OMB’s new FedRAMP policy takes aim at the pain points

Nearly 13 years since issuing the first cloud security memo under FedRAMP, the Office of Management and Budget today is out with new and improved approach to authorizing these services.

OMB reviewed hundreds of comments over the last nine months and believes the new policy will address many of the long-standing challenges FedRAMP has faced.

Drew Myklegard, the deputy federal chief information officer at OMB, said the new memo further cements the pivot FedRAMP specifically and agency cloud use, more broadly, have been undergoing over the last few years. When OMB issued the 2011 FedRAMP memo, agencies mostly were buying infrastructure-as-a-service (IaaS) products, but now agencies are investing predominantly in software-as-a-service (SaaS).

“What we learned through that process of public comment, and in those last nine months of building out this program is that we really needed to focus on a couple of areas. One of them was automation. Clarifying, like what were the expectations for our cloud service providers (CSPs), some of the underlying standards with government governance, risk and compliance (GRC) tools and the tooling,” Myklegard said in an interview with Federal News Network. “Another area is when CSPs leverage existing authorizations, not only is there a presumption of adequacy, once we’ve authorized that first product, but also the products that those CSPs are leveraging. So if you’re a software provider, and you use other FedRAMP authorized products, the expectation is the agency should presume that the underlying authorizations with the same rapidity, with the same confidence that they would any other authorization, which sounds kind of a small thing, but it’s really, really important in what we see these CSPs and how they build on SaaS products and leverage them to deliver value.”

The third major change in the memo, Myklegard highlighted, is around clarifying the expectations so agencies understand their role in supporting the FedRAMP process, both through authorizing products and reuse.

FedRAMP’s modernization journey

OMB released a draft FedRAMP memo last October signaling the change to focus on making SaaS products easier. Over the last nine months, OMB and its partners at the General Services Administration analyzed the feedback that led to this final version.

The policy is a major piece to the ongoing effort to modernize the cloud security program.

Since January, GSA has been laying out its plans to implement some of the concepts outlined in the draft memo. In March, the FedRAMP program management office laid out a new roadmap with 4 primary goals, 6 initiatives and 28 near-term priorities.

In May, OMB detailed its plans to replace the Joint Authorization Board (JAB) and set up its new technical advisory board.

And then earlier this month, the program management office kicked of a new agile delivery pilot and published its technical documentation hub to help spur the use of automation for security authorizations.

The push for automation and the presumption of adequacy are among the two specific ways OMB is trying to address long-standing pain points.

The presumption of adequacy is part of the initial goal of “authorize once and use many.”

“FedRAMP should reduce duplicative work for agencies and companies alike, bringing a measure of consistency and coherence to what the federal government requires from cloud providers. To that end, if a given cloud product or service has a FedRAMP authorization at a given FIPS 199 impact level, the act requires that agencies must presume the security assessment documented in the authorization package is adequate for their use in issuing an authorization to operate at or below that FIPS 199 impact level,” the memo states. “This presumption of adequacy applies as long as a FedRAMP authorization is actively maintained by satisfying-ongoing requirements (i.e., continuous monitoring).”

Myklegard said related to, but not in the memo, is an effort to look at third-party frameworks to help with reciprocity. He said SOC 2, Type 2, ISO and HITRUST  may be several of those standards that are under consideration.

“What we see is both external like other governments and other entities using FedRAMP as an authorization in lieu of having to go through a lot of other authorizations. It’s right where the maturity level in the federal government, where we can start leveraging those types of frameworks to get people authorized faster,” he said. “There’s risks that need to be taken into account, but we feel like we understand both the carrots and the sticks of that. Obviously, we understand these controls and the similarities between them. Now, I may need some other controls in addition, but it gives me a good grounding point and a good starting point. ”

Mill added that the third-party framework effort is just getting started and will be more of a 2025 priority.

Future of JAB authorizations

Myklegard said this change is all about building a supply chain of trust.

“We’re pivoting towards agency authorizations, joint authorizations done by a number of forward leaning agencies, and then also program authorizations done by the FedRAMP PMO,” he said. “What we’re doing there is like leveling the playing field by raising the security on all of our authorizations.”

The FedRAMP program authorizations also is how the PMO will address current CSPs with JAB authorizations and those already in the process.

Eric Mill, the executive director for cloud strategy at GSA, said future program authorizations will be CSPs who don’t have an agency sponsor.

“What we are doing right now is making sure that they are a tool at our disposal to help agencies that were prioritized by the JAB before they stopped taking in new cloud providers, and cloud providers who have done lots of work, in some cases, to prepare for what the government’s reasonable expectation that had been set that they would go through that process,” Mill said. “Our commitment to them that we’ve made privately and publicly is that we’re going to get them through the process. For a number that do have an agency sponsor, and what may or may be one or more agencies that will help them through. That is probably going to be the most straightforward way for some of them who have those relationships. For others, we will be using our program authorizations to do that process. We’re going to learn a lot from that. I think that will help us establish what the criteria are, and the strategic approach for how we use them widely.”

Automation is another long-held goal for FedRAMP, going back to 2020 testing and proving out the Open Security Controls Assessment Language (OSCAL).

FedRAMP PMO hiring spree

“GSA must establish a means of automating FedRAMP security assessments and reviews, and agency and CSP reuse of an existing authorization. To ensure that GSA meets that requirement, FedRAMP should receive all artifacts in the authorization process and continuous monitoring process as machine-readable data, through application programming interfaces (APIs), to the extent feasible,” the memo states. “The package exchange APIs should support predictable and self-service integration between services operated by FedRAMP and by CSPs. The FedRAMP PMO, in consultation with the FedRAMP Board, will explore the use of artificial intelligence (AI) in the FedRAMP security assessment review and continuous monitoring processes. FedRAMP will begin by piloting the use of this emerging technology to determine feasibility and utility in an effort to improve security outcomes and scalability.”

Myklegard said he hopes by promoting automation through the policy and the PMO, cloud service providers adopt machine-readable formats for their security packages.

Additionally, Mill said the FedRAMP PMO has been on a hiring spree over the past year, bringing in specific skillsets to help advance the use of automation.

“It is being able to be strategic in the choices that you’re making and how to understand what the community is telling you, how to wrestle through an interesting compatibility or technical problem or having to make an interesting decision about which piece of the standard or the specification that you have to decide whether or not to ignore for now or prioritize later,” Mill said. “These are strategic decisions with implications on how companies are budgeting for what they’re going to implement, the signal the government is sending about what we will be supporting. It requires full time people in place whose job it is to do that and to solve that problem, and that is what we are focused on.”

Over the course of the next several months, OMB and GSA will go on a “road show” to ensure agency CIOs, chief information security officers, agency inspectors general and others understand what’s in the memo and to answer any questions. Myklegard said these meetings will help make it more clear that OMB is giving agencies “top cover” to reuse and trust existing FedRAMP authorizations and to continue to improve the processes.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.