Big Changes to FedRAMP Coming

September 13, 2024

Today, the Office of Management and Budget (OMB) released a much-anticipated update to the FedRAMP program. While much of the new guidance was seen previously in draft form, it is now official. Overall, many of these changes are significant improvements to the FedRAMP program, for both cloud service providers and federal customers.

You can find this new guidance under OMB M-24-15 here: Modernizing the Federal Risk and Authorization Management Program (FedRAMP) (whitehouse.gov)

Here are some of the highlights from the new guidance:

Limiting the scope of FedRAMP – The memo explicitly reduces the scope of applications that must be FedRAMP authorized.

Presumption of Adequacy – The memo now formalizes that federal agencies must presume that if a cloud service provider has a FedRAMP authorization at the correct impact level, that authorization is sufficient.

Introducing “Program Authorizations” – The FedRAMP PMO Director now has the authority to sponsor. Given how difficult it is for most companies to find a sponsor, this is a radical improvement. The big unknown remains what criteria the Director will use, so we’ll see.

Introducing “Preliminary Authorizations” – This introduces the provisional ATO to the federal civilian space, and allows CSPs to hold a temporary FedRAMP authorization to support product trials for up to a year.

Automation and AI – The FedRAMP PMO is moving towards a fully automated process to receive the security documentation, and is looking at AI to help accelerate the review process.

Making change easier – OMB is asking the FedRAMP PMO and other stakeholders to develop a framework that will allow CSPs to make rapid changes. This is a must if FedRAMP is going to keep up with modern software delivery; until now, rapid change was often blocked by the existing significant change process.

We will know more in 180 days – OMB is requiring federal agencies to issue updates to agency-wide policies that align with the new guidance. At that point, we should have actionable insight into how these changes will be implemented across the federal government.

While this has been in the works for quite some time, it is great to finally see the formal OMB memo released. Anything that makes it easier to become FedRAMP authorized while maintaining the appropriate level of cybersecurity is welcome.

John Allison
Sr. Director of Federal Advisory Services | Optiv + ClearShark
John Allison spent 24 years in the Air Force, doing systems engineering, weapons research, program management, and intelligence analysis. He retired in 2015 and started his civilian career focusing on bringing to market compliant cloud solutions including DoD and FedRAMP offerings for both large companies and small startups. Throughout his career he's been called on as the technical and compliance expert and has a passion for bridging the gap between the Government's need for solutions and innovative non-traditional companies.

About Optiv + ClearShark™

Optiv + ClearShark is a cybersecurity and IT solutions provider focused exclusively on serving the U.S. federal government. From the data center to the cloud and the edge, we have decades of experience securing and modernizing federal agency data and infrastructure. Our world-class advisory and engineering team is comprised of mission-focused, results-driven subject-matter experts with deep technology and agency domain knowledge and security clearances.

Now part of Optiv, the cyber advisory and solutions leader, Optiv + ClearShark partners with federal agencies to advise, deploy and operate complete cybersecurity programs.