The Office of Management and Budget will extend the public comment period until late December for its new Federal Risk and Authorization Management Program (FedRAMP) draft guidance, the deputy federal CIO told FedScoop.
While the comment period has so far been fruitful, the points and questions brought to the agency’s attention have also been “challenging,” Drew Myklegard, the deputy federal CIO, said during a fireside chat Thursday at CyberTalks. And because of that, OMB needs additional time to take those into account and continue to converse with the public.
OMB issued the draft FedRAMP guidance late last month, broadly pushing to scale FedRAMP-approved products and adoption across government, enhance security and more widely automate FedRAMP processes.
Speaking to the extension, Myklegard said: “We’re doing that because we really think there’s a great conversation going on. We want to continue that. Some of the feedback that we got was actually really challenging.”
A notice in the Federal Register will be going out Nov. 20 extending the comment period through Dec. 22 “to allow additional time for the public to review and comment on the initial proposals.” The original deadline was Nov. 27.
Myklegard’s comments came a day after OMB and the General Services Administration — which houses the FedRAMP program management office — hosted a public engagement forum. He said “about 400 people” showed up to that, “which is a great turnout for an OMB memo.”
The deputy federal CIO shared that the topics that commenters have been most focused on have been reciprocity between FedRAMP and other cloud security authorization programs, control validation and presumption of adequacy for vendors across federal agencies.
“So ensuring that if, when a company does go through the FedRAMP process, that they can then … take that document and take it from agency to agency and it will be accepted,” Myklegard said.
He added that the public has also made OMB aware that it needs to go back to the drawing board with some language and concepts promoted in the guidance. On security and red teaming, he said, “that means a lot of different things to different companies and we need to go back and examine what exactly we want to try and achieve as outcomes with red teaming.”
Similarly, with shared infrastructure, OMB is revisiting how to motivate cloud service providers to merge their commercial offerings and government-focused offerings together “so the government gets the best product with the best features and the best security,” Myklegard said.
And finally, the administration wants to make it less burdensome for vendors to “run the gauntlet of FedRAMP,” he said, adding that OMB has received comments about possibly using open-source templates that could help with that.
“There’s a lot of room in the FedRAMP process with friction and [manual] steps that are causing too long of times from when people identify a product that they need until they can employ it,” Myklegard said of the need for the updated guidance.
Myklegard could not say exactly when the final guidance will be issued, since the extension of the comment period pushes that timeline out.
“Obviously, it’s gonna be a little bit longer because we’re extending the time period, but we’re gonna work diligently to get those comments included. Depending on how much change we make in the memo, it will determine how much review we have to do. We’ll put that back out to the agencies to make sure we get their feedback, because they’re going to be the ones implementing it.”
“So it’s critical that they are going to have the resources and be aligned to do that. Then you should see it like early 2024,” he said.
Editor’s Note, 11/17/2023 at 3:38 p.m.: This story has been updated with additional information on the extension that will be published in the Federal Register.