As the White House’s Office of Management and Budget (OMB) works to modernize the General Services Administration’s (GSA) Federal Risk and Authorization Management Program (FedRAMP), top officials from OMB this week previewed coming changes for the program.
The FedRAMP program is run by GSA to provide a standardized, government-wide approach to security assessment, authorization, and continuous monitoring for cloud products and services used by Federal government agencies.
OMB proposed new guidance in October to overhaul FedRAMP, which would replace the existing policy created for the program when it began in 2011. However, OMB officials said that the finalized guidance won’t be coming anytime soon.
“I know everybody wants to know when the guidance will come out, we’re going to make sure we get it out at the most impactful time – more so we get it right,” said Drew Myklegard, deputy Federal CIO at OMB. “If we went the past 10 years with one memo, certainly we don’t want to wait that long for new guidance, but we know it’ll be longer than we probably want to wait.”
Myklegard noted that OMB extended the comment period for the draft guidance for about another month to Dec. 22, 2023, and the agency was “excited” about the number of comments it received.
“We’re still working through those,” he said. “It was a phenomenal response. The comments made us really focus on key areas – we’re adjudicating those comments now, and so, we obviously can’t share that pre-delivery information.”
Laura Gerhardt, policy analyst at OMB, said she is part of the team that reads those comments, which she said are actively shaping the updated guidance.
“Genuinely, we are looking at them and they are changing how we’re approaching this, so we very much appreciate that,” Gerhardt said. “It’s so helpful to understand where we may not have been clear, where there may be a definition of a term we’ve used that we weren’t aware of.”
The updated guidance aims to significantly scale the size and the scope of the FedRAMP marketplace, but one area of the guidance that Gerhardt believes will drive the most change for agencies and vendors is automation.
“I’m pretty hyped on the opportunity and the promise of the automation efforts,” she said. “I think one of the things we find and have heard, even from my own experience moving technologies through the authorization process, is there’s a lot of documentation burden.”
“One of the first things that the automation gets you is just reduced burden on that completely,” Gerhardt said, adding, “All the stakeholders in the ecosystem will be able to very quickly validate, ‘Is this complete from a documentation standpoint?’ And when you take out that sort of manual labor and that burden, you can really focus on driving the security outcomes.”
