The Next Phase of FedRAMP
July 26 | 2024
By Zaree Singer
Today, the White House Office of Management and Budget (OMB) released M-24-15, “Modernizing the Federal Risk and Authorization Management Program (FedRAMP)” which establishes FedRAMP’s strategic goals and calls for significant shifts in FedRAMP operations to accelerate agencies’ secure adoption of cloud services. The guidance clearly positions FedRAMP as a security and risk management program, with a focus on significantly scaling the FedRAMP marketplace, and streamlining and automating more of the authorization process.
The updated policy further reinforces the priorities we highlighted in March in FedRAMP’s public roadmap, which has been driving the recent work of the program.
FedRAMP has taken multiple actions to shift its operations, governance, and strategy to align with the updated policy:
-
Establishing new paths to authorization: FedRAMP will be conducting “program authorizations” for some cloud service providers (CSPs) without an agency sponsor. In the short term, this path will be for CSPs who were either queued or prioritized to work with the Joint Authorization Board (JAB), with a future focus on building out criteria and an approach for opening this path market-wide.
-
Creating new governance: The new FedRAMP Board has been established and recently held its first meeting. The Board will play an integral role in shaping FedRAMP’s strategy and policy, and in convening their federal agency peers to expand the FedRAMP authorizing capacity of the federal ecosystem.
-
Increased technical capacity: Through our advisory groups and hiring, we’ve been investing in grounding FedRAMP’s operations and policies in technical expertise. With OMB, we established the FedRAMP Technical Advisory Group, which has been providing feedback on potential FedRAMP guidance, including our upcoming draft guidance pertaining to FIPS 140 validation. On the hiring front, we expect to end FY24 with a significant technical team with an engineering and data science background to support our work in automation, data analysis, and authorization. We are not done hiring yet this year and will have more security-focused roles opening soon.
-
Integrating agile principles into the authorization process: FedRAMP launched an agile delivery pilot, focused on testing a new non-blocking process for reviewing significant changes, with an initial focus on new feature additions to existing cloud service offerings (CSOs). We are accepting applications through the end of the day today, and our goal is to use what we learned from this pilot to eventually replace the current “significant change request” process with an approach that does not require advance approval for each change.
-
Streamlining and automating more of the authorization process: We launched automate.fedramp.gov, which is the home for all documentation that supports CSPs throughout the process of authoring an Open Security Controls Assessment Language (OSCAL)-based digital authorization package, and to support developers of tools that help create digital authorization packages.
We’ll soon be sharing more details about how these changes will impact CSPs with provisional authorizations issued by the former JAB. We also know that many of our customers will have questions about how these shifts impact their experience with FedRAMP, and we’ll be publishing more information on our website to answer customer questions. To submit a question, please fill out this form.
Finally, we’d like to thank everyone who submitted comments on the draft policy memo last year. Though the comments were formally directed at OMB, we also read them all here at FedRAMP, and we’ve taken them seriously as we’ve developed and implemented our roadmap. We’ll continue engaging publicly and working with our customers as we move into FedRAMP’s next decade of delivery.
