The latest updates and analysis from Morrison Foerster
August 12, 2024 - Cybersecurity & Data Privacy

FedRAMP to the Future

DOJ Cyber-Fraud Initiative Highlights Potential Civil Liability for Failing to Meet Federal Cybersecurity Requirements

The Federal Risk and Authorization Management Program (FedRAMP), the program for authorization of cloud services for sale to the federal government that has been around since 2011, is getting an upgrade. On July 25, 2024, the Office of Management and Budget (OMB) issued a memorandum titled “Modernizing the Federal Risk and Authorization Management Program” (the “July OMB Memorandum”), which rescinds and replaces the December 8, 2011 OMB Memorandum, “Security Authorization of Information Systems in Cloud Computing Environments.” The July OMB Memorandum provides an updated “vision, scope, and governance structure for FedRAMP” in light of developments in the federal cybersecurity landscape and cloud marketplace, and it sets the stage for significant changes to FedRAMP over the coming months and years.

One significant impact on cloud service providers (CSPs), including those with new artificial intelligence products and services, will be the changes to the FedRAMP authorization process. As the federal government pivots from government-specific cloud software services to commercial offerings, and as those offerings expand, it will be even more important to authorize additional technologies quickly and efficiently.

Governance Structure

The General Services Administration (GSA) has long held the lead agency role in administering and operating the FedRAMP Program Management Office (PMO), and that will continue to be the case in the updated FedRAMP framework. As part of the FedRAMP update, however, the GSA will also be supported by the FedRAMP Board, which replaces the Joint Authorization Board (JAB) from the original FedRAMP. The FedRAMP Board is a governance body responsible for reviewing and approving FedRAMP policies, and for bringing together federal technology leaders to expand FedRAMP’s capacity for authorizing cloud services. The FedRAMP Board consists of at least one official from each of the GSA, the Department of Homeland Security (DHS), and the Department of Defense (DoD), as well as up to four additional officials from other agencies who are appointed by the OMB in consultation with the GSA.

The GSA and the FedRAMP Board will also be supported by two advisory bodies: the Federal Secure Cloud Advisory Committee (FSCAC) and the FedRAMP Technical Advisory Group (TAG). The FSCAC has both government and private-sector members and makes recommendations to the GSA regarding how to make FedRAMP more effective. By contrast, the TAG consists exclusively of federal technology experts who serve as subject matter experts and resources for continuous monitoring, performance risk assessments, and technical reviews of authorization packages.

FedRAMP Authorization Paths

FedRAMP has historically offered CSPs two paths to obtaining FedRAMP authorization to operate (ATO): (1) authorization through the JAB (“JAB Authorization”) or (2) an individual agency ATO. The JAB Authorization process was intended to streamline the procedure for specific cloud offerings based on the JAB’s pre-vetting of the offering’s security and risk posture. It allowed an agency sponsor to issue an ATO based on its understanding that the JAB had already reviewed and approved the offering for use. In practice, very few CSPs were able to take advantage of this process. The “Agency Authorization” process required an individual agency sponsor to assess the security posture of an offering and then issue an ATO. Additional agencies that wanted to use the offering had to undertake their own reviews prior to issuing an ATO, although, in practice, many agencies relied on the prior agency ATO as a baseline for their review.

This longstanding authorization framework will now undergo some significant changes:

  • JAB Authorizations will be replaced by Program Authorizations. The JAB Authorization process will no longer exist because the JAB itself will no longer exist. Instead, CSPs can seek “Program Authorizations” for their offerings. Program Authorizations will be signed by the FedRAMP Director and are intended “to allow the FedRAMP program to enable agencies to use a cloud product or service for which an agency sponsor has not been identified, but for which use by a number of Federal agencies could be reasonably expected should the CSO be authorized.” In other words, Program Authorizations will allow CSPs to have their offerings authorized for use even if there is no particular agency lined up as a customer. This is a potentially significant change, as it could enhance a CSP’s ability to market its offerings government-wide. At the same time, there is a practical question of whether CSPs will invest time and resources in obtaining FedRAMP authorization without at least one agency customer lined up (temporary authorizations, discussed below, could address this concern). According to FedRAMP, in the short term, Program Authorizations will be limited to “CSPs who were either queued or prioritized to work with the Joint Authorization Board (JAB), with a future focus on building out criteria and an approach for opening this path market-wide.” See The Next Phase of FedRAMP, https://www.fedramp.gov/2024-07-26-the-next-phase-of-fedramp/ (last accessed Aug. 5, 2024).
  • Agency Authorizations will accommodate multiple agencies. Although the current Agency Authorization process will remain largely intact, one significant change will be that Agency Authorizations will not be limited to a single sponsoring agency. Rather, “[a]uthorizations can also be conducted jointly by multiple agencies, to enable a cohort of agencies with similar needs to pool resources and achieve consensus on an acceptable risk posture for use of the cloud product or service.” The FedRAMP Board will be responsible for identifying federal agency technology leaders to form such authorization groups. Thus, as with Program Authorizations, Agency Authorizations should allow for greater adoption and use of offerings across the federal government.
  • FedRAMP will consider additional authorization paths. Although the July OMB Memorandum only identifies Program Authorizations and Agency Authorizations as pathways for FedRAMP authorization, OMB has also indicated that FedRAMP will consider additional authorization methods that promote the availability and adoption of commercial cloud offerings without sacrificing FedRAMP security standards. Whether such alternatives actually materialize is an open question, but the OMB’s openness to new pathways signals a renewed focus on flexibility to align with the rapidly evolving commercial cloud sector.

Additional CSO Designations

Under the current FedRAMP regime, cloud offerings could receive a designation that the offering is “FedRAMP Ready,” “FedRAMP In-Process,” or “FedRAMP Authorized.” The FedRAMP Ready designation means a third-party assessor has attested to a particular cloud offering’s security capabilities, and that a Readiness Assessment Report has been reviewed and deemed acceptable by the FedRAMP PMO. See FedRAMP Marketplace Designations. It typically means the offering has a high likelihood of achieving a FedRAMP authorization. Id. The FedRAMP In-Process designation indicates a CSP is actively working towards obtaining a FedRAMP authorization for its offering. Id. And, of course, the FedRAMP Authorized designation means the CSP has successfully completed the FedRAMP authorization process for the cloud offering and that the offering is now available for agency use. Id.

One of the primary purposes of the FedRAMP Ready and FedRAMP In-Process designations is to increase agency awareness of cloud offerings that are in the pipeline for FedRAMP authorization, while also bolstering the FedRAMP marketplace with more offerings. In furtherance of this goal, the July OMB Memorandum indicates that the updated FedRAMP process may include the creation of additional designations for offerings that do not yet have full FedRAMP authorization. In particular, FedRAMP will develop procedures for issuing “a time-specific temporary authorization,” which would allow agencies to “pilot” the use of new cloud services for no longer than 12 months before those services are FedRAMP Authorized. This temporary authorization would terminate at the end of the 12-month pilot period unless the offering has a FedRAMP In-Process designation.

This temporary authorization process is a potential game changer. First, it likely boosts the value of obtaining a FedRAMP Ready designation because that designation will put agencies on notice of a CSP’s offering and make it more likely that agencies would pursue a temporary authorization to use the offering before it obtains FedRAMP authorization. Second, it is likely to incentivize more CSPs to enter the public sector marketplace because the lead time to work with federal agencies will be reduced significantly. The FedRAMP PMO still needs to provide further guidance on how the pilot program will work, but this will likely be a key area of interest for CSPs.

Automation and Efficiency

The July OMB Memorandum identifies several initiatives aimed at increasing efficiency in the FedRAMP authorization and continuous monitoring processes. One focal point is an emphasis on automation. For example, the updated FedRAMP processes will require submission of all artifacts required for authorization and continuous monitoring in machine-readable format using application programming interfaces, to the extent possible. Moreover, to promote interoperability, FedRAMP will work with stakeholders, including OMB, the National Institutes of Science and Technology, and the Cybersecurity and Infrastructure Security Agency, to support the submission of security assessment artifacts and continuous monitoring information using Open Secure Control Assessment Language (OSCAL), or any succeeding protocol, as defined by FedRAMP. FedRAMP will also be exploring the use of artificial intelligence tools as part of the FedRAMP security assessment and continuous monitoring processes. Initial steps will include piloting emerging technologies to determine feasibility and utility.

FedRAMP is also examining ways to drive efficiency in the authorization process through reliance on existing security frameworks. Recognizing that “[p]erforming an additional assessment of each offering every time a product that uses an existing certification goes through the FedRAMP process unnecessarily slows the adoption of such cloud computing products and services by the Federal Government,” the GSA and FedRAMP Board will establish criteria for accepting widely recognized external security frameworks and certifications (e.g., ISO, SOC II) applicable to cloud products and services. FedRAMP will initially target external security frameworks for offerings that are FIPS 199 impact level low, but it may expand to higher impact levels if feasible.

Continuous Monitoring

The FedRAMP update also contemplates changes to the continuous monitoring process. Perhaps most significant is the directive that the FedRAMP PMO revise the continuous monitoring process to “empower CSPs to deploy changes and fixes at their own pace, without requiring advance approval from FedRAMP or an authorizing official for individual changes to existing FedRAMP authorized products and services.” This directive could signal the end of the current significant change process, which requires CSPs to complete the FedRAMP Significant Change Request Form and provide it to the authorizing official for analysis at least 30 days prior to implementing a significant change.

Transition Away from Government-Specific Cloud Infrastructure

Another notable aspect of the FedRAMP update is the desire to “use the same infrastructure relied on by the rest of CSPs’ commercial customer base.” FedRAMP wants to leverage shared infrastructure between the federal government and the private sector because the “Federal Government benefits from the investment, security maintenance, and rapid feature development that commercial cloud providers give to their core products to succeed in the marketplace.” In other words, FedRAMP wants to take advantage of CSP innovations, which may be slower to migrate to federal government-specific versions of offerings. Depending on how this priority is implemented, it could mean many CSPs will no longer need to develop federal government-specific versions of their commercial offerings. This could both expand the universe of offerings available to the government and create financial benefits and efficiencies for CSPs.

Implementation of the July OMB Memorandum

OMB is requiring FedRAMP to submit annual plans in the second quarters of fiscal years 2025 and 2026 detailing planned program activities for implementing the updated FedRAMP framework, including staffing plans and budget information. In addition, OMB has established the following benchmarks:

  • Within 180 days of issuance of the July OMB Memorandum, each agency must issue or update agency-wide policy that aligns with the memorandum’s requirements and promotes the use of cloud computing products and services that meet FedRAMP security requirements.
  • Within 180 days of issuance of the July OMB Memorandum, GSA will update FedRAMP’s continuous monitoring processes and associated documentation.
  • Within one year of the issuance of the July OMB Memorandum, GSA will produce a plan, approved by the FedRAMP Board and developed in consultation with industry, to structure FedRAMP to encourage the transition of federal agencies away from the use of government-specific cloud infrastructure. As part of the plan development process, GSA will explore the use of emerging technologies in various FedRAMP processes, as appropriate.
  • Within 18 months of the issuance of the July OMB Memorandum, GSA will build on existing efforts to receive FedRAMP authorization and continuous monitoring artifacts through automated, machine-readable means, to the extent possible.
  • Within 24 months of the issuance of the July OMB Memorandum, agencies shall ensure that agency governance, risk, and compliance tools and system-inventory tools can ingest and produce machine-readable authorization and continuous monitoring artifacts using OSCAL, or any succeeding protocol, as identified by FedRAMP.

Conclusion

The proposed changes to the FedRAMP authorization process and their subsequent implementation have the potential to expedite and simplify the authorization process, which would benefit government agencies and CSPs alike. The current timeline for authorization can average more than a year, discouraging some CSPs from participating. The potential recognition of other standards for federal government purposes would also increase the number of offerings available for sale to the government. Finally, the federal government’s recognition of the value, and even superiority, of commercial offerings that are not customized specifically for government purposes will bring even more efficiencies to the authorization process.