The cloud security program known as FedRAMP is getting its first major update in more than a decade to better address the shift toward software-as-a-service.
The Office of Management and Budget’s draft memo would transition the Joint Authorization Board (JAB) to a seven-member FedRAMP Board, promote the concept of joint authorizations among agencies in similar sectors like healthcare and take steps that aim to produce a more transparent and straightforward authorization process.
Drew Myklegard, the deputy federal chief information officer, said the updates closely follow the FedRAMP Authorization Act Congress passed and President Joe Biden signed into law in December as part of the 2023 Defense authorization bill.
“We’ve seen a huge increase in the number of products that our businesses need to achieve their mission and what the administration wants. We’re going back and adjusting the FedRAMP program management office to meet the demands of today,” Myklegard said in an exclusive interview with Federal News Network. “At the core, it’s to react to the changing environment. The problem set in the beginning was how do we get major infrastructure providers into the federal government and operating? Right now, we need to solve the problem of how do we get thousands of SaaS and platform-as-a-service (PaaS) providers in? They’re totally different companies; many of them leverage, like big infrastructure-as-a-service (IaaS) providers, but we have to look at them in a totally different risk posture.”
Currently, there are 318 FedRAMP authorized cloud services and another 126 in process or at the ready stage. Out of those 318, 284 are SaaS. And of those 126 in process or at the ready stage, 120 are software-as-a-service.
OMB’s draft memo is out for public comment through Nov. 27 and the General Services Administration is setting up a public engagement forum to elicit further input from the federal community at large.
“What we’re looking for now is our office takes a very open view to feedback. We put a lot of stuff out for feedback, and we really need your responses,” Myklegard said. “The more robust feedback that we get, the better that we can make this. FedRAMP was one of the most important memos that I used when I was at Department of Veterans Affairs.”
OMB launched the Federal Risk and Authorization Management Program (FedRAMP) in 2011 as agencies were still in the “cloud first” phase of IT modernization. The goal was simple: Create a repository of cloud security documents that every agency could use to move to these off-premise services more quickly.
FedRAMP has evolved over the past decade, partly based on agency and industry requirements and partly based on concerns that getting through the process took too long and cost too much. The program management office introduced new concepts like FedRAMP Tailored and FedRAMP Accelerated, new processes like FedRAMP Ready, and successfully tested automation using the Open Security Controls Assessment Language (OSCAL).
Updates to FedRAMP JAB
OMB’s new guidance is the next major piece to that evolution.
The decision to replace the JAB with a new board made up of seven people, including legislatively-mandated representatives from GSA, and the departments of Defense and Homeland Security, is among the most significant changes.
Myklegard said the new board will do a lot of the same work as the JAB: setting direction and deciding strategy, both for security and for the needs of agencies.
“We are looking for cross-agency representation. It’s a little bit different from the Technology Modernization Fund (TMF) board, as the TMF is focused on projects and approving those; this is going to be a mixture of the three legislatively mandated agencies, the business lines and the folks who are building software,” he said.
Underneath the new FedRAMP board will be a new technical advisory group.
Myklegard said that will be a separate group made up of security experts in the federal sector.
“The technical advisory group will sit underneath the FedRAMP board and advise those sponsors of different products and be their security subject matter experts,” he said. “Those are going to be like just a larger version of the current group of the JAB. They’re advising the CIOs and CISOs that are working to provide those authorizations around like all the details they need, as well as with ongoing continuous monitoring. Getting the authorization is important, but the long term monitoring of security risks is also just as important.”
OMB promises more transparency
Another proposed change by OMB is the push for more joint authorizations by agencies with similar needs.
Myklegard said the memo will encourage agency CIOs and chief information security officers to work together to get cloud products through the process. OMB also plans to “strongly” incentivize the reuse of FedRAMP authorizations.
“What we’ve seen in the last couple years is a larger number of companies that are SaaS native, and it’s more of a challenge for them to get through the process,” he said. “We are going to add a lot of transparency to the reporting, like people need to know where they stand in the process and what are the expectations? We’re responsible as the federal government for the whole process. At the end of the day, if the business lines can’t get what they need, they’re not going to be able to achieve their mission. Now that it’s been a couple years of challenges, we know how to gather the right controls, we know the areas to focus on with the zero trust architecture and that type of thing. We’re hoping that a lot of those companies are building at the beginning with the security architecture and framework that will enable them to pass through FedRAMP quicker.”
FedRAMP’s increasing reliance on automation also will help accelerate the process.
“In order to design policy that works, it’s critical that we engage stakeholders,” said Clare Martorana, the federal CIO, in a blog post. “We are taking a human-centered policy design approach and soliciting input to learn about how government and industry experience the FedRAMP process and how we could evolve the program to increase its use and drive greater impact.”
Matthew Cornelius, managing director for federal industry at Workday and a former Senate Homeland Security and Governmental Affairs Committee staff member, applauded the expected changes in the memo.
“Ensuring that federal agencies have access to best-in-class, cloud native solutions will help drive critical administration priorities — such as workforce modernization, improved customer service delivery, and stronger cybersecurity efforts to rigorously protect government information,” Cornelius said. “We hope the new guidance will enable agencies to leverage cutting-edge commercial cloud offerings and eliminate legacy, customized and insecure IT solutions.”