The Federal Risk and Authorization Management Program (FedRAMP) Authorization Act has been signed into law as part of the FY23 National Defense Authorization Act (NDAA).
The Act codifies the FedRAMP program as the authoritative standardized approach to security assessment and authorization for cloud computing products and services that process unclassified federal information. This recognizes the work FedRAMP and its stakeholders have achieved over the last decade.
The FedRAMP team provided technical assistance in the creation of the Act and has been planning for it for several months. Here are a few things the Act enables:
- Improving the speed at which new cloud computing products and services can be authorized by implementing automation techniques.
- Continuing to enhance the ability of agencies to effectively evaluate FedRAMP-authorized cloud products for reuse.
- Continuing the public comment process for proposed guidance and other FedRAMP directives that may have a direct impact on cloud service providers and agencies before the issuance of such guidance.
- Providing more robust transparency and dialogue between industry and the federal government, with the inception of the Federal Secure Cloud Advisory Committee, to drive stronger adoption of secure cloud capabilities and reduce legacy information technology.
In FY22, FedRAMP-authorized cloud products were reused more than 4,500 times across the federal government, a 60% increase in reuse from FY21 and a 132% increase from FY20. The FedRAMP community continues to grow and includes 204 participating agencies, 280+ cloud service providers, and 40 recognized third-party assessment organizations.
FedRAMP will share additional information on how the Act may impact stakeholders in the near future, including more information on the new Federal Secure Cloud Advisory Committee.