The Office of Management and Budget (OMB) released a Draft Memorandum for Modernizing the Federal Risk and Authorization Management Program (FedRAMP) on Friday, Oct 27, 2023. FedRAMP was codified in 2022 when Congress passed the FedRAMP Authorization Act (“Act”). The Act established FedRAMP within the General Services Administration (GSA) and created a FedRAMP Board to provide input and recommendations to the Administrator of GSA. FedRAMP has been in place through a Office of Management and Budget (OMB) memorandum in December 2011.
OMB released the DRAFT Memorandum that has a number of highlights. Salient elements of the proposed changes are summarized below from our perspective in having supported over 200 system migrations and ATOs since 2009 when we supported the first Government wide Cloud Authorization To Operate (ATO) in May 2010 for Recovery.gov and then the first Cabinet Agency Cloud ATO in Dec 2010 for Treasury.gov.
SaaS focus: OMB has a specific focus on enabling a bigger software as a service (SaaS) marketplace. It recognizes that an agency might leverage only a few IaaS offerings while using hundreds of different SaaS offerings. This is an extremely welcome development as there are less than 300 FedRAMP authorized SaaS offerings in the marketplace. Whereas the commercial market is estimated to have over 15,000 SaaS offerings.
Threat-driven risk management: Reinforces the need to continually evolve the program to incorporate and focus on the security controls that lead to the greatest reduction of risk by using threat intelligence, threat analysis and threat modeling.
Unblocking JAB Authorizations: The JAB is currently limited to three agencies – DHS, DOD and GSA. Using the proposed joint-agency authorization pathway more agencies can participate to provide authorizations. Also, this move might address some of the reciprocity issues between JAB and non-JAB ATOs. The memo states that existing JAB P-ATOs will automatically transition to joint-agency authorizations.
Enabling Small Business and Small Disadvantaged Business Participation: The combination of the focus on SaaS and providing FedRAMP with more options and processes to find ways to better enable market access for creative and innovative solutions from Small businesses.
FedRAMP PMO Support for Continuous Monitoring to Authorizing Agencies: The robust and strong Continuous Monitoring program is the hallmark of FedRAMP. However, smaller agencies have traditionally shied away from sponsoring FedRAMP ATOs due to the continuous monitoring burden. With the FedRAMP PMO supporting continuous monitoring, the burden on agencies will be reduced and ensure quality & consistency across agency sponsored ATOs.
Automation using DevSecOps: The memo generally refrains from pointing out specific technologies or solutions to avoid being too prescriptive. However, DevSecOps is specifically mentioned to help generate efficiencies through automation and using commercial best practices.
OMB should consider tasking the FedRAMP Board and the Technical Advisory Group (TAG) with specific guidance on continuous innovation and evolution of the program. The memo should specifically mention the need to get ready for assessing and authorizing AI systems. Our ATO for AI governance model applies NIST SP 800-53 controls with AI overlays that map to NIST AI RMF can help agencies rapidly adopt commercial AI solutions. OMB’s acknowledgement and direction to include AI risk management will help accelerate safe and secure adoption.
The team at stackArmor is extremely happy with the process followed by OMB to provide an opportunity for industry comment and feedback. We will continue to provide insightful comments, analysis and recommendations to reduce the cost of FedRAMP ATOs.
