This is the first of a series of blogs on the evolving landscape of secure commercial cloud computing enabled by the FedRAMP program.
The President signed into law H.R. 7776, the “James M. Inhofe National Defense Authorization Act for Fiscal Year 2023”, which includes the FedRAMP Authorization Act. The FedRAMP Authorization Act codifies the Federal Risk and Authorization Management (FedRAMP) Program, which is a Government-wide initiative that provides a standardized, reusable approach to security assessment and authorization for cloud computing products and services that process unclassified information used by agencies.
The FedRAMP program is governed by the FedRAMP Program Management Office (PMO) within the General Services Administration (GSA). The FedRAMP Program was established in 2012 through an Office of Management and Budget (OMB) memorandum. The passage of the FedRAMP Authorization Act codifies this program into a law enacted by Congress with formal congressional scrutiny and oversight. This blog provides an overview of significant changes and implications for cloud service providers and agencies related to the FedRAMP program.
The FedRAMP Program in 2023 and Beyond
One of the biggest changes to the FedRAMP program because of the FedRAMP Authorization Act will be Congressional oversight and GAO reports. Expect greater reporting and focus on metrics related to ATO costs, utilization of cloud services by agencies, and continuous improvement through automation. A key aspect of the FedRAMP Authorization Act is the recognition of the cost burdens of FedRAMP ATOs on small businesses and the desire to ensure their participation in the program. Key elements of the FedRAMP Authorization Act are summarized below.
Metrics and Performance Standards: OMB and GSA/FedRAMP PMO will be required to produce and submit reports for Congressional review. Specific elements of reporting include:
(1) Reporting on speed, effectiveness, sharing, reuse, and security of FedRAMP ATOs by GSA/FedRAMP PMO and Agencies.
(2) Establish annual metrics regarding the time and quality of the assessments necessary for completion of FedRAMP authorizations that can be consistently tracked over time.
(3) Data on FedRAMP authorizations.
(4) The average length of time to issue FedRAMP authorizations.
(5) The number of FedRAMP authorizations submitted, issued, and denied.
(6) Reporting on techniques to securely automate FedRAMP processes.
(7) The number and characteristics of authorized cloud service offerings in use at each agency.
(8) A review of FedRAMP measures to ensure the security of data stored or processed by cloud service providers, which may include—
• geolocation restrictions for provided products or services;
• disclosures of foreign elements of supply chains of acquired products or services;
• continued disclosures of ownership of cloud service providers by foreign entities; and
• encryption for data processed, stored, or transmitted by cloud service providers.
Foreign Ownership Reporting by CSPs and 3PAOs: Cloud Service Providers (CSP) and 3PAO’s shall report any change in foreign ownership or control within 48 hours. There is expected to be additional scrutiny and reporting on foreign ownership of CSPs and 3PAOs.
Agency Acceptance of FedRAMP ATOs: The assessment of security controls and materials within the authorization package for a CSP with a FedRAMP ATO shall be presumed adequate for use by an agency. Regardless, this clause does not alter the right of the Agency to seek additional controls or be responsible for risk-based acceptance of FedRAMP accredited commercial cloud services.
Oversight through GAO Reporting: The GAO is directed to provide independent assessment and reporting on critical program, parameters including:
(1) The costs incurred by agencies and cloud service providers relating to the issuance of FedRAMP authorizations.
(2) The extent to which agencies have processes in place to continuously monitor the implementation of cloud computing products and services operating as Federal information systems.
(3) How often and for which categories of products and services agencies use FedRAMP authorizations.
(4) The unique costs and potential burdens incurred by cloud computing companies that are small business concerns.
Federal Secure Cloud Advisory Committee: The FedRAMP Authorization Act mandates the creation of a 15-member committee to provide recommendations and opportunities for engaging a wide cross section of agencies, CSP’s especially small businesses. There will be at least 5 representatives from unique businesses that primarily provide cloud computing services, including at least 2 representatives from a small business concern.
The FedRAMP Crystal ball
The FedRAMP Program is now codified as a law with Congressional oversight, which is likely to spur greater debate and drive agencies to consider FedRAMP accredited commercial cloud services for their modernization and security needs. Given that numerous reports, metrics, and usage data will be produced there is going to be greater emphasis on quantifying cost savings for agencies through reuse of commercial cloud services.
Also, given the significant industry investment in the FedRAMP program, there is going to be continued focus on removing sponsorship bottlenecks and driving down compliance costs specially to enable small business participation. Large CSPs should consider formalizing programs that enable Small Business participation to allow for the development and delivery of innovative FedRAMP accredited SaaS solutions.
Overall, the Act will allow for greater transparency, potential funding, and drive robust debate on using secure commercial cloud services for improving the security and customer experience of government services. Commercial CSPs including Small Businesses will have the ability to evolve the FedRAMP program.
Industry organizations like the Alliance for Digital Innovation (ADI) amongst others will continue to advocate for greater funding to support the FedRAMP program and encourage Agencies to consider secure commercial cloud services for their mission needs.
“The passage of the FedRAMP legislation will kick start a much-needed update to the program. The leadership at the FedRAMP program management office and GSA’s Technology Transformation Service have done a good job of streamlining the program and making it more customer focused with the limited resources that it has available. However, the needs of agencies that are moving to the cloud and the volume of cloud-based services and software are creating a demand that the current FedRAMP program cannot meet given its resources and policy parameters”, said Ross Nodurft, Executive Director, Alliance for Digital Innovation (ADI). ”This legislation enables OMB and GSA to reimagine a FedRAMP process as well as the marketplace that gives agencies access to modern, cloud based services while maintaining a high security standard. Coupled with the additional funding in the FY2023 Omnibus bill, this new authorization language will allow the program to evolve and transform to meet the ever-expanding modernization needs of our agency enterprises.”