The cloud landscape and federal technology have evolved drastically since the Federal Risk and Authorization Management Program was created more than a decade ago. Because of that, the Office of Management and Budget realizes it needs to enhance and better tailor the cloud authorization program to today’s cloud and security environment.
That’s the driver behind new draft guidance OMB issued Friday meant to modernize FedRAMP by setting a plan in place to scale the program, bolster security reviews of commercial cloud providers and accelerate federal adoption of those commercial cloud platforms.
“[T]he FedRAMP framework was built for a smaller job at a simpler time, and today’s cloud challenges are different. In the last decade, the security environment has become more complex, and the diversity of cloud services has grown dramatically. There are now many thousands of cloud-based services that Federal agencies could use to serve the American people, including tools for enterprise collaboration, product development, and improving an enterprise’s own cybersecurity,” reads a blog post from OMB on the draft guidance.
As it stands today, FedRAMP — operated by a program office housed in the General Services Administration — has authorized 318 cloud services for use by federal agencies. But, “the tools that agencies need to deliver on their missions are not always included there,” the blog post reads.
Upon its final issuance, the new guidance will replace the original FedRAMP guidance published in 2011, when federal agencies began ramping up the use of cloud. That comes with “an updated vision, scope, and governance structure for the FedRAMP program that is responsive to developments in Federal cybersecurity and substantial changes to the commercial cloud marketplace that have occurred since the program was established,” reads the draft.
Specifically, the new policy defines what cloud products are subject to FedRAMP requirements, lays out requirements for agencies to use authorized services, outlines the roles and responsibilities of the FedRAMP board and program office, and instills a more transparent and consistent process for security reviews.
As part of the refreshed vision, OMB lays out four strategic goals a modernized FedRAMP should accomplish:
- Lead an information security program grounded in technical expertise and risk management;
- Rapidly increase the size of the FedRAMP marketplace by offering multiple authorization structures;
- Streamline processes through automation; and
- Leverage shared infrastructure between the federal government and the private sector.
The new policy acknowledges the explosion in usage of software-as-a-service cloud applications across the federal government, whereas the original FedRAMP policy was largely tailored to infrastructure-as-a-service.
It also prioritizes moving agencies and vendors away from government-specific clouds to instead promote the use of providers’ existing commercial clouds, calling on the GSA to develop a plan in the next year to transition agencies away from using government-only clouds.
Deputy Federal CIO Drew Myklegard last month teased the new guidance in a discussion with FedScoop at its annual FedTalks conference, saying: “We’ve seen an exponential growth every couple of years of these SaaS providers and the tools. But what we haven’t seen is similar exponential growth in their adoption, at least like ATO-ed [authority to operate], secured and monitored by the CIOs out there of those types of products.”
The security landscape has also changed, and that requires “the Federal Government to be an early adopter of innovative new approaches to cloud security offered and used by private sector platforms” to keep a step ahead of adversaries, the draft guidance says.
The updated guidance comes after the passage of the FedRAMP Authorization Act in 2022 and the subsequent establishment of the Federal Secure Cloud Advisory Committee. That committee has been meeting regularly in recent months.
OMB engaged the committee and a variety of other stakeholders to inform the new guidance.
“In order to design policy that works, it’s critical that we engage stakeholders,” Federal CIO Clare Martorana said in a statement. “We are taking a human-centered policy design approach and soliciting input to learn about how government and industry experience the FedRAMP process and how we could evolve the program to increase its use and drive greater impact.”
Myklegard similarly said in September that OMB has “talked to a lot of agencies and their experiences with FedRAMP, and they talked about a lot of the problems. We listened to probably 30 different agencies and got a lot of great feedback. It’s going to inform the policy.”
Rep. Gerry Connolly, D-Va., the author of the FedRAMP Authorization Act, applauded OMB in a statement for its “collaborative efforts with the stakeholder community,” saying he looks forward to the agency’s “continued stewardship of this important law.”
“Today, OMB took the first step toward updating its decade-old guidance for the FedRAMP Program. This action implements key provisions of my FedRAMP Authorization Act, including the establishment of the FedRAMP Board, the promotion of automation and engagement with industry to drive down the cost and burden of FedRAMP authorization, and the reinforcement of the presumption of adequacy. Recognizing reciprocity is smart for vendors and smart for agencies. If you are approved at one window of government, that approval should carry with you to others,” he said.
The draft guidance is open for public comment through Nov. 27.