White House releases long-awaited FedRAMP modernization guidance for agencies, cloud service providers
The White House issued final FedRAMP modernization guidance Friday as a response to cloud market changes and agency needs for more diverse mission delivery.
The final guidance, previewed by FedScoop before its official release, aims to reform the cloud security authorization program by increasing focus on several strategic goals, such as enabling FedRAMP to conduct “rigorous reviews” and requiring cloud service providers (CSPs) to quickly mitigate any security architecture weaknesses to protect federal agencies from the most “salient threats.” The Office of Management and Budget began accepting public comments on a draft version of the guidance last fall.
The memo places particular emphasis on a program to establish an automated process for intaking, using and reusing security assessments and reviews to reduce the burden on participants and speed up the implementation process for cloud solutions.
In an interview with FedScoop, Drew Myklegard, the deputy federal chief information officer, and Eric Mill, the General Services Administration’s executive director for cloud strategy, agreed that with the memo, both offices zeroed in on how best to ensure success in agency implementation.
“Us having this clear framework to operate is extremely helpful,” Mill said. The work that’s gone into the guidance shows “how we can go about this with much more confidence, credibility … and ability to execute going into this. I think that’s a blessing to the execution of this memorandum and of just this government’s and this administration’s priorities for FedRAMP.”
Following the release of the guidance, agencies will have 180 days to issue or update agency-wide policy that aligns with the memorandum’s requirements. The policy has to promote the use of cloud computing products and services that meet the program’s security and other risk-based performance requirements as determined by the Office of Management and Budget, GSA and the Cybersecurity and Infrastructure Security Agency.
Additionally, agency policies “should not assume that particular paths or sponsors of FedRAMP authorizations are unacceptable,” in accordance with the presumption of adequacy of program authorizations.
Alongside agencies, GSA has its own deadlines: 180 days to update the program’s “continuous monitoring processes and associated documentation” to reflect the memorandum’s principles; one year to produce a plan that structures FedRAMP to encourage agencies to move away from government-specific cloud infrastructure; 18 months to enable authorization and continuous monitoring through machine-readable and automated means; and 24 months to ensure that governance, risk and compliance (GRC) and system-inventory tools can “ingest and produce” artifacts using the Open Security Controls Assessment Language (OSCAL).
GSA “will explore the use of emerging technologies in various FedRAMP processes, as appropriate,” the guidance also noted.
FedRAMP is required to submit an annual plan, approved by the GSA administrator, to OMB in the second quarter of fiscal years 2025 and 2026. The plan must detail program activities, such as staffing plans and budget information, for implementing the guidance’s requirements.
“Modernizing FedRAMP is a catalyst for governmentwide digital transformation and IT modernization,” Federal CIO Clare Martorana said in a statement to FedScoop. “The enhanced program will accelerate secure cloud adoption, align our tech investments with mission needs, and free up resources for innovation to deliver faster, more efficient digital services to the public.”
In a previous interview, Myklegard said the guidance would reflect practices and improvements that have already taken effect within the program, such as the technical advisory group. These implementation requirements were originally outlined in the draft guidance and inspired “really good feedback” from the public, according to Myklegard.
Part of the feedback included comments about automation, such as adopting OSCAL, a set of machine-readable data models for control catalogs, baselines, system security plans and assessment results that NIST develops and maintains with community input, “as a way of doing digital authorizations and … exchanging them between not only [CSPs] but agencies to speed that time.”
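To make concrete what “ingesting and producing” OSCAL artifacts (the GSA tooling deadline above) and “exchanging” digital authorizations between CSPs and agencies look like in practice, the following is an added example; it is not code from FedRAMP, GSA, NIST or the memorandum. It ingests a constructed OSCAL-style component definition (the JSON layout follows the OSCAL component-definition and system-security-plan models, but the UUIDs, catalog URL, control descriptions and the required-baseline set are illustrative assumptions, not a real FedRAMP baseline), reports which baseline controls the CSP’s components do not claim, and produces the SSP control-implementation fragment an agency would reuse rather than re-author.

```python
"""Ingest an OSCAL-style component definition and reuse it in an agency SSP.

Added example, not FedRAMP, GSA or NIST code. The sample document is
constructed for this example; it follows the OSCAL JSON layout for a
component-definition, while the UUIDs, catalog URL and control text are
illustrative assumptions.
"""
import json
import uuid

# Constructed sample: a CSP claims four NIST SP 800-53 controls across two
# components. Control IDs follow OSCAL's lowercase convention (e.g. "ac-2").
SAMPLE_COMPONENT_DEFINITION = json.dumps({
    "component-definition": {
        "uuid": "2c2e8c0a-9f1b-4b7f-8f0e-3a4d1f1d9a01",
        "metadata": {
            "title": "Example CSP Component Definition",
            "last-modified": "2024-07-26T00:00:00Z",
            "version": "1.0",
            "oscal-version": "1.1.2",
        },
        "components": [
            {
                "uuid": "0d5b5f3e-1f7c-4a46-9c1e-2b3b2a9f0c11",
                "type": "service",
                "title": "Identity Service",
                "description": "Hosted identity provider with MFA",
                "control-implementations": [{
                    "uuid": "7a1c4d2e-5b6f-4e8a-9d0c-1e2f3a4b5c6d",
                    "source": "https://example.invalid/catalog.json",  # assumed URL
                    "description": "Controls satisfied by the identity service",
                    "implemented-requirements": [
                        {"uuid": "a1b2c3d4-0001-4000-8000-000000000001",
                         "control-id": "ac-2", "description": "Account lifecycle"},
                        {"uuid": "a1b2c3d4-0001-4000-8000-000000000002",
                         "control-id": "IA-2", "description": "MFA for all users"},
                    ],
                }],
            },
            {
                "uuid": "9e8d7c6b-5a4f-4e3d-8c2b-1a0f9e8d7c6b",
                "type": "service",
                "title": "Logging Service",
                "description": "Central audit log pipeline",
                "control-implementations": [{
                    "uuid": "3f2e1d0c-9b8a-4f7e-8d6c-5b4a3f2e1d0c",
                    "source": "https://example.invalid/catalog.json",  # assumed URL
                    "description": "Controls satisfied by the logging service",
                    "implemented-requirements": [
                        {"uuid": "a1b2c3d4-0002-4000-8000-000000000001",
                         "control-id": "au-2", "description": "Event logging"},
                        {"uuid": "a1b2c3d4-0002-4000-8000-000000000002",
                         "control-id": "au-6", "description": "Log review"},
                    ],
                }],
            },
        ],
    }
})

# Assumed baseline the agency needs covered; not a real FedRAMP baseline.
REQUIRED_BASELINE = {"ac-2", "au-2", "au-6", "ia-2", "sc-7"}


def load_component_definition(text: str) -> dict:
    """Parse the JSON and check it is a component-definition with an OSCAL version.
    This is a shape check only; production tooling should validate against
    NIST's published OSCAL schemas."""
    doc = json.loads(text)
    if "component-definition" not in doc:
        raise ValueError("document is not an OSCAL component-definition")
    cd = doc["component-definition"]
    if "oscal-version" not in cd.get("metadata", {}):
        raise ValueError("missing metadata.oscal-version")
    return cd


def implemented_controls(cd: dict) -> dict[str, set[str]]:
    """Map each component title to the (normalised) control IDs it claims."""
    out: dict[str, set[str]] = {}
    for comp in cd.get("components", []):
        ids = set()
        for ci in comp.get("control-implementations", []):
            for req in ci.get("implemented-requirements", []):
                ids.add(req["control-id"].lower())
        out[comp["title"]] = ids
    return out


def coverage_gaps(cd: dict, required: set[str]) -> set[str]:
    """Baseline controls no component in the definition claims to implement."""
    covered: set[str] = set()
    for ids in implemented_controls(cd).values():
        covered |= ids
    return {c.lower() for c in required} - covered


def ssp_control_implementation(cd: dict, system_id: str) -> dict:
    """Produce an OSCAL-shaped SSP control-implementation that reuses the CSP's
    claims: one implemented-requirement per control, with a by-components entry
    for every component claiming it. UUIDs are uuid5 over the system ID so the
    artifact is reproducible on regeneration."""
    ns = uuid.uuid5(uuid.NAMESPACE_URL, system_id)
    by_control: dict[str, dict] = {}
    for comp in cd.get("components", []):
        for ci in comp.get("control-implementations", []):
            for req in ci.get("implemented-requirements", []):
                cid = req["control-id"].lower()
                entry = by_control.setdefault(cid, {
                    "uuid": str(uuid.uuid5(ns, f"req:{cid}")),
                    "control-id": cid,
                    "by-components": [],
                })
                entry["by-components"].append({
                    "component-uuid": comp["uuid"],
                    "uuid": str(uuid.uuid5(ns, f"by:{cid}:{comp['uuid']}")),
                    "description": req.get("description", ""),
                })
    return {
        "description": f"Inherited from {cd['metadata']['title']}",
        "implemented-requirements": [by_control[c] for c in sorted(by_control)],
    }


if __name__ == "__main__":
    cd = load_component_definition(SAMPLE_COMPONENT_DEFINITION)
    print("gaps:", sorted(coverage_gaps(cd, REQUIRED_BASELINE)))
    print(json.dumps(ssp_control_implementation(cd, "urn:example:agency-sys"), indent=2))
```

The gap report is what a GRC tool needs before an agency reuses a CSP’s authorization package: the controls the CSP does not claim (here the assumed sc-7) are the agency’s own responsibility. Real artifacts should be validated against NIST’s OSCAL schemas rather than the shape check used here.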
Mill acknowledged that automation efforts are not new to the program, including the work that people have done for years, “various memoranda” and how the FedRAMP Authorization Act addresses the topic.
“Doing that requires significant amounts of work and a dedicated ability to run your technical leadership inside the government, with focus over a period of time with multiple people involved,” Mill said. “And that is something that we are making happen here.”
Editor’s Note: This story has been updated to reflect the White House’s public release of the guidance.