
How does codification change the FedRAMP program?
After repeated attempts to pass the bill through Congress, President Biden signed the FedRAMP Authorization Act on December 23, 2022, officially codifying the Federal Risk and Authorization Management Program (FedRAMP). As part of the Federal Cloud Computing Strategy, FedRAMP plays a key role in assessing and procuring cloud products in the public sector.
Although it authorized just 20 cloud service offerings in its first four years, the FedRAMP program is quickly gaining momentum. According to Meritalk, the initiative has authorized nearly 300 cloud products that the federal government has reused more than 4,000 times.
However, there’s still plenty of room for improvement. Having celebrated its 12th birthday this past December, the FedRAMP process has finally undergone some fine-tuning.
What is the bill all about? What does it aim to accomplish? And, most importantly, what does this mean for the future of FedRAMP compliance? In this guide, we’ll answer these questions and explore the FedRAMP Authorization Act’s implications.
What is the FedRAMP Authorization Act?
Before diving into the nuances of the bill itself, let’s draw a line between where FedRAMP was and where it may be headed.
FedRAMP revisited
As the promise of cloud computing took the world by storm in the early 2000s, nearly every federal agency in the United States was eager to claim its piece of the pie.
However, before a government agency could take advantage of cloud technology, it would first need to ensure that security controls and data processing procedures were up to par. After all, independent software vendors (ISVs) that work with the federal government are accountable for treasure troves of sensitive and highly confidential information.
To make matters worse, increasingly sophisticated cybercriminals began targeting government data. Whether through state-sponsored attacks or “lone wolf” hackers, federal agency clouds were — and still are — under constant threat.
Before FedRAMP, each government agency had to use a patchwork of varying security requirements for cloud service offerings. This created inefficiencies and vulnerabilities that ultimately made cloud computing more expensive and less secure. Likewise, it hindered the pace of federal cloud adoption.
Thus, the FedRAMP program was born. Since 2011, the initiative has mandated that all federal agencies procure secure cloud solutions that have been vetted through a standardized security assessment and authorization process.
The FedRAMP requirements are designed to ensure that ISVs consistently implement security controls through a system of continuous monitoring and regular testing. The process provides government agencies and ISVs alike the assurance that one of the most rigorous cloud security frameworks has verified their cloud products.
The FedRAMP Authorization Act of 2022
Despite gaining steam over the years, FedRAMP compliance remains a lofty endeavor for any organization. Attempts to streamline the FedRAMP process have largely been unsuccessful.
The U.S. House of Representatives voted on September 29, 2022, to approve legislation designed to codify the FedRAMP program into law. Codification makes the initiative legally binding, which provides it with more predictable funding moving forward. The bill, known as the FedRAMP Authorization Act, is an updated version of legislation that passed the House in early 2021.
This was the latest in numerous attempts to modernize the decade-old program, and the furthest a bill of this type had ever gotten through Congress. Finally, President Biden signed the bill into law in late December 2022. The legislation aims to improve the FedRAMP authorization process and address many of the concerns held by industry stakeholders, including ISVs and government officials.
Their concerns largely involve the difficulty in acquiring security authorization packages and implementing FedRAMP guidelines. All in all, the act addresses the following issues:
- Complexity: The FedRAMP authorization process isn’t easy. As a highly stringent framework, the initiative requires hundreds of security controls, not to mention continuous monitoring, regular testing and working with a federal agency partner.
- Ensuring cybersecurity: Despite being mandated at the federal level, many agencies continue using cloud products that aren’t FedRAMP compliant, according to the Government Accountability Office. The GAO claims that FedRAMP requirements and guidelines on implementing control activities are not always clear, which hinders agencies’ ability to practice them effectively.
- Shared responsibility: Cloud service offerings are normally delivered using a shared responsibility model, meaning that both the ISV and government agency are responsible for protecting data within the cloud system. Confusion around which controls fall onto either party may lead to vulnerabilities that compromise cloud data and FedRAMP compliance.
- Duplicative efforts: According to FedRAMP itself, duplicative work is one of the most significant challenges facing the program. Unfortunately, the Joint Authorization Board and FedRAMP Program Management Office (PMO) frequently perform redundant reviews. This not only wastes government resources, but also delays the already cumbersome security assessment process.
- Lack of visibility: Vendors and agencies have expressed frustration with their lack of insight into the status of security authorization packages. Currently, vendors don’t have a clear line of sight to see where their applications are in the pipeline or how soon they might become FedRAMP authorized.
How does the bill affect compliance?
The good news is that the FedRAMP Authorization Act isn’t going to reinvent the wheel. It merely aims to make security assessment and continuous monitoring easier for the agencies and ISVs who need to worry about FedRAMP compliance.
According to Rep. Gerald E. Connolly, who introduced the bill, the Act will:
- Reduce duplicated security assessments and break down other barriers to cloud adoption by establishing a “presumption of adequacy” for cloud products that have received FedRAMP certification.
- Streamline cloud computing by requiring agencies to first check the FedRAMP Marketplace. This is a centralized repository of secure cloud solutions that have already achieved FedRAMP authorization.
- Require the General Services Administration (a member of the Joint Authorization Board) to automate its processes. In theory, this will lead to a standardized and faster approach to security assessment and continuous monitoring, thus increasing efficiency for all industry stakeholders.
- Facilitate a consistent dialogue between industry stakeholders for the federal government’s effective, ongoing cloud computing coordination.
- Require that all members of the Joint Authorization Board be technical experts in cloud technology.
Much of the bill’s content involves program practices that are already in place. However, the legislation does make a notable change where compliance is concerned. Now that these demands have become legally enforceable, the General Services Administration will be required to coordinate with the Cybersecurity and Infrastructure Security Agency (CISA) to regularly update a framework for continuous monitoring. Thus, agencies must ensure they have a system of continuous monitoring in place that is coordinated with CISA.
A simple approach to FedRAMP authorization and compliance
Now that the bill has passed President Biden’s desk, two things are certain:
- The legislation won’t lower the bar for attaining a FedRAMP Authority to Operate (ATO).
- FedRAMP compliance is a rigorous journey that isn’t easily ventured alone.
Luckily, ISVs always have the option of leveraging compliance as a service. By working with a compliance partner like Project Hosts, organizations can simplify the FedRAMP process and take the pain out of earning their ATO.
ISVs who connect their cloud applications to our FedRAMP-authorized platform-as-a-service solution — the General Support System (GSS) — automatically have 80% of the load taken off their shoulders. In other words, you implement only the remaining security controls that exist on the software level, and Project Hosts handles the rest.
And, if you want a faster track to authorization, Project Hosts can help you every step of the way. With our turnkey services, our experts will engage an assessor, collect evidence of control implementation and run the audit on your behalf.
The normal FedRAMP process can take years and millions of dollars to complete. With compliance as a service, your application can be up and running in a fraction of the time and at a fraction of the cost.
Learn more about how Project Hosts can help you manage FedRAMP compliance by contacting our team today.