New guidance aims to make FedRAMP ‘a security-first program,’ OMB official says

As IT professionals across the federal government process the long-awaited FedRAMP modernization guidance released last month, one of the key figures behind the document is calling attention to its emphasis on “real-world threat assessment.”

Laura Gerhardt, director of technology modernization and data at the Office of Management and Budget, said during an Advanced Technology Academic Research Center event last week that the prioritization of threat assessments is part of an overarching strategy to position FedRAMP and its updated guidance as “a security-first program.”

“You’ll see [specifically] a couple mentions to red-teaming,” Gerhardt said, as well as “security reviews that can happen sort of at the request of the FedRAMP board, potentially in light of particular events or even emerging threat vulnerabilities.”

The goal with those security-focused callouts, Gerhardt said, is to instill federal agencies with confidence in meeting the document’s cybersecurity requirements, while also leaning into “adaptability” and “taking advantage of the unique capabilities of cloud.”

The first goal listed in the new memo is for FedRAMP to “lead an information security program grounded in technical expertise and risk management.” The cloud modernization program “must be capable of conducting rigorous reviews and identifying and requiring cloud service providers to rapidly mitigate weaknesses in their security architecture,” the document notes. 

Since the release of the guidance, Gerhardt said OMB has been especially focused on helping agencies familiarize themselves with the changes and “making sure that the capabilities meet the mission need in an ongoing and iterative way.” Avoiding “duplicative security assessments” was another top priority, spelled out most clearly in the guidance’s embrace of the “presumption of adequacy.”

Introduced in a previous FedRAMP authorization bill, the concept of presumed adequacy refers back to the authorization process. If a cloud product or service completes that process, FedRAMP is essentially guaranteeing that security protocols have been followed and the product is “presumptively adequate for use by federal agencies,” per the updated guidance.

“We’re thinking that’s going to increase for use,” which “can drive down costs, hopefully,” Gerhardt said. “And so our goal is to really lean into that presumption of adequacy once it’s authorized [and] the controls are assessed throughout the federal community for use, and we also want to make sure that the agencies understand the underlying assessment so they can trust it and use it.”

Artificial intelligence also makes its presence felt in the new guidance, with the technology examined as part of the FedRAMP security assessment review. The memo calls for a pilot within FedRAMP to “determine feasibility and utility in an effort to improve security outcomes and scalability.”

Gerhardt said the team behind the guidance “heard loud and clear” from public comments the desire to incorporate AI into the program. The new FedRAMP advisory board, she said, would collaborate with a General Services Administration team to figure out how AI could be leveraged for assessing security controls and for continuous monitoring. 

FedRAMP is currently looking for industry partners specializing in generative AI, chatbots, debugging tools, image generation and API versions to build those capabilities into existing federal ecosystems. The initial round of prioritization will run through the end of this month, Gerhardt said.

“Now is a great time … to work with those industry partners and help make sure that they’re aware of the emerging technology prioritization framework,” she said. “Because I firmly believe that there’s a lot of opportunities here and want to make sure that we’re supportive of that through the prioritization.”

With the updated guidance still in its early days, Gerhardt said FedRAMP leaders and especially the new advisory board are aiming to be “a lot more strategic” in their focus on helping federal agencies navigate the space. 

There’s also recognition that “a lot of this work is incredibly technical,” she said, so FedRAMP’s Program Management Office is bolstering its staff with more “technical expertise.”

That technically savvy workforce, Gerhardt said, should be a resource to agencies on “what FedRAMP is thinking in terms of moving forward guidance and making sure it’s realistic, it’s practical.”