Office of Management and Budget (OMB) Memo on FedRAMP (OMB-2023-0021)

Date: Nov 1, 2023

As anticipated, and in light of the passing of the FedRAMP Authorization Act in 2022, the Office of Management and Budget (OMB) has released a draft FedRAMP overhaul memo to supersede the original FedRAMP memo from December 8, 2011. The OMB released this draft memorandum for Modernizing the Federal Risk and Authorization Management Program (FedRAMP) on Friday, October 27, 2023. The memo is in a 30-day comment period until November 27, 2023. More information from OMB can be found here.

Summary of the Memo

The current memorandum has minimal direct impact on systems which currently hold FedRAMP authorizations. Most of the associated changes relate to actions the FedRAMP PMO has authority to take, and to defining who governs the PMO when it takes action. A few notable things can be inferred from the memo: the Cybersecurity and Infrastructure Security Agency (CISA) will have increased direct involvement in vulnerability and active threat management, Continuous Monitoring will change, and automation and DevSecOps are emphasized. This article provides an overview of the memo and its key takeaways.

The direct impact on CSPs will depend on what the PMO decides to do with the new authority granted to it in the memorandum. The main areas of change per this memo are:

  1. Types of Authorization
  2. Automation and Efficiency
  3. Continuous Monitoring and DevSecOps
  4. Roles and Responsibilities (GSA, FedRAMP Board, Technical Advisory Group, Agencies, Department of Commerce)
  5. Implementation and Timeline

Types of Authorization

  • FedRAMP will now have multiple types of authorizations:
    • Single Agency Authorization – One Agency AO approves. The FedRAMP Director must “ensure that the authorization can reasonably support reuse.”
    • Joint-Agency Authorization – Two or more Agency AOs approve. Agencies with similar risk tolerance will work together to identify cloud products that they all require. The FedRAMP Director must “ensure that the authorization can reasonably support reuse.” JAB P-ATOs will be automatically placed in this category.
    • Program Authorization – The FedRAMP Director is the AO.
    • Other Authorizations – This gives the FedRAMP Director the authority to create additional types of authorizations.
  • GSA will have more discretion in prioritizing FedRAMP authorizations, based on criteria established by the FedRAMP Board and the CIO Council.

Automation and Efficiency

  • GSA will create an automated review process for ATO packages.
  • Inherited controls (e.g. from AWS or Azure) will be analyzed, and the PMO will determine which controls can be inherited.
  • Evidence collection will be automated.
  • Assessment evidence should be provided in a machine-readable format.
  • A list of potential external security compliance frameworks that can be used in lieu of a FedRAMP assessment will be created.

Continuous Monitoring and DevSecOps

  • CISA will be updating threat baselines. This will likely result in more PMO directives related to security alerting, audit logs and baseline configuration changes.
  • The FedRAMP PMO/Board and CISA must establish a framework for increased system agility and automation, with a focus on Agile development processes and less red tape for system changes. The memo moves away from separate standard commercial and government clouds for a product; instead, the product is marketed as a single system that is FedRAMP authorized (e.g. AWS East/West).
  • The FedRAMP PMO will issue directives from CISA for vulnerability remediation.
  • CSPs will be encouraged to support automation and DevSecOps practices within the cloud ecosystem.
  • CSPs will need to provide advance notice of upcoming security-relevant changes to the FedRAMP-authorized cloud product or service, without requiring advance approval from the Government.
  • The memo establishes expectations of authorized CSPs regarding incident response procedures, communication, reporting timelines and other processes.
  • Additional incident response (IR) requirements, specifically communication and reporting timelines, will help ensure the Government is protected from potential attacks on cloud-based infrastructure.

Roles and responsibilities

In order to definitively address many of the critical directives of this policy and applicable statutes, the memo details the roles and responsibilities of FedRAMP stakeholders, including GSA, the FedRAMP Board, the FedRAMP Technical Advisory Group, NIST, DHS, and Federal agencies. Notably, the memo indicates that OMB will establish a seven-member board with members from GSA, DHS, and DOD. OMB will also form a Technical Advisory Group with up to six technical SMEs.

Other Notable Points from the Memo

SaaS Providers

The memo signals to the industry an encouragement and focus on SaaS providers participating in the FedRAMP program. OMB will focus on enabling a bigger software as a service (SaaS) marketplace. It recognizes that an agency might leverage only a few IaaS and PaaS offerings while using hundreds of different SaaS offerings. This is a very welcome development, as there are fewer than 300 FedRAMP-authorized SaaS offerings in the marketplace, whereas the commercial market is estimated to have over 15,000 SaaS offerings.

Automation Everywhere

As part of a technology-forward program optimized for efficiency and consistency, FedRAMP processes should be automated wherever possible. GSA must establish a means of automating FedRAMP security assessments and reviews by December 23, 2023. This will push the program in the direction of automating control implementation, continuous monitoring, evidence collection and assessment reviews.

FedRAMP Architectural Issues

The memo strongly discourages separate instances for commercial and government environments or applications in the cloud. This may affect boundary planning and the related cost implications for CSPs who are in the early stages of planning a FedRAMP authorization.

Agency Continuous Monitoring Support

The FedRAMP PMO will now provide a standard level of continuous monitoring support to authorizing agencies. The FedRAMP PMO will analyze and identify the highest-impact controls for ensuring the security of FedRAMP products. The PMO will provide recommendations for the supported monitoring levels to the FedRAMP Board for review, feedback, and concurrence. When finalized, the FedRAMP PMO will provide the supported monitoring to all agency customers of authorized FedRAMP products and services. Historically, some smaller agencies have been reluctant to sponsor a CSP because of the rigorous continuous monitoring requirements and agency involvement. This assistance from the PMO may enable more CSPs to enter the Federal marketplace, as agencies will be able to augment their staff.

Major Changes to the JAB Authorization Path

With the proposed changes, all JAB P-ATOs in effect at the time of the issuance of this memorandum will be automatically designated as joint-agency FedRAMP authorizations. A joint-agency authorization, or ATO, is signed by the authorizing officials from two or more federal agencies. It indicates that these agencies have assessed a cloud service’s security posture and deemed it acceptable. In other words, the JAB is no longer limited to DOD, GSA, and DHS. A group of agencies with similar needs will be able to pool resources and achieve consensus on an acceptable risk posture for use of the cloud product or service.

Wider Inclusion of Small and/or Disadvantaged Business

OMB has requested that FedRAMP further explore the FedRAMP Ready program to help on-ramp additional small or disadvantaged businesses who may provide “novel and important capabilities”, but could face challenges in accessing the Federal marketplace. Similarly, to support a robust marketplace, agencies may in some circumstances require a FedRAMP authorization as a condition of contract award, but only if there are an adequate number of vendors to allow for effective competition, or an exception to legal competition requirements applies.

Implementation and Timeline

The memo outlines the following timeline for implementation:

Within 90 days of the publication of the memo dated October 27, 2023

  • OMB will appoint an initial slate of members of the FedRAMP Board. The Board must, once constituted, approve a charter.
  • GSA will submit a plan, approved by the GSA Administrator, to OMB, detailing program activities, including staffing plans and budget information, for implementing the requirements in this memorandum. The plan will include a timeline and strategy to bring any pending authorizations or existing FedRAMP initiatives into conformance with the Authorization Act and this memorandum.

Within 180 days of the publication of the memo dated October 27, 2023

  • Each agency must issue or update agency-wide policy that aligns with the requirements of this memorandum. This agency policy must promote the use of cloud computing products and services that meet FedRAMP security requirements and other risk-based performance requirements as determined by OMB, in consultation with GSA and CISA.
  • GSA will update FedRAMP’s continuous monitoring processes and associated documentation to reflect the principles in this memorandum.

Within 365 days of the publication of the memo dated October 27, 2023

  • GSA will produce a plan, approved by the FedRAMP Board and developed in consultation with industry and potentially impacted cloud providers, to structure FedRAMP to encourage the transition of Federal agencies away from the use of government-specific cloud infrastructure.

Within 18 months of the publication of the memo dated October 27, 2023

  • GSA will continue to build on the FedRAMP Authorization Act’s requirement of establishing a means for the automation of security assessments and reviews so as to receive FedRAMP authorization and continuous monitoring artifacts exclusively through automated, machine-readable means.

Earthling Security’s Leadership in the FedRAMP Program

The Earthling Security Team is excited about the evolution and modernization of the FedRAMP initiative. Our team will continue to innovate and address the concerns of the industry so as to stay ahead of FedRAMP’s changing requirements in light of evolving technologies. As one of the first accredited FedRAMP 3PAOs, Earthling has been observing, commenting on and addressing the challenges of cloud security and compliance in an ever-changing industry landscape.

Melissa Romero