Office of Management and Budget (OMB) Memo on FedRAMP (OMB-2023-0021)
Date: Nov 1, 2023
As anticipated and in light of the passing of the FedRAMP Authorization Act in 2022, the Office of Management and Budget (OMB) has released a draft FedRAMP overhaul memo to supersede the original FedRAMP Memo from December 8, 2011. The OMB released this draft memorandum for Modernizing the Federal Risk and Authorization Management Program (FedRAMP) on Friday, October 27th 2023. This memo is in a 30-day comment period until November 27th, 2023. More information from OMB can be found here.
Links to Memo and Related Information
Summary of the Memo
The current memorandum has minimal direct impact to systems which currently hold FedRAMP authorizations. Most of the associated changes are related to actions the FedRAMP PMO has authority to take, as well as defining who governs the PMO to take action. There are a few notable things that can be assumed from the memo such as the Cybersecurity and Infrastructure Security Agency (CISA) has increased direct involvement in regards to vulnerability and active threat management, change in Continuous Monitoring and the emphasis on automation and DevSecOps. This article will provide an overview of and the key take-aways from the memo.
The direct impact on CSPs will be what the PMO decides to do with their new authority granted in the memorandum. The main areas of change per this memo will be related to:
Types of Authorization
Automation and Efficiency
Continuous Monitoring and DevSecOps
Roles and responsibilities
In order to definitively address the many of the critical directives of this policy and applicable statutes, the memo details the roles and responsibilities of FedRAMP stakeholders including GSA, the FedRAMP Board, the FedRAMP Technical Advisory Group, NIST, DHS, and Federal agencies. Notably, the memo indicates that the OMB will establish a seven member board with members from GSA, DHS, and DOD. OMB will also form a Technical Advisory Group with up to six technical SME’s.
Other Notable Points from the Memo
The memo signals to the industry an encouragement and focus on SaaS providers to participate in the FedRAMP program. OMB will focus on enabling a bigger software as a service (SaaS) marketplace. It recognizes that an agency might leverage only a few IaaS and PaaS offerings while using hundreds of different SaaS offerings. This is a very welcomed development as there are less than 300 FedRAMP authorized SaaS offerings in the marketplace. Whereas the commercial market is estimated to have over 15,000 SaaS offerings.
As part of a technology-forward program optimized for efficiency and consistency, FedRAMP processes should be automated wherever possible. The GSA must establish a means of automating FedRAMP security assessments and reviews by December 23, 2023. This will push the program in the direction of automating control implementation, continuous monitoring, evidence collection and assessment reviews.
FedRAMP Architectural Issues
The memo strongly discourages separate instances for commercial and government environments or applications in the cloud. This may potentially impact planning boundary and related cost implications for CSPs who are in the early stages of planning FedRAMP authorization.
Agency Continuous Monitoring Support
The FedRAMP PMO will now provide a standard level of continuous monitoring support to authorizing agencies. The FedRAMP PMO will analyze and identify the highest-impact controls for ensuring security of FedRAMP products. The PMO will provide recommendations for the supported monitoring levels to the FedRAMP Board for review, feedback, and concurrence. When finalized, FedRAMP PMO will provide the supported monitoring to all agency customers of authorized FedRAMP products and services. Historically, some smaller agencies have been reluctant to sponsor a CSP because of the rigorous continuous monitoring requirements and agency involvement. This assistance from the PMO may enable more CSPs entrance into the Federal marketplace as Agencies will be able to augment their staff.
Major Changes to the JAB Authorization Path
With the proposed changes, all JAB P-ATOs at the time of the issuance of this memorandum will be automatically designated as joint-agency FedRAMP authorizations. A joint-agency authorization, or ATO, is signed by the authorizing officials from two or more federal agencies. It indicates that these agencies have assessed a cloud service’s security posture and deemed it acceptable. In other words, the JAB is no longer limited to the DOD, GSA, and DHS. A group of agencies with similar needs will be able to pool resources and achieve consensus on an acceptable risk posture for use of the cloud product or service.
Wider Inclusion of Small and/or Disadvantaged Business
OMB has requested that FedRAMP further explore the FedRAMP Ready program to help on-ramp additional small or disadvantaged businesses who may provide “novel and important capabilities”, but could face challenges in accessing the Federal marketplace. Similarly, to support a robust marketplace, agencies may in some circumstances require a FedRAMP authorization as a condition of contract award, but only if there are an adequate number of vendors to allow for effective competition, or an exception to legal competition requirements applies.
Implementation and Timeline
The memo outlines the following timeline for implementation:
Within 90 days of the publication of the memo dated October 27th 2023
Within 180 days of the publication of the memo dated October 27th 2023
Within 365 days of the publication of the memo dated October 27th 2023
Within 18 months of the publication of the memo dated October 27th 2023
Earthling Security’s Leadership in the FedRAMP Program
The Earthling Security Team is excited about the evolution and modernization of the FedRAMP initiative. Our team will continue to innovate and address concerns of the industry to be ahead of FedRAMP’s changing requirements in lieu of evolving technologies. As one of the first accredited FedRAMP 3PAOs, Earthling has been observing, commenting and addressing the challenges of cloud security and compliance in an ever-changing industry landscape.