the program side, GSA has been notably active of late in its own work to modernize FedRAMP. Recently, the agency announced an overhaul of its priorities and released a new roadmap for the program. And in an interview with FedScoop last month, Eric Mill, the executive director for cloud strategy at GSA’s Technology Transformation Services, detailed many new pilot efforts underway to streamline the cloud security authorization process and reported that the agency is in the final stages of hiring a new FedRAMP director.
