FedRAMP's "Program" Possibilities

September 13, 2024

One of the most exciting aspects of the updated guidance on FedRAMP coming from the Office of Management and Budget (OMB) is the authorization for the FedRAMP Director to directly sponsor Cloud Service Providers (CSPs) through the FedRAMP process. This has been labeled “Program” authorizations, and is one of many updates being made to the FedRAMP program.

As of writing this, there has been no guidance as to what criteria the FedRAMP Director will use to decide to grant a Program sponsorship. I’ve asked this question to the FedRAMP PMO and hopefully I’ll hear back soon.

This excites me the most because it provides CSPs a path to sponsorship when all other paths are closed to them. What do I mean by that? There is a class of applications that are very useful to the Government customer, or to the contractor community that supports the government, but that are not considered important enough for a federal agency to sponsor. Sponsorship takes time and resources, so federal agencies carefully choose whom to sponsor, and generally they will sponsor only one CSP in a market segment. This leaves the FedRAMP ecosystem with one, or at most a small handful, of companies per segment in what today is a very small FedRAMP marketplace.

The real impact of this is that applications I’d consider “utilities” are missing from, or nearly non-existent in, the FedRAMP Marketplace. These are applications that make your life easier, and that you’d buy if you were a federal agency, but that are not so important that you’d invest the time and resources to sponsor them. If another agency were to sponsor them, you’d jump on the bandwagon once they are in the marketplace. My favorite example is Governance, Risk Management, and Compliance (GRC) web services. While GRC tools may have limited value to a federal agency, effective use of them can make a CSP’s life much easier, especially in developing FedRAMP documentation and automating a continuous monitoring program. However, to use GRC tools this way, they too need to be FedRAMP authorized.

This problem is going to get much larger soon. As the Department of Defense (DoD) rolls out its Cybersecurity Maturity Model Certification (CMMC) program across roughly 200,000 companies, the CMMC requirement that external services be either FedRAMP authorized or meet FedRAMP equivalency requirements will drive the need for FedRAMP authorization across classes of purely commercial applications with perhaps no federal market. These third-party providers will struggle to find a sponsor, and many will likely abandon their CMMC customers rather than go through the FedRAMP equivalency process without a resulting FedRAMP authorization.

So, if I could whisper in the ear of the new FedRAMP Director (congratulations on the new gig, by the way), I’d ask them to open the doors to industry and to work as a community to figure out the criteria and process that will be used to grant these Program sponsorships. We all know that the FedRAMP PMO doesn’t have the throughput to support every interested company, but there should be clear guidance on how companies can be competitive for these coveted sponsorships.

So, I’m excited about the possibilities behind Program sponsorships. Honestly, my preference would be to do away with the sponsorship program completely, but until that happens, I am glad to see OMB and the PMO lean forward in this aspect. The OMB guidance also allows for other, yet to be defined, paths to sponsorship and I hope to see a future where finding a sponsor isn’t what kills any good company’s path to FedRAMP authorization.

John Allison
Sr. Director of Federal Advisory Services | Optiv + ClearShark
John Allison spent 24 years in the Air Force, doing systems engineering, weapons research, program management, and intelligence analysis. He retired in 2015 and started his civilian career focusing on bringing to market compliant cloud solutions including DoD and FedRAMP offerings for both large companies and small startups. Throughout his career he's been called on as the technical and compliance expert and has a passion for bridging the gap between the Government's need for solutions and innovative non-traditional companies.

About Optiv + ClearShark™

Optiv + ClearShark is a cybersecurity and IT solutions provider focused exclusively on serving the U.S. federal government. From the data center and cloud to the edge, we have decades of experience securing and modernizing federal agency data and infrastructure. Our world-class advisory and engineering team is comprised of mission-focused, results-driven subject-matter experts with deep technology and agency domain knowledge and security clearances.

Now part of Optiv, the cyber advisory and solutions leader, Optiv + ClearShark partners with federal agencies to advise, deploy and operate complete cybersecurity programs.