M-24-15 Section I. Background

Since its establishment in 2011, FedRAMP has operated by partnering with agencies and third-party assessors to identify appropriate cloud computing products and services, and evaluate those products and services against a common baseline of security controls. Agency authorizing officials use this information to make informed, risk-based, and efficient decisions concerning the use of those cloud computing products and services. Since FedRAMP's inception, agencies have reused existing authorizations hundreds of times across over 300 offerings, and the program has provided a consistent gateway for industry to navigate entry and onboarding into the Federal marketplace.

When FedRAMP began, the Federal Government was focused on securely facilitating agencies' use of commercially available infrastructure as a service (IaaS) offerings, which provide virtualized computing resources natively designed to be more scalable and automatable than traditional data center environments. In the years since, the commercial cloud marketplace has grown, especially in the area of software as a service (SaaS), which encompasses cloud-based applications made available over the internet. The COVID-19 pandemic only further accelerated the growth of the SaaS market, as shifts in the workplace landscape led more organizations to rely on remote collaboration tools for their workforce and to expand the online services they provide to their customers.

Because Federal agencies require the ability to use more commercial SaaS products and services to meet their enterprise and public-facing needs, FedRAMP must continue to change and evolve. While an IaaS provider might offer virtualized computing infrastructure appropriate for general-purpose enterprise uses, SaaS providers typically offer focused applications. A large agency might rely on only a few IaaS providers to support its custom applications, but could easily benefit from hundreds of different SaaS tools for various collaboration and mission-specific needs. SaaS providers may also target highly tailored use cases that are only relevant to specific sectors and may not be useful to every agency, but which can significantly enhance the effectiveness of the agencies with missions in that sector.

Beyond the changing cloud marketplace, the Federal Government has learned important cybersecurity lessons over the last decade that should be reflected in its approach to cloud security. Keeping a step ahead of adversaries requires the Federal Government to be an early adopter of innovative new approaches to cloud security offered and used by private sector platforms. Federal agencies have finite resources to dedicate to cybersecurity, and must focus those resources where they matter the most. The use of commercial cloud services by Federal agencies is itself a major cybersecurity benefit, freeing up resources that would otherwise have to be dedicated to operating and maintaining in-house infrastructure.

Similarly, FedRAMP must also focus its attention and engagement with industry on security controls that lead to the greatest reduction of risk to Federal information and agency missions, grounding them in security expertise and real-world threat assessment. While defined compliance procedures can promote consistency and basic rigor, it is important to emphasize FedRAMP's primary purpose: to assist agencies in selecting and adopting cloud solutions with appropriate safeguards for the security of the information they process. To that end, FedRAMP must be an expert program that can analyze and validate the security claims of Cloud Service Providers (CSPs), while making risk management decisions that will determine the adequacy of a FedRAMP authorization for reuse within the Federal Government.

Strategic changes to the FedRAMP program will ensure that it can enable the Federal Government to safely use the best of the commercial cloud marketplace for years to come.