Jan 2023 – FedRAMP, StateRAMP and CMMC 2.0 Roundup

There were a number of significant activities in January 2023 related to FedRAMP, StateRAMP and CMMC 2.0 marketplace.

As part of the FedRAMP Authorization Act, The General Services Administration (GSA) issued a call for nominations for the Federal Secure Cloud Advisory Committee (FSCAC). FSCAC is a statutory advisory committee in accordance with the provisions of FACA and nominations expected to be filed by Feb 9, 2023.

Four new Cloud Service Offering (CSO) were FedRAMP Authorized by the FedRAMP PMO in January 2023. These were:

1. MongoDB Atlas for Government received a FedRAMP Moderate P-ATO hosted on AWS GovCloud. The 3PAO for the system assessment was Schellman. The sponsor agency was Health and Human Services (HHS).

2. Armis Federal Edition Security Platform received a FedRAMP Moderate P-ATO hosted on AWS GovCloud. The 3PAO for the system assessment was Schellman. The sponsor agency was Health and Human Services (HHS).

3. Menlo Security received a FedRAMP Moderate P-ATO. The 3PAO for the system assessment was Schellman. The sponsor agency was Department of Energy (DoE).

4. LaunchDarkly DevOps Platform received a FedRAMP Moderate P-ATO. The 3PAO for the system assessment was Schellman. The sponsor agency was Health and Human Services (HHS).

5. Cyware Fusion Platform received a FedRAMP Ready The 3PAO for the system assessment was Schellman.

US Federal Agencies are expected to spend nearly $19B on cloud services by 2024. There are now 294 authorized cloud service providers listed in the marketplace.

The StateRAMP program for commercial cloud services continues to grow in maturity and size. There were two new services authorized in January 2023.

1. Casepoint Government EDiscovery received a StateRAMP Moderate P-ATO hosted on Microsoft Azure Cloud. The 3PAO for the system assessment was Schellman.

2. Appian Platform received a StateRAMP Moderate P-ATO hosted on AWS GovCloud. The 3PAO for the system assessment was Coalfire.

The OMB OIRA published a Notice of Proposed Rulemaking (NPRM), which is likely to shift the implementation of the new CMMC 2.0 cybersecurity program to 2024. The CMMC 2.0 program is a Department of Defense (DoD) cybersecurity framework designed to safeguard sensitive national security information. CMMC 2.0 is applicable to the defense industrial base’s (DIB) and seeks to protect sensitive unclassified information from frequent and increasingly complex cyberattacks.

We hope you find these resources helpful. Please contact us to schedule a free consultation and planning discussion if you are pursuing a CMMC 2.0, FedRAMP, FISMA or StateRAMP ATO Project.