
FedRAMP at a Crossroads: A “Lifetime” 3PAO’s Perspective

FedRAMP | Federal Assessments

Published: Mar 10, 2025

Cybersecurity is no longer just a best practice—it’s a necessity, a foundational pillar of our national security. For over a decade, FedRAMP, or the Federal Risk and Authorization Management Program, has set the gold standard for securing the federal government’s cloud infrastructure, saving time, resources, and taxpayer dollars. But today, we stand at a crossroads. The challenges in front of us (bureaucratic roadblocks, inefficiencies, and budget constraints) threaten to unravel years of progress. The question is clear: Will we rise to the occasion, modernizing FedRAMP without sacrificing its integrity? Or will we allow short-term obstacles to drag us backward into an era of duplication, inconsistency, and increased vulnerability?

As a leading Third-Party Assessment Organization (3PAO) involved with FedRAMP since its inception, Schellman has a unique, firsthand perspective on nearly every phase of the program, and as a result, we believe it's our responsibility to share our insights on the current challenges, risks, and opportunities facing FedRAMP. 

Challenges With FedRAMP Today 

1. Agency Sponsorship

One of the biggest challenges that CSPs face when pursuing FedRAMP is not the hundreds of controls they are required to implement, or the costs associated with engineering efforts or the 3PAO assessment, but the ability to find a Federal agency sponsor. Schellman has many clients with Federal agencies that are committed to using their system, but the agencies do not have the resources, expertise, or desire to sponsor a cloud service offering through the FedRAMP process. This roadblock needs to change, and a viable path must be put into place that allows CSPs to pursue FedRAMP and achieve authorization without a Federal agency sponsor.

2. Complexity of Requirements and Work Product

We recognize the amount of work it takes for a CSP to build a 500-page system security plan while also engineering a system to meet FIPS 140-2 requirements.  We understand which NIST 800-53 controls add value to security and where others may be redundant or unnecessary.  While these complexities should be re-evaluated, ideas and plans to automate the manual documentation and review requirements have previously been put forward and subsequently shelved. 

3. Concern Over 3PAO and Assessment Quality

The use of independent third-party assessment providers is not unique to FedRAMP.  The private sector’s leading IT security and compliance standards such as SOC 2, ISO 27001, and PCI all require an independent assessment to demonstrate a system’s security posture.  Why?  Because the consumers demand it—and FedRAMP should be no different.  United States citizens do not just demand, but deserve, to have their data securely protected by the Federal government and the CSPs who choose to support the Federal government’s mission. 

That said, the PMO has noted concerns over the quality of some 3PAO work products, and unfortunately, we have seen this as well. In other compliance domains, assessors are reviewed and held accountable, and if their work lacks quality, they are disqualified from performing those assessments.

The Risk of Going Backwards 

First and foremost, the risk to our national security is of the utmost importance.  With the rigor and high bar of FedRAMP, and the FISMA regulation and NIST standards that guide it, we cannot afford to water down security requirements or simply trust that all parties have performed their proper due diligence without third-party validation.  Our adversaries know this and are watching. 

Prior to FedRAMP’s inception, each Federal agency had to independently assess the security of IT systems and cloud services to comply with FISMA regulations.  This process meant that each agency would often perform the same evaluations for the same service providers, leading to duplication of effort and increased costs.  FedRAMP streamlined this process by standardizing the security requirements and allowing a single assessment to be used across multiple agencies.   A recent GSA publication estimated that taxpayers have saved more than $700 million over the lifetime of FedRAMP when compared to the “legacy” FISMA approach of duplicative and siloed Agency assessments and authorizations.  Pushing the assessment requirements and standards back to the Agencies would increase costs to the government and taxpayers by hundreds of millions of dollars. 

Lastly, in today’s world of artificial intelligence and technological advancements, we are seeing breakthroughs in automation that are resulting in significant efficiencies for individuals and organizations.  While FedRAMP should embrace these automation opportunities, the program cannot lose sight of its original mission—promoting the adoption of secure cloud services across the federal government. 

Opportunities and Recommendations for Improvement 

While there are plenty of rumors circulating amongst the FedRAMP community on what the program’s future may hold, we feel it is our duty as a leading 3PAO to share our recommendations and opportunities to partner with FedRAMP. 

1. Lower the Barriers to Entry for Agency Sponsorship

FedRAMP must revisit the requirements necessary for a cloud service offering to be listed on the FedRAMP Marketplace. Options could include eliminating the sponsorship requirement altogether, similar to what the StateRAMP (now GovRAMP) Approvals Committee authorization process has achieved at the state and local levels. This simple action would immediately increase the throughput of cloud technology that is available to Federal agencies.

Additionally, providing an interim or evaluation path for Federal agencies not ready to purchase, but in need of pre-approved solutions, would help provide additional options. 

2. Streamline the Review Process

FedRAMP should rethink the roles and responsibilities of the various stakeholders in the process (e.g., 3PAO, Federal agencies, and PMO) to ensure efforts are not being duplicated across the assessment and authorization review steps.  Simply defining and enforcing ownership responsibilities of the risk identifier, risk acceptor, and quality assurance reviewer would help streamline and speed up the review process and allow Federal agencies to obtain cloud technology through FedRAMP at an accelerated rate.   

While the risk acceptance role must always stay with Federal agencies, FedRAMP should explore opportunities that put both risk identification responsibilities and quality assurance accountability on the 3PAOs performing the assessments.  This would eliminate the need for the current PMO review process, immediately reduce the authorization timeline, and increase the number of cloud services available to the government. 

3. Mandate Quality with Assessments and 3PAOs

The premise is simple: 3PAOs should be held accountable for performing quality assessments and providing value to both CSPs and Federal agencies. If there are shortcomings with the existing 3PAO model, then FedRAMP should work to address the underlying issues rather than abandoning the model altogether. Whether it's an overhaul of the existing A2LA accreditation process or the introduction of an AICPA-based peer review process, we must work together to find a commonsense solution.

Schellman and our 3PAO colleagues would not just welcome constructive criticism from FedRAMP with open arms, but we would be the first to volunteer our time to develop a solution to address the shortcomings.  Some may misconstrue this message to be self-serving, but it is far more than that—the 3PAO community truly believes in FedRAMP’s mission and we work tirelessly to help CSPs and agencies protect Federal data. 

4. Smart Automation & Continuous Monitoring

We are supporters of assessment automation as we believe these capabilities provide an opportunity to significantly reduce friction in the assessment and authorization process.  That said, we need to be smart and develop a strategy for delivering secure cloud services, and then apply the necessary technology, not in reverse.  

FedRAMP improved upon the previous FISMA assessment process by requiring CSPs to show a recurring commitment to the security of Federal data through continuous monitoring.  Monthly requirements and SLAs ensure CSPs are never standing still.   The 3PAO community is eager to partner with FedRAMP when it comes to continuous monitoring and assessment automation, and we have a shared desire to be bold in how we do it, but we must also be practical when it comes to securing our nation’s most sensitive data.  While modern technology is perhaps the greatest asset the security community has in its toolbox, the human element simply cannot be ignored.  As we look at reimagining the FedRAMP assessment process, we have an amazing opportunity to combine independent third-party human intervention with automated security assessment capabilities, and we need to work together to find this balance.    

Strengthening FedRAMP’s Future Together  

The time for passive observation is over. FedRAMP is not just another compliance program; it is a cornerstone of our nation’s cybersecurity framework. If we let it falter, we risk more than inefficiency or wasted dollars; we risk exposing our government and citizens to threats that grow more sophisticated by the day.

FedRAMP is at a crossroads and we do not have the luxury of standing still. The choice is ours: move forward with innovation and accountability or watch a decade of progress erode. The 3PAO community, the CSPs, and the agencies must stand together, not just to protect FedRAMP, but to strengthen it for the future. The stakes are too high to settle for anything less. 

About Matt Hungate

Matt Hungate is a Principal with Schellman based in Richmond, VA. Matt specializes in Federal Assessments at Schellman, including compliance with standards such as FedRAMP, NIST, ITAR, and CJIS. Prior to joining Schellman in 2019, Matt worked as a Cybersecurity Consultant for a large advisory firm, where he specialized in strategy and assessment services for NIST 800-53 and FedRAMP. Matt also led and supported various other projects, including the development of an enterprise-wide cybersecurity strategy and cloud transition plan for a large federal agency. Matt has experience serving clients in both the private and public sectors, and his credentials include the CISSP, CISA, and CPA.