The Office of Management and Budget took a major step in the revamping of the cloud security program called FedRAMP.
OMB last week officially created the replacement for the Joint Authorization Board (JAB), called the FedRAMP Board. The new board will provide executive oversight and governance of the program.
An OMB spokesperson says the board, which is made up of seven people, including legislatively-mandated representatives from the General Services Administration, and the departments of Defense and Homeland Security, also includes representatives from the Department of Veterans Affairs (VA), the Department of the Air Force, the Cybersecurity and Infrastructure Agency (CISA) and the Federal Deposit Insurance Corporation (FDIC). Experts from GSA, DoD and DHS made up the JAB from the start.
“One of our key priorities in selecting members of the FedRAMP Board is to strike the right balance between retaining experience and institutional knowledge from agencies that were part of the Joint Authorization Board (JAB) while also including diverse agency viewpoints into the FedRAMP strategic setting process,” said Drew Myklegard, deputy federal chief information officer in OMB, in an email to Federal News Network.
New policy still in draft
OMB initially introduced the idea of the FedRAMP Board as part of its draft policy update released in October. The spokesperson didn’t offer any insight to when the OMB would issue the final memo.
But Federal CIO Clare Martorana said the new memo and related efforts come at a key time for FedRAMP, which is relying on guidance that is more than 10 years old.
“This is a pivotal moment to evolve the FedRAMP Program, aligning it with the dynamic cloud landscape of today and tomorrow,” Martorana said in a statement. “Our schedule included time for an inclusive and collaborative policy design process, where we actively solicited feedback from government agencies, industry, and the general public. By considering diverse perspectives, OMB will help to ensure that our new policy will stand the test of time.”
The Office of Information and Regulatory Affairs in OMB’s Regulations.gov website shows Martorana’s office received 290 comments on the draft guidance.
GSA today also added another piece to the FedRAMP revamp, making changes to the membership and chairperson of the Federal Secure Cloud Advisory Committee (FSCAC), which are effective May 15.
The FSCAC advises FedRAMP on the adoption, use, authorization, monitoring, acquisition and security of cloud computing products and services.
GSA named Larry Hale, GSA’s deputy assistant commissioner in the Office of Information Technology Category Management in the Federal Acquisition Service, the new chairman, and added two new industry members and extended two current committee members.
GSA established the FSCAC, which will hold its next meeting on May 20, in February 2023. Its recommendations complement the FedRAMP Technical Advisory Group, an advisory body of federal technical experts, as well as the FedRAMP Board.
Chairperson, vice chairperson to be named
While OMB sorts through the comments on the draft FedRAMP memo, it went ahead and replaced the JAB with new members.
OMB says the board CIOs, chief information security officers (CISOs) as well as a deputy CIO, whose focus is in engineering, and CISA’s technical director for cybersecurity.
OMB and GSA will each designate a non-voting member to be chairperson and vice chairperson of the board, who will manage its overall agenda.
The spokesperson said one of the board’s first actions will be to approve a charter that will finalize details around terms. In general, all members of the board will serve time-limited terms and are expected to rotate over time. DoD, DHS, and GSA will consistently have representation on the FedRAMP Board, as established by the FedRAMP Authorization Act.
The spokesperson says the board will have similar responsibilities as the JAB such as reviewing and approving FedRAMP policies and requirements. It will oversee the overall health and performance of FedRAMP, and will work within the federal community to expand the authorization capacity of the FedRAMP ecosystem
The board, however, is not expected to participate in the approval of individual authorization packages.
“We are currently planning the inaugural FedRAMP Board meeting. The FedRAMP Roadmap and feedback from the Federal Secure Cloud Advisory Committee (FSCAC) will inform the board’s overall agenda,” the OMB spokesperson said. “The FedRAMP Board’s early priorities will include ensuring a smooth transition from the JAB and its provisional authorizations and any work in progress that directly affects customers, engaging with the federal community to increase the number of FedRAMP authorizations performed by one or more agencies, and working with the FedRAMP program to support updated performance metrics, greater consistency across authorization processes and continuous monitoring, and other FedRAMP roadmap initiatives.”
Copyright
© 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.