The Federal Risk and Authorization Management Program, or FedRAMP, was intended and implemented in 2011 to minimize cybersecurity risk for federal agencies moving to the cloud. Throughout its existence, FedRAMP’s primary emphasis has been security and protection of federal information and it has assisted in the acceleration of agencies’ adoption of secure cloud solutions. As threats are continually evolving, FedRAMP guidelines are updated to include the necessary safeguards and comprehensive solutions. So far, 2023 has seen two major milestones in FedRAMP’s operation. In January of this year, the Authorization Act was signed into law and on May 30, 2023, the most recent FedRAMP baselines were released. This article will look at both items and examine their impacts on cloud service providers, both now and in the foreseeable future.
FedRAMP is made up of the Joint Authorization Board (JAB) and the Program Management Office (PMO). JAB members include the chief information officers (CIOs) from the Department of Defense, Department of Homeland Security, and General Services Administration. The JAB is FedRAMP’s first-line governance and decision-making body.
This body determined that the Rev. 5 transition strategy would be effective May 30, 2023, and resources have been made available through the FedRAMP website to guide cloud service providers through the process.
The requirements and timeline for CSPs to transition to the FedRAMP Rev. 5 baseline and templates depend on the CSP’s current FedRAMP authorization phase.
Detailed information is provided, including a detailed outline of tasks, methodology for managing risks of inherited controls, testing, and FAQs.
As reported in the Transition Guide, specific tasks required throughout the transition process are as follows:
- Develop schedule
- Update documentation to Rev. 5 templates
- Determine scope of assessment
- Complete security assessment
- Complete plan of action and milestones (POA&M)
FedRAMP’s resources can be accessed via the following links or by visiting https://www.fedramp.gov.
Rev. 5 Baseline Transition Guide: https://www.fedramp.gov/assets/resources/documents/FedRAMP_Baselines_Rev5_Transition_Guide.pdf
Control selection workbook: https://www.fedramp.gov/documents-templates/
FedRAMP 5 test cases: https://www.fedramp.gov/documents-templates/
Given the complexity of the transition to Rev. 5, we recommend reviewing the above documents. Know that Carter Group is postured to provide any additional assistance your organization may need throughout the duration of the transition.
FedRAMP Authorization Act
Prior to the announcement of the Rev. 5 transition strategy, the FedRAMP Authorization Act was signed into law in January of this year, as part of the FY23 National Defense Authorization Act (NDAA) (Section 5921, p. 1055). As a result, the program is now systematized as the standardized, authoritative security assessment and authorization for cloud computing products and services processing unclassified federal information. Here’s what the authorization means going forward:
Because of the numerous usage data, reports, and metrics that will be generated, we can expect a greater emphasis on quantifying cost savings for agencies using cloud services. One focus will be driving down compliance costs that will enable greater small business participation. The Act will provide greater transparency, potential funding, and host ongoing debate on using secure commercial cloud services for improving both security and the customer experience. Commercial CSPs (small businesses included) will have ongoing input in the evolution of the FedRAMP program.
Ross Nodurft, Executive Director, Alliance for Digital Innovation (ADI), has described the legislation this way: “The passage of the FedRAMP legislation will kick start a much-needed update to the program. The leadership at the FedRAMP program management office and GSA’s Technology Transformation Service have done a good job of streamlining the program and making it more customer focused with the limited resources that it has available. However, the needs of agencies that are moving to the cloud and the volume of cloud-based services and software are creating a demand that the current FedRAMP program cannot meet given its resources and policy parameters. This legislation enables OMB and GSA to reimagine a FedRAMP process as well as the marketplace that gives agencies access to modern, cloud-based services while maintaining a high security standard. Coupled with the additional funding in the FY2023 Omnibus bill, this new authorization language will allow the program to evolve and transform to meet the ever-expanding modernization needs of our agency enterprises.”
The FedRAMP team is expecting:
- Improved speed at which new cloud computing products and services can be authorized by implementing automation techniques.
- Continuing to enhance agencies’ ability to effectively evaluate FedRAMP authorized cloud products for reuse.
- Continuance of the public comment process for proposed guidance and other FedRAMP directives that may have a direct impact on cloud service providers and agencies before the issuance of such guidance.
- More robust transparency and dialogue between industry and the federal government to drive stronger adoption of secure cloud capabilities and reduce legacy information technology with the inception of the Federal Secure Cloud Advisory Committee.
Carter Group uses and follows FedRAMP for all our government clients to ensure the highest quality cloud services. We also help commercial clients achieve FedRAMP compliance in their pursuit of doing business with the federal government. We realize that this year’s changes have significant implications for organizations seeking to achieve compliance. For assistance navigating the Rev. 5 Baselines or to learn more about how the FedRAMP authorization will specifically impact your organization, please contact us!