Ready to Grow Your Federal Business? Request a Tech Tuesday Briefing with the Optiv + ClearShark team by contacting us.
FedRAMP's "Program" Possibilities Breadcrumb Home FedRAMP's "Program" Possibilities September 24, 2024 One of the most exciting aspects of the updated guidance on FedRAMP coming from the Office of Management and Budget (OMB) is the authorization for the FedRAMP Director to directly sponsor Cloud Service Providers (CSPs) through the FedRAMP process. This has been labeled “Program” authorizations, and is one of many updates being made to the FedRAMP program. As of writing this, there has been no guidance as to what criteria the FedRAMP Director will use to decide to grant a Program sponsorship. I’ve asked this question to the FedRAMP PMO and hopefully I’ll hear back soon. This excites me the most because it provides CSP’s a path to sponsorship when all other paths are closed to them. What do I mean by that? There is a class of applications that are very useful for the Government customer or to the contractor community that supports the government that are not considered important enough for a federal agency to sponsor. Sponsorship takes time and resources, and federal agencies carefully choose who to sponsor, and generally they will only sponsor one CSP in a market segment. This leaves the FedRAMP ecosystem with one, or possibly only a small handful of companies in what today is a very small FedRAMP marketplace. The real impact to this is that missing from, or nearly non-existent in the FedRAMP Marketplace are applications I’d consider “utilities”. These are applications that make your life easier, and you’d buy if you are a federal agency, but are not so important that you’ll invest the time and resource to sponsor. If another agency was to sponsor them, you’d jump on that bandwagon once they are in the marketplace. My favorite example of these is the Governance, Risk Management, and Compliance (GRC) web services. While GRC tools may have limited value to a federal agency, effective use of them can make a CSP’s life much easier, especially in developing your FedRAMP documentation and automating your continuous monitoring program. However, to use GRC tools this way, they too need to be FedRAMP authorized. This problem is going to get much larger soon. As the Department of Defense (DoD) rolls out their Cybersecurity Maturity Model Certification (CMMC) program across roughly 200,000 companies, the CMMC requirement for external services to be either FedRAMP authorized or to meet FedRAMP equivalency requirements will drive the need for FedRAMP authorization across classes of purely commercial applications with perhaps no federal market. These third-party providers will struggle to find a sponsor, and many will likely abandon their CMMC customers versus going through the FedRAMP equivalency program without a resulting FedRAMP authorization. So, if I could whisper in the ear of the new FedRAMP Director (congratulations on the new gig by the way), I’d ask for them to open the doors to industry and to try as a community to figure out the criteria and process that will be used to grant these Program sponsorships. We all know that the FedRAMP PMO doesn’t have the throughput to support all interested companies, but there should be clear guidance for companies to be competitive for these coveted sponsorships. So, I’m excited about the possibilities behind Program sponsorships. Honestly, my preference would be to do away with the sponsorship program completely, but until that happens, I am glad to see OMB and the PMO lean forward in this aspect. The OMB guidance also allows for other, yet to be defined, paths to sponsorship and I hope to see a future where finding a sponsor isn’t what kills any good company’s path to FedRAMP authorization. By: John Allison Sr. Director of Federal Advisory Services | Optiv + ClearShark John Allison spent 24 years in the Air Force, doing systems engineering, weapons research, program management, and intelligence analysis. He retired in 2015 and started his civilian career focusing on bringing to market compliant cloud solutions including DoD and FedRAMP offerings for both large companies and small startups. Throughout his career he's been called on as the technical and compliance expert and has a passion for bridging the gap between the Government's need for solutions and innovative non-traditional companies. Follow OptivLinkedIn: www.linkedin.com/company/clearsharkFacebook: www.facebook.com/optivincYouTube: www.youtube.com/c/OptivIncBlog: www.optiv.com/explore-optiv-insights/blog About Optiv + ClearSharkTM Optiv + ClearShark is a cybersecurity and IT solutions provider focused exclusively on serving the U.S. federal government. From the data center, cloud and to the edge, we have decades of experience securing and modernizing federal agency data and infrastructure. Our world-class advisory and engineering team is comprised of mission-focused, results-driven subject-matter experts with deep technology and agency domain knowledge and security clearances. Now part of Optiv, the cyber advisory and solutions leader, Optiv + ClearShark partners with federal agencies to advise, deploy and operate complete cybersecurity programs.
About Optiv + ClearSharkTM Optiv + ClearShark is a cybersecurity and IT solutions provider focused exclusively on serving the U.S. federal government. From the data center, cloud and to the edge, we have decades of experience securing and modernizing federal agency data and infrastructure. Our world-class advisory and engineering team is comprised of mission-focused, results-driven subject-matter experts with deep technology and agency domain knowledge and security clearances. Now part of Optiv, the cyber advisory and solutions leader, Optiv + ClearShark partners with federal agencies to advise, deploy and operate complete cybersecurity programs.