
FedRAMP Gets Security, Automation Overhaul in OMB Memo

Updates to the cloud procurement program focus on new cybersecurity and emerging technology priorities in federal government.


The Office of Management and Budget’s new memo updating the Federal Risk and Authorization Management Program (FedRAMP) addresses new priorities brought on by evolving cybersecurity threats and emerging technology that affect the cloud marketplace, according to federal officials.

“[OMB’s] guidance is a refactoring of FedRAMP to meet the changes that have been happening all around us for the last 10 years,” said Eric Mill, executive director of cloud strategy at GSA, at an event last month. “You have to refactor what you’re doing when the approach that you took doesn’t scale in the same way.”

Specifically, the memo directs the General Services Administration to update FedRAMP’s continuous monitoring processes and associated documentation and establish more automation of security assessments and reviews.

It also establishes new paths for FedRAMP authorization, though details of how the changes will affect cloud service providers are still forthcoming.

“We’re looking to work with probably around 20 cloud providers over the year,” said Mill. “This has become a real mantra for us: looking for places where we can get both speed and security at the same time, and there are many places we can do that.”

A New Era for FedRAMP

The OMB memo follows and reinforces the roadmap GSA released in March, which set goals to orient the program around improving the customer experience, position the program as a cybersecurity leader, integrate more emerging technology and scale the FedRAMP marketplace.

The guidance outlines new paths for FedRAMP authorization through agency authorizations, program authorizations and alternative pathways that will be approved by OMB and the National Institute of Standards and Technology (NIST). The FedRAMP director will be responsible for ensuring the agency’s authorizations meet all requirements.

Mill said the agency is in the final stages of hiring a FedRAMP director and, as a whole, GSA has worked to hire more cybersecurity professionals within FedRAMP.

“We are bringing in multiple folks to the program with strong technology, data science, machine learning type backgrounds, to both build out our automation infrastructure and help us get better insights from the security data that we collect,” said Mill.

Deputy Federal CIO Drew Myklegard added that the guidance provides a better understanding of why the federal government needs the program.

“It’s a challenging thing to understand from the outside. People don’t understand how much value you get from a program like this,” said Myklegard. “I think the legislation helps, the outreach from GSA and the work that almost all the agencies are doing to promote [FedRAMP] is helping to understand how companies and agencies can run that gauntlet and leverage it.”

Myklegard also noted how the guidance will restructure the FedRAMP board by providing increased responsibilities. He said the board will focus on strategy, metrics and helping with future roadmaps for the program. The board will also be tasked with creating and updating requirements and guidelines for security authorizations of cloud products and services that align with NIST.

“We want the software companies to be there and [say], ‘I understand these NIST standards, I understand the controls that you’re looking at and how to satisfy them’ because that’ll move everything along,” Myklegard said.

FedRAMP Next Steps

The memo tasks agencies with updating their agency-wide policies regarding FedRAMP and promoting the use of cloud computing services and products that are FedRAMP compliant.

GSA is to update FedRAMP processes and documentation to reflect the memo. GSA will also have one year to create a plan to urge agencies to move away from government-specific cloud infrastructure with the FedRAMP board’s approval and input from industry partners.

The memo also includes a plan for GSA to automate security assessments and reviews. Within 18 months the agency must be able to receive FedRAMP-related artifacts in automated, machine-readable form.

“Cloud service providers (CSPs) need to know the process of creating Open Security Controls Assessment Language (OSCAL)-based digital authorization packages, and agencies need the right tools to ingest those authorization packages,” a GSA spokesperson said. “Automate.fedramp.gov is a hub for all documentation that supports CSPs throughout this process and to support developers of tools that help create and use digital authorization packages. The website is open source, so anyone, including agencies and CSPs, can provide feedback or open pull requests to improve the site’s contents.”

FedRAMP this week also said it is accepting public comments until Aug. 29 for proposed metrics to measure the end-to-end experience.

“The feedback will be used to focus and refine the current set of measures that will keep FedRAMP focused on security and customer experience. The metrics are designed to capture the experiences of different customers and partners, as well as FedRAMP’s performance,” a GSA spokesperson told GovCIO Media & Research.
