Updates to the Cloud Procurement Program focus on new cybersecurity priorities and emerging technology across the federal government.
A new memorandum from the Office of Management and Budget (OMB) updating the Federal Risk and Authorization Management Program (FedRAMP) addresses new priorities stemming from evolving cybersecurity threats and emerging technologies affecting the cloud market, according to federal officials.
“The OMB guidance is a restructuring of FedRAMP to address the changes that have happened around us over the last 10 years,” Eric Mill, GSA’s executive director of cloud strategy, said at an event last month. “You have to restructure what you do when the approach you’ve taken isn’t working the same way.”
Specifically, the memo directs GSA to update FedRAMP's ongoing monitoring processes and associated documentation and create more automation for security assessments and reviews.
It also creates new paths to FedRAMP authorization, though how the changes will affect cloud providers remains unclear.
“We’re looking to work with about 20 cloud providers over the course of the year,” Mill said. “That’s really become a mantra for us, to look for places where we can get speed and security at the same time, and there are a lot of places where we can do that.”
A New Era for FedRAMP
The OMB memo follows and enhances a roadmap released by the General Services Administration in March that outlined goals to guide the program around improving the customer experience, positioning the program as a leader in cybersecurity, incorporating more emerging technology, and expanding the FedRAMP market.
The guidance identifies new pathways for FedRAMP program approvals through agency approvals, program authorizations, and alternate pathways that will be approved by the Office of Management and Budget and the National Institute of Standards and Technology. The FedRAMP Program Manager will be responsible for ensuring that agency approvals meet all requirements.
Mill said the agency is in the final stages of hiring a FedRAMP program manager, and overall, GSA has been working to hire more cybersecurity professionals within the FedRAMP program.
“We are working to bring a lot of people into the program with strong backgrounds in technology, data science and machine learning, to build our automation infrastructure and help us get better insights from the security data we collect,” Mill said.
The guidance provides a better understanding of why the federal government needs the software, added Drew Myklegard, deputy director of federal information technology.
“It’s very difficult to understand from the outside. People don’t realize how much value there is in a program like this,” Myklegard said. “I think the legislation helps, and the outreach from GSA and the work that almost all agencies are doing to promote FedRAMP helps people understand how companies and agencies can take on this challenge and benefit from it.”
Myklegard also noted that the directives will restructure the FedRAMP Board by giving it increased responsibilities. He said the board will focus on strategy, metrics, and helping to set future roadmaps for the program. The board will also be tasked with creating and updating requirements and guidelines for NIST-compliant security certifications for cloud products and services.
“We want software companies to be there and say, ‘I understand the NIST standards, I understand the controls they’re looking for and how to meet them,’ because that’s what moves everything forward,” Myklegard said.
Next Steps for FedRAMP
The memorandum instructs agencies to update agency-wide policies regarding the FedRAMP program and promote the use of FedRAMP-compliant cloud computing products and services.
GSA will update FedRAMP processes and documentation to reflect the memorandum. GSA will also have one year to create a plan to encourage agencies to move away from government-owned cloud infrastructure with FedRAMP Council approval and input from industry partners.
The memorandum includes a plan for the General Services Administration to automate security assessments and reviews. Within 18 months, the agency is to work to receive FedRAMP artifacts through automated, machine-readable methods.
“Cloud providers need to know the process of creating OSCAL-based digital authorization packages, and agencies need the right tools to accommodate these authorization packages,” a GSA spokesperson said. “Automate.fedramp.gov is a hub for all the documentation that supports cloud providers throughout this process and supports developers of tools that help create and use digital authorization packages. The site is open source, so anyone, including agencies and cloud providers, can provide feedback or open pull requests to improve the contents of the site.”
FedRAMP also said this week it is accepting public comments through Aug. 29 on proposed metrics to measure the overall experience.
“The feedback will be used to focus on and improve the current set of measures that will keep FedRAMP focused on security and customer experience. The metrics are designed to capture the experiences of different customers and partners, as well as FedRAMP’s performance,” a GSA spokesperson told GovCIO Media & Research.