It has been a decade-plus since the Office of Management and Budget introduced FedRAMP (Federal Risk and Authorization Management Program) to support the government’s adoption of secure cloud services. In fact, FedRAMP just hit its 300th ATO!
Over the course of its existence, “obtaining FedRAMP authorization has become a key step for cloud service providers doing business with the U.S. government,” as Susan Cassidy, Moriah Daugherty and Ashden Fein write for National Defense Magazine. With the program marking this milestone, we take a look at its new chapter.
ICYMI: The FedRAMP Authorization Act Codified FedRAMP
At the tail-end of 2022, stackArmor covered the major news that President Biden signed the James M. Inhofe National Defense Authorization Act into law for the 2023 fiscal year (read our detailed post here). As a quick refresher, the Act, also known as NDAA, included an important FedRAMP component – the FedRAMP Authorization Act. The FedRAMP Authorization Act officially codifies FedRAMP alongside changes to the program that aim to enhance and expand its impact.
One of the most noteworthy parts of the FedRAMP Authorization Act was that it codified FedRAMP within the General Services Administration (GSA). GSA is now required to oversee the development of processes that streamline agency review and authorization of cloud services and “assess the provenance of the software in cloud services and products.” Additionally, it calls for the creation of a FedRAMP board and advisory committee consisting of agency officials and experts in cybersecurity, risk management, etc.
Speaking on the passing of the FedRAMP Authorization Act, Chairman of the Senate Homeland Security and Governmental Affairs Committee Sen. Gary Peters told FedScoop, “By helping federal agencies quickly and securely adopt cloud-based systems, this program will also create good-paying jobs, and incentivize cloud companies to create more effective products.”
What’s Next for FedRAMP?
NDAA and its inclusion of the FedRAMP Authorization Act clearly indicated that FedRAMP will continue to play a critical role moving forward, especially as more departments and agencies double down on their cloud integration. For instance, Billy Mitchell at FedScoop recently reported that the Department of Agriculture “is considering a new centralized procurement to drive cloud adoption across the department.” With an agreement called STRATUS, the department’s goal is to expand software-as-a-service and cloud infrastructure initiatives.
While addressing an audience at an event hosted by NextGov, Thomas Santucci, director of the Data Center & Cloud Optimization Initiative program management office at the General Services Administration (GSA), also pointed out that FedRAMP can and will serve as an important tool for agencies incorporating zero trust security frameworks. But as the program grows its reach, leaders hope to “open the aperture,” as reported by GCN.
Moving into FedRAMP’s next phase, Brian Conrad, acting FedRAMP director and program manager for cybersecurity at the General Services Administration, has stated that the challenge will be to make program certification more accessible for smaller businesses while upholding strict cybersecurity standards. Earlier this month, Acting National Cyber Director Kemba Walden touched on the need to make the FedRAMP process more efficient as well while speaking at an Atlantic Council event.
Comments such as these indicate that the future of FedRAMP will likely be defined by its pursuit of wider participation. This is a point that we already saw and made when publishing our previous post on the topic. As we wrote then and still expect – Given the significant industry investment in the FedRAMP program, there is going to be continued focus on removing sponsorship bottlenecks and driving down compliance costs specially to enable small business participation. Large CSPs should consider formalizing programs that enable Small Business participation to allow for the development and delivery of innovative FedRAMP accredited SaaS solutions.
To learn more about FedRAMP’s journey, take a look back at our series of blogs on the evolving landscape of secure commercial cloud computing enabled by the FedRAMP program.
- “2023 NDAA Makes Notable Changes to FedRAMP Program” – Susan Cassidy, Moriah Daugherty and Ashden Fein, National Defense Magazine
- “FedRAMP reform measures enacted as Biden signs NDAA into law” – Nihal Krishan, FedScoop
- “USDA plots departmentwide cloud move with STRATUS contract” – Billy Mitchell, FedScoop
- “GSA Official: Lean on FedRAMP, CIO Council Guide for Zero Trust” – Jose Rascon, MeriTalk
- “FedRAMP, StateRAMP cultivate small biz providers” – Chris Teale, GCN
- “Walden: FedRAMP Process on Radar With NCS Implementation” – John Curran, MertiTalk