The Office of Management and Budget (OMB) today released proposed new guidance to modernize the General Services Administration’s (GSA) FedRAMP (Federal Risk and Authorization Management Program) program.

The proposed new guidance, which would replace existing policy created for the program when it began in 2011, is being driven in large part by the evolution of the cloud services market and growth in software as a service (SaaS) cloud-based applications, OMB said.

The proposed OMB guidance sets near-term and longer-term deadlines for GSA and for Federal agencies that use FedRAMP-authorized services. That deadline work includes standing up a new FedRAMP board and determining the staffing and budget implications of the new guidance.

The guidance issued today is required under legislation approved late last year by Congress to codify the FedRAMP program into law and take steps to modernize its operations.

The 11-year-old FedRAMP program is operated by GSA to provide a standardized, government-wide approach to security assessment, authorization, and continuous monitoring for cloud products and services used by Federal government agencies.

In the proposed guidance memo, OMB explains numerous future requirements, including ones that touch on:

  • Re-use of approved services;
  • Responsibilities of the new FedRAMP board;
  • Reliance on agile principles for the FedRAMP authorization process;
  • Updating security baselines to align with threat-based analysis;
  • Automation requirements;
  • Engagement with industry; and
  • Establishment of additional procedures for preliminary authorizations that would allow agencies to pilot the use of new cloud services that do not yet have FedRAMP authorization.

OMB’s draft memo is out for public comment through Nov. 27.

Modernization Rationale

The proposed new guidance, said OMB Director Shalanda Young in a draft memo dated Oct. 27, keys on an “updated vision, scope, and governance structure for the FedRAMP program that is responsive to developments in Federal cybersecurity and substantial changes to the commercial cloud marketplace that have occurred since the program was established.”

The memo explains that at the beginning of the FedRAMP program 11 years ago, the government was focused on “securely facilitating agencies’ use of commercially available infrastructure as a service (IaaS) — virtualized computing resources that are natively designed to be more scalable and automatable than traditional data center environments.”

“The COVID-19 pandemic only further accelerated the growth of the SaaS market, as shifts in the workplace landscape led more organizations to rely on remote collaboration tools for their workforce and to expand the online services they provide to their customers,” the memo says.

“Because Federal agencies require the ability to use more commercial SaaS products and services to meet their enterprise and public-facing needs, the FedRAMP program must continue to change and evolve,” the memo says.

“While an IaaS provider might offer virtualized computing infrastructure appropriate for general-purpose enterprise uses, SaaS providers typically offer more focused applications,” the memo says. “A large agency might rely on only a few IaaS providers to accommodate its custom applications, but could easily benefit from hundreds of different SaaS tools for various collaboration and mission-specific needs.”

“Beyond the changing cloud marketplace, the Federal Government has learned important cybersecurity lessons over the last decade that should be reflected in its approach to cloud security,” the memo says. “Keeping a step ahead of adversaries requires the Federal Government to be an early adopter of innovative new approaches to cloud security offered and used by private sector platforms.”

“Federal agencies all have finite resources to dedicate to cybersecurity, and must focus those resources where they matter the most,” the memo says. “The use of commercial cloud services by Federal agencies is itself a major cybersecurity benefit, freeing up resources that would otherwise have to be dedicated to operating and maintaining in-house infrastructure.”

“Similarly, the FedRAMP program must also focus its attention and engagement with industry on the security controls that lead to the greatest reduction of risk to Federal information and agency missions, grounding them in security expertise and real-world threat assessment,” the memo says. “Prescribed compliance procedures can help maintain consistency and basic rigor, but it is important to emphasize that FedRAMP must first and foremost be a security program.”

“To that end, FedRAMP must be an expert program that can analyze and validate the security claims of cloud service providers, while making risk management decisions that will determine the adequacy of a FedRAMP authorization for re-use within the Federal Government,” the memo says. “Strategic changes to the FedRAMP program will ensure that it can enable the Federal Government to safely use the best of the commercial cloud marketplace for years to come.”

Deadlines for Agencies

OMB laid out a series of deadlines to accomplish the FedRAMP modernization effort, including:

  • Within 90 days, OMB will appoint an initial slate of members for the new FedRAMP board being created under terms of the FedRAMP Authorization Act approved by Congress late last year as part of the fiscal year (FY) 2023 National Defense Authorization Act (NDAA).
  • Within 90 days, and up to annually thereafter, GSA will submit a plan to OMB for accomplishing the tasks set forth under the new guidance, including staffing plans and budget information.
  • Within 180 days, Federal agencies must issue or update agency-wide policy that aligns with the requirements of the new guidance. OMB said agency policies “must promote the use of cloud computing products and services that meet FedRAMP security requirements and other risk-based performance requirements as determined by OMB, in consultation with GSA” and the Cybersecurity and Infrastructure Security Agency (CISA).
  • Within 180 days, GSA will update FedRAMP’s continuous monitoring processes and associated documentation to “reflect the principles” of the new guidance.
  • Within one year, GSA will produce a plan, approved by the FedRAMP Board and developed in consultation with industry and potentially impacted cloud providers, to structure FedRAMP to encourage the transition of Federal agencies away from the use of government-specific cloud infrastructure.
  • GSA will establish “a means for the automation of security assessments and reviews,” by Dec. 23 of this year, and within 18 months will build on that work “so as to receive FedRAMP authorization and continuous monitoring artifacts exclusively through automated, machine-readable means.”

Positive Reaction

Rep. Gerry Connolly, D-Va., ranking member of the House Subcommittee on Cybersecurity, Information Technology, and Government Innovation and the author of the FedRAMP Authorization Act, released the following statement on the Biden administration’s newly updated guidance for the FedRAMP program.

“As the author of the FedRAMP Authorization Act, the catalyst for today’s updated guidance, I am thrilled by the Office of Management and Budget’s (OMB) push to streamline agencies’ adoption and use of secure cloud services,” said Rep. Connolly.

“Today, OMB took the first step toward updating its decade-old guidance for the FedRAMP Program,” he said. “This action implements key provisions of my FedRAMP Authorization Act, including the establishment of the FedRAMP Board, the promotion of automation and engagement with industry to drive down the cost and burden of FedRAMP authorization, and the reinforcement of the presumption of adequacy. Recognizing reciprocity is smart for vendors and smart for agencies. If you are approved at one window of government, that approval should carry with you to others.”

“I applaud OMB for their collaborative efforts with the stakeholder community and I look forward to their continued stewardship of this important law,” the congressman said.

OMB’s proposed new guidance also received positive initial reviews from industry.

“At first glance, this memo demonstrates that OMB and GSA have heard the pain points raised by industry and their agency customers,” said Ross Nodurft, executive director of the Alliance for Digital Innovation.

“This reauthorization of the FedRAMP program by OMB is clearly focused on empowering agencies to leverage commercial cloud products and services,” he said. “ADI is pleased that OMB and GSA are focused on removing some of the legacy barriers to authorization and opening different pathways to achieve an Authority To Operate (ATO), all with the intention of providing Federal agencies with as robust a cloud commercial marketplace as possible. OMB and GSA are stating clearly that they want to provide a secure, risk focused pathway for agencies to modernize their information environments and enable mission owners to leverage the latest innovative commercial technology.”

“Given some of the substantive structure changes, there are many questions to answer for those companies who are in various stages of the authorization process – Joint Authorization Board (JAB) or agency,” Nodurft continued. “It is important to recognize the investments companies are making to partner with Federal customers and ensure that those companies in the authorization process are not penalized with a FedRAMP restructure.”

“Additionally, it will be important to ensure that changes and updates with the program are aligned across the government, to include the Department of Defense,” he said. “We welcome the opportunity to continue engaging with OMB and GSA on the specifics in this memo and are encouraged by the direction articulated in this initial draft.”

Leigh Palmer, VP of Tech Strategy and Delivery at Google Public Sector, said, “We applaud the OMB for taking a more forward-thinking approach to government agencies leveraging cloud technologies. The shift from physical to logical separation of government data is aligned with Zero Trust principles and will offer the government the innovation and rapid feature development of a true commercial cloud.”

“At Google Public Sector, this has been our approach since day one,” Palmer said. “We certify our entire U.S. Google Cloud infrastructure, a radically different approach to legacy, fortress-like cloud security models.”

Speed and Scale

OMB explained that it wants the FedRAMP program to scale up faster, employ automation technologies in that effort, and offer multiple authorization structures.

“FedRAMP has provided significant value to date, but the program must change to meet the needs of Federal agencies and address the scope of the cloud marketplace,” OMB said. “The FedRAMP marketplace must scale dramatically to enable Federal agencies to work with many thousands of different cloud-based services that can accelerate key agency operations while allowing agencies to directly manage a smaller IT footprint.”

On the automation front, OMB said “it is essential that FedRAMP establish an automated process for the intake and use of industry standard security assessments and reviews. Automating the intake and processing of machine-readable security documentation and other relevant artifacts will reduce the burden on program participants and increase the speed of implementing cloud solutions in a timely manner.”

“The FedRAMP program has the challenging task of balancing a variety of risk postures across Federal agencies while creating a baseline for the reliability of FedRAMP authorizations that will support the statutory presumption of their adequacy and lead to their reuse at the appropriate FISMA impact level,” OMB said. “FedRAMP is expected to create and evolve multiple authorization structures, beyond those described in this document.”

About John Curran
John Curran is MeriTalk's Managing Editor covering the intersection of government and technology.