OMB is requesting public comment on a new draft memorandum to strengthen and enhance the Federal Risk and Authorization Management Program (FedRAMP).
Historically, the Federal Government has spent significant resources on physical data centers, missing out on the flexibility, security and performance of commercial cloud infrastructure. In 2011, OMB created FedRAMP to address these issues, and since then FedRAMP has served as a process for evaluating the security of commercial cloud services that helps agencies safely incorporate these products into their work and better focus their resources.
FedRAMP has worked well for that purpose, but the FedRAMP framework was built for a smaller job at a simpler time, and today’s cloud challenges are different. In the last decade, the security environment has become more complex, and the diversity of cloud services has grown dramatically. There are now many thousands of cloud-based services that Federal agencies could use to serve the American people, including tools for enterprise collaboration, product development, and improving an enterprise’s own cybersecurity. While there are currently 318 authorized services in the FedRAMP Marketplace, the tools that agencies need to deliver on their missions are not always included there.
To help FedRAMP adapt to the new cloud environment, today OMB is releasing draft FedRAMP guidance for public comment. The proposed guidance, which would replace previous guidance[1] that established the FedRAMP Program more than 10 years ago, sets out a plan to scale FedRAMP, strengthen its approach to security review, and accelerate the secure adoption of cloud products and services in the Federal Government. Development of the draft guidance is a key milestone in a broader effort to strengthen the FedRAMP program, building on the Administration’s recent efforts in partnering with Congress to pass the FedRAMP Authorization Act in 2022 and establishing the Federal Secure Cloud Advisory Committee. FedRAMP provides significant value to Federal agencies and industry and must keep pace with the evolving cloud marketplace so that agencies can take advantage of the full breadth of cloud-based products and services. This will result in a reduced technology footprint for agencies to manage and more efficient and accessible government services for the American public.
OMB has previously engaged with FedRAMP stakeholders, including the Federal Secure Cloud Advisory Committee (FSCAC), during the development of the draft guidance and looks forward to getting further input from the public comment process.
“In order to design policy that works, it’s critical that we engage stakeholders,” said Clare Martorana, Federal Chief Information Officer. “We are taking a human-centered policy design approach and soliciting input to learn about how government and industry experience the FedRAMP process and how we could evolve the program to increase its use and drive greater impact.”
The proposed guidance would define the scope of cloud products subject to FedRAMP, set requirements for agencies to use FedRAMP-authorized services, outline the responsibilities of the FedRAMP Board and the FedRAMP Program Management Office (PMO), and promote a transparent and consistent process for the issuance of security authorizations for cloud services.
“The draft FedRAMP guidance builds on the Administration’s priorities and principles outlined in Executive Order 14028, Improving the Nation’s Cybersecurity and the President’s National Cybersecurity Strategy,” said Chris DeRusha, Federal Chief Information Security Officer and Deputy National Cyber Director for Federal Cybersecurity. “This White House is committed to modernizing and strengthening government’s cybersecurity practices and posture.”
Key areas of the draft guidance address how the FedRAMP Program would:
- Become more responsive to the risk profiles of individual services, as well as evolving risks throughout the cyber environment.
- Increase the quantity of products and services receiving FedRAMP authorizations by bringing agencies together to evaluate the security of cloud offerings and strongly incentivizing reuse of one FedRAMP authorization by multiple agencies.
- Streamline the authorization process by automating appropriate portions of security evaluations, consistent with industry best practices.
- Improve sharing of information with the private sector, including about emerging threats and best practices.
“FedRAMP was created to safeguard the cloud services relied upon by the Federal Government and to enable us to better deliver critical public services,” said Kemba Walden, Acting National Cyber Director. “This Administration has been clear through both Executive Order 14028 and the National Cybersecurity Strategy that the Federal Government must lead the way in improving the nation’s cybersecurity posture. Over the next 30 days, we welcome feedback on how we can improve this vital program and drive better cybersecurity and innovation across the Federal Government.”
OMB is soliciting public comment on the draft guidance until November 27, 2023. To submit a public comment, visit https://www.regulations.gov/document/OMB-2023-0021-0001