
The 2023 OMB Draft Memorandum on FedRAMP Explained: The Road to Modernization

FedRAMP | Federal Assessments

On October 27, 2023, the Office of Management and Budget (OMB) released a draft memorandum titled Modernizing the Federal Risk Authorization Management Program (FedRAMP). Savvy readers may have noticed the parallel between the 2011 and 2023 FedRAMP memorandums and the 2002 and 2014 versions of FISMA: the 2002 act was about "Management," while the 2014 act focused on "Modernization."

The same is true for FedRAMP. This latest draft memorandum recognizes FedRAMP's impact to date and the need to modernize and mature the program beyond its 2011 inception, so that it continues to serve as the bridge between the federal government and commercial technology providers, particularly in the context of the FedRAMP Authorization Act passed by Congress in December 2022.

While we cannot wait to dive more deeply into some of these areas in future articles, we’re now going to detail seven (7) takeaways and common themes we observed from this draft memorandum.

Key Takeaways from the 2023 OMB Draft Memorandum on FedRAMP

1. The program structure will include a new FedRAMP Board while the existing FedRAMP Project Management Office (PMO) has been redefined.

According to the latest draft guidance, the current Joint Authorization Board (JAB) will be replaced with the FedRAMP Board. The FedRAMP Board should not be confused with the Federal Secure Cloud Advisory Committee (FSCAC), which was established to provide recommendations to the GSA Administrator (and now the FedRAMP Board) regarding the adoption, use, authorization, monitoring, acquisition, and security of cloud computing products and services (more on FSCAC here).

Upon finalization of the guidance, the new FedRAMP Board will:

  • Be responsible for defining requirements and guidelines for FedRAMP and related authorization processes
  • Help determine any prioritization for assessments of cloud service offerings
  • Oversee agency-specific validation processes that determine whether an authorization is granted, and
  • Not participate in the authorization process itself.

Whereas the FedRAMP PMO, led by a Director, will now:

  • Be responsible for the execution of an authorization process based on the requirements set forth by the FedRAMP Board
  • Work with agency-authorizing officials
  • Make risk management decisions in the authorization process
  • Determine the baseline for acceptable risk for FedRAMP authorizations
  • Support standard continuous monitoring processes
  • Establish and implement automation tools and techniques to support the requirements outlined in the memorandum and the FedRAMP Authorization Act.

2. There is a new, significant focus on increasing the agility and flexibility of FedRAMP.

In clear response to the evolving technology landscape, this focus is underscored by several recurring points in the memo, including:

  • The discouragement of dual/parallel cloud service offerings where the FedRAMP-authorized environment is separate from the commercial deployment that supports the cloud service provider’s (CSP’s) non-federal customer base.
    • In our experience, there’s nuance here that warrants further consideration of a few common scenarios, e.g.:
      • Some CSPs support DoD missions at the IL4/IL5 baselines built upon FedRAMP Moderate and High where DoD has related data segregation and cloud deployment model requirements.
      • In other cases, the FedRAMP requirements are just too stringent and burdensome for a CSP's typical commercial customer, so the CSP creates multiple offerings that are workload- or customer-specific.
  • The suggestion to require advance notice to government officials for any security-impacting changes to cloud service offerings (CSOs), which differs from the current approach that requires explicit government approval of such changes before their implementation—something that will greatly impact the burden of the significant change request (SCR) process.
  • The reduction of the barrier to entry for CSPs who may struggle with identifying an agency sponsor, demonstrating a need for their cloud services, and other challenges in accessing a Federal customer base (expounded upon below).

3. The FedRAMP Authorization types have been updated.

Historically, FedRAMP authorizations have occurred in two ways:

  • JAB P-ATO (provisional authority to operate); or
  • FedRAMP authorization based upon at least one agency ATO.

However, the memorandum outlines the following expanded authorization types, as well as other paths forward:

FedRAMP Authorization Types:

  • Single-agency authorization: Similar to current, non-JAB FedRAMP authorization
  • Joint-agency authorization: Replaces the current JAB P-ATO and requires at least two (2) agencies to jointly authorize an offering
  • Program authorization: Entirely new and does not require an agency authorization—could also be a possible authorization path for a CSP who cannot find an agency sponsor but is committed to moving forward to authorization. (Those familiar with StateRAMP may note similarities between FedRAMP Program authorization and the StateRAMP Approvals Committee.)

* The memorandum also allows any other authorization type to be designed by the PMO and approved by the Board.

Other Paths to FedRAMP Authorization (formal FedRAMP status but not a full authorization):

  • FedRAMP Ready: Remains unchanged per the memorandum
  • Preliminary authorization: Entirely new and would allow CSPs to coordinate with agencies to pilot offerings, promote technology, and court agencies prior to the CSP pursuing full authorization for the CSO
    • Includes stipulations for limited use of the offering and length of time the preliminary authorization can remain active (12 months)

Notably, the FedRAMP Director is tasked with determining acceptable risk for a FedRAMP authorization, which may differ when compared to the acceptable risk identified by an agency for an agency authorization.

4. There will be a bigger push for automation going forward.

FedRAMP appears to be doubling, tripling, and quadrupling down on automation. That will mean OSCAL-based deliverables, of course, but the memorandum also calls for automation beyond OSCAL.

FedRAMP has long aimed to make reviews more efficient and reduce its overall documentation burden by moving toward delivery and processing of assessment and continuous monitoring artifacts in machine-readable format (primarily OSCAL). The latest memorandum continues to support that goal, but it also notably expands automation to other areas, including automated management of shared and inheritable controls in an authorization package. This is intended to streamline authorizations for offerings built on common platforms and infrastructures that themselves hold FedRAMP authorizations.

5. Other external frameworks are no longer taboo in tandem with FedRAMP.

Historically speaking, there’s been a quiet understanding of FedRAMP as the framework that "doesn't play well with others" but the latest memorandum charges FedRAMP with establishing “standards for accepting external cloud security frameworks and certifications … to include leveraging external security control assessments and evaluations in lieu of newly performed assessments, as well as designating certifications that can serve as a full FedRAMP authorization, especially for lower-risk products and services.”

This will undoubtedly be a significant undertaking, considering that one of the primary reasons FedRAMP exists is that it filled a gap not met by other frameworks, accreditations, or certifications.

That being said, while there is certainly merit to accepting other frameworks or allowing CSPs to build on related framework achievements when "leveling up" to FedRAMP, there will also be many impactful scope and applicability questions that will need to be solved.

6. Products that must obtain a FedRAMP authorization, as well as those that are exempt, have been clearly defined.

Products and Services That Must Obtain a FedRAMP Authorization

The following applies to systems processing unclassified information that are not national security systems:

  • "(1) commercially offered cloud products and services (such as Infrastructure-as-a-Service, Platform-as-a-Service, and Software-as-a-Service) that host information systems that are operated by an agency, or on behalf of an agency by a contractor or other organization; and
  • (2) cross-Government shared services operated by an agency, or by a contractor of an agency or another organization on behalf of an agency."

Products and Services That Do Not Need a FedRAMP Authorization

The following are considered out of scope:

  • "(1) cloud-based services that do not host information systems operated by an agency or contractor of an agency or another organization on behalf of an agency;
  • (2) services that are offered by a Federal agency but are not a cross-Government shared service."

7. The milestones and timelines for FedRAMP's modernization are ambitious and fast-approaching.

A few are highlighted below:

  • December 23, 2023 – The deadline for the U.S. General Services Administration (GSA) to establish a means to automate FedRAMP assessment reviews through artifacts and deliverables in machine-readable format powered by APIs that support self-service.
  • Within 90 days – GSA must submit staffing plans, budget information, timeline, and related strategy for the implementation of requirements in the memorandum for all future activities and FedRAMP Program actions, as well as for bringing any pending or legacy (existing) initiatives into compliance.
  • Within 12 months – GSA must produce a FedRAMP Board-approved plan to encourage federal agencies' use of and authorization of commercial cloud service offerings (rather than a dual offering developed specifically for federal agency use).
  • Within 18 months – The deadline for FedRAMP authorization and continuous monitoring artifacts and deliverables to be received/submitted exclusively through automated, machine-readable methods.

Keeping Pace with an Evolving FedRAMP

Though we’ve picked out these seven points as some of the more major developments for FedRAMP and those in pursuit of authorization, there are many more details in the memorandum that should be noted as well. We encourage a full read (or three full reads!) to realize the full impact of the modernization goals and actions. And of course, we should all be mindful that this memorandum is in draft status and may undergo modification before finalization.

In the meantime, OMB will be accepting public comment on the memorandum until November 27, 2023, via the Federal Register, at which point we will likely get an even clearer picture of the future of the program. Should you have any questions in the interim, please reach out to our experts who are monitoring the progress closely and are ready to alleviate any concerns you may have.

About Marci Womack

Marci Womack is a Managing Director in Schellman’s Federal Practice overseeing both the emerging CMMC assessment program and the established FedRAMP assessment program. Marci also serves as the 3PAO (third party assessment organization) representative on the Federal Secure Cloud Advisory Committee (FSCAC). Prior to joining Schellman in 2016 as a senior associate, Marci worked as a federal contractor implementing and assessing federal cybersecurity programs, as well as an FFIEC/GLBA security controls assessor and consultant. Marci has over 10 years of information security experience across various industries and holds many key certifications, including CISSP, CISA, and CEH. Marci is also experienced in other frameworks, including StateRAMP, CJIS, MARS-E, IRS 1075, and GLBA (FFIEC).