Blog

As more government agencies move sensitive data to the cloud, ensuring security and compliance is of paramount importance. As such, the FedRAMP (Federal Risk and Authorization Management Program) assessment and authorization process is a critical framework to ensure that cloud environments meet federal security standards.

Recent changes to FedRAMP® have sparked conversations about the program’s future, but one fact remains clear: FedRAMP is here to stay. Recognized as a critical program by the General Services Administration (GSA), it plays a key role in ensuring the security of cloud services used by federal agencies. That said, as the program evolves, notable changes are imminent.

Cybersecurity is no longer just a best practice—it’s a necessity, a foundational pillar of our national security. For over a decade, FedRAMP, or the Federal Risk and Authorization Management Program, has set the gold standard for securing the federal government’s cloud infrastructure, saving time, resources, and taxpayer dollars. But today, we stand at a crossroads. The challenges in front of us - bureaucratic roadblocks, inefficiencies, and budget constraints - threaten to unravel years of progress. The question is clear: Will we rise to the occasion, modernizing FedRAMP without sacrificing its integrity? Or will we allow short-term obstacles to drag us backward into an era of duplication, inconsistency, and increased vulnerability?

Given today’s continually evolving threat landscape, strengthening access controls is an essential element and growing priority of any robust security program. As such, it’s no surprise multi-factor authentication (MFA) has become a widely adopted compliance requirement by a significant number of security standards across industries. That said, it can be difficult to understand the intricacies of the MFA regulations for each compliance framework.

Since the beginning of 2024, FedRAMP Revision 5 has mandated that organizations not only perform traditional penetration tests, but also undergo comprehensive red team engagements. This new requirement reflects a broader emphasis on assessing not just technical vulnerabilities, but also the effectiveness of an organization’s overall security posture, including it’s response to sophisticated and realistic threats. Over the past year, we’ve conducted many red team exercises, each tailored to different organizational environments and threat landscapes. These engagements have varied significantly in scope and complexity, offering us a wealth of insights into both our successes and the challenges we’ve faced.

Looking back, December 2023 was a big month for the Department of Defense (DoD). Not only did they release the 32 CFR Part 170 - Cybersecurity Maturity Model Certification (CMMC) Proposed Rule, but they also published a memorandum titled Federal Risk and Authorization Management Program (FedRAMP) Moderate Equivalency for Cloud Service Provider’s (CSP) Cloud Service Offerings (CSOs). The latter, in a huge development, clarified requirements for CSOs that are currently (or will be) storing, processing, or transmitting Covered Defense Information (CDI)—more commonly referred to as Controlled Unclassified Information (CUI)—although there are some nuances that must be understood.

On October 27, 2023, the Office of Management and Budget (OMB) released a draft memorandum titled Modernizing the Federal Risk Authorization Management Program (FedRAMP). Savvy readers may have noticed the parallelism of the 2011 and 2023 FedRAMP memorandums to those for FISMA in 2002 and FISMA 2014—for FISMA, the latter memo focused on "Modernization" in comparison with the former one regarding "Management."

To become FedRAMP authorized, you must pass the initial, rigorous FedRAMP assessment. But in the following years, you’ll also need to complete Annual Assessments performed by a third-party assessment organization (3PAO) if you’re interested in maintaining that compliance.