The White House’s Office of Management and Budget (OMB) released long-awaited guidance today to overhaul the Federal Risk and Authorization Management Program (FedRAMP), replacing the existing policy created for the program when it began in 2011.

FedRAMP aims to provide a standardized, government-wide approach to security assessment, authorization, and continuous monitoring for cloud products and services used by Federal agencies.

Today’s guidance aims to reduce pain points and bolster FedRAMP’s role as a cornerstone of Federal cloud security. The guidance places an emphasis on meeting cybersecurity requirements and utilizing automation to alleviate the documentation burden.

The new memo comes after OMB released draft guidance in October to modernize FedRAMP – which is run by the General Services Administration (GSA). OMB reviewed over 160 comments on the draft guidance to help inform the final document.

“This highly anticipated guidance further equips GSA to make it safe and easy for Federal agencies to deploy state-of-the-art technology to deliver better service to the American people,” GSA Administrator Robin Carnahan said in a statement.

“The Biden-Harris administration is committed to realizing the promise of FedRAMP to streamline the process of bringing great tech into government, so that agencies can deliver more effectively for the American people,” Carnahan added. “This guidance will accelerate GSA’s roadmap for FedRAMP and create a stronger foundation for FedRAMP to meet its mission of empowering agencies to deliver better, safer government services.”

Focus on Automation, New Authorization Paths

A big emphasis of the memo is streamlining FedRAMP processes with automation. The memo directs GSA to establish a process for the automation of security assessments and reviews.

“Within 18 months of the issuance of this memorandum, GSA will build on this work to receive FedRAMP authorization and continuous monitoring artifacts through automated, machine-readable means, to the extent possible,” the memo says. “Some continuing reliance on documentation may be necessary where machine-readable representations are not possible.”

Within two years, the memo calls on agencies to ensure governance, risk, and compliance (GRC) tools and system-inventory tools can produce and ingest machine-readable authorization packages using the Open Security Controls Assessment Language (OSCAL) “or any succeeding protocol as defined by FedRAMP.”

GSA published a roadmap for FedRAMP in March, which said FedRAMP plans to pilot machine-readable “digital authorization packages” with cloud service providers (CSPs) and agencies.

Additionally, FedRAMP launched automate.fedramp.gov earlier this month – a new technical documentation hub designed specifically to support CSPs in the development, validation, and submission of digital authorization packages.

The website is initially focused on documenting FedRAMP’s use of OSCAL to support digital authorization packages, FedRAMP said, but will expand over time as new capabilities are brought online.

The new memo also said OMB and GSA will establish a Technical Advisory Group (TAG) to provide additional subject matter expertise to FedRAMP. GSA unveiled the roster of the TAG back in May.

Another big focus of the memo is to increase the size of the FedRAMP Marketplace by creating additional FedRAMP authorization paths.

“We’re really looking at ways that we can create new authorization paths so we’re not compromising security – if anything we’re trying to hone in the processes so they’re laser-focused on good security outcomes,” Laura Gerhardt, a supervisory policy analyst and the director of technology modernization and data at OMB, said of the change in April. “That’ll build confidence within agencies to leverage the reuse, making sure we’re having conversations about prioritization.”

According to the memo, FedRAMP will create new authorization paths that embrace risk management principles – consistent with National Institute of Standards and Technology (NIST) standards and guidelines – and provide flexibility to agencies.

Within 180 days, the memo directs each agency to issue or update agency-wide policy that aligns with its requirements.

Guidance Receives Praise From Industry, Congress

The memo has already received high praise from both members of Congress and industry, who are welcoming the guidance as a much-needed update to meet today’s tech landscape.

“Today’s release of OMB’s official FedRAMP guidance is good news for Federal agencies and the stakeholders who rely on the FedRAMP process,” Rep. Gerry Connolly, D.-Va., said in a statement to MeriTalk.

“Implementation of the FedRAMP Authorization Act and continued improvements to FedRAMP will ensure the program is executing its mission of cloud safety and security for Federal agencies in a way that does not sacrifice the efficiency and accessibility that stakeholders need to engage with the Federal government,” Rep. Connolly added. “I commend the Biden-Harris administration for their commitment to this issue. I look forward to working with stakeholders to ensure this guidance meets the mark as well as leading Congress’ continued oversight of this essential program.”

Brian Conrad, who stepped down from his position as acting director of the FedRAMP program in March, called the new guidance “a timely update to the original memorandum,” adding that it “emphasizes the importance of automated and reusable authorization processes, in acknowledgement of the challenges that both Federal agencies and cloud security providers currently face.”

“The guidance will encourage efficiency and streamline the implementation process for the much-needed cloud solutions of today – safely, securely, and promptly,” said Conrad, who now serves as Zscaler’s director of global compliance, authorizing authority liaison.

“It is crucial that agencies take the steps to update their policies to align with this guidance’s requirements within the 180-day deadline,” Conrad added. “By aligning agency policies with FedRAMP’s modernization guidance requirements, agencies will be able to effectively accelerate in secure cloud adoption and meet their missions safely and securely.”

The Alliance for Digital Innovation also voiced its support for the new memo, saying, “This reauthorization of the FedRAMP program by OMB recognizes the need for the program to keep pace with the evolving nature of the commercial cloud marketplace in order to meet agency requirements. ADI is pleased that OMB highlights the need to dramatically scale the FedRAMP marketplace and increase the speed of implementing cloud services.”

Grace Dille
Grace Dille is MeriTalk's Assistant Managing Editor covering the intersection of government and technology.