
What the FedRAMP Authorization Act Means for Organizations

Published 03/10/2023

Originally published by A-LIGN.

Written by Tony Bai, Federal Practice Lead, A-LIGN.

Since its creation in 2011, the Federal Risk and Authorization Management Program (FedRAMP) has provided a standardized government-wide approach to assessing the security of cloud computing services.

However, due to government agencies’ increased adoption of cloud technologies and a rise in cybersecurity attacks, many organizations and agencies have called for an updated version of FedRAMP to address their mounting cybersecurity concerns.

In late December 2022, the President signed H.R. 7776, the “James M. Inhofe National Defense Authorization Act for Fiscal Year 2023,” into law, which includes the FedRAMP Authorization Act. The official FedRAMP Authorization Act document is nearly 30 pages long and details the proposed changes to the FedRAMP program.

This blog will discuss everything you need to know about the FedRAMP Authorization Act, along with what the changes mean for organizations.

1. The Act Codifies Secure Market Expansion Into Law

The passing of the FedRAMP Authorization Act codifies the FedRAMP program as the authoritative standardized approach to security assessment and authorization for cloud computing products and services that process unclassified federal information. By codifying the FedRAMP Authorization Act into law, FedRAMP will now receive Congressional oversight. With this oversight comes better insight into the cost burdens of FedRAMP Authorization for SMBs.

Currently, the FedRAMP Authorization process is quite costly. Organizations that obtain authorization must undergo annual reassessments to retain their authorized status, which only adds to the financial strain. The new FedRAMP Authorization Act aims to identify where and how these cost constraints can be alleviated.

In addition to the above changes, the United States Office of Management and Budget and General Services Administration/FedRAMP Project Management Office will be required to produce and submit reports for Congressional review. These reports will document the metrics and performance standards of the FedRAMP program.

2. The Act Allows Agencies to Certify Vendors More Easily

One of the FedRAMP Authorization Act’s most important features focuses on reciprocity. Reciprocity gives Cloud Service Providers (CSPs) the ability to authorize and then re-use their already-certified FedRAMP status across other agencies.

Put simply, this “presumption of adequacy” clause, as it is called in the official documentation, allows FedRAMP-authorized tools to be used by any federal agency without further checks. Formalizing a “presumption of adequacy” for government contractors makes it easier for organizations to certify vendors, opening the door for organizations to get easier access to more cyber-secure services.

3. The Act Establishes a Secure Cloud Advisory Committee

Additionally, the Federal government seeks to provide more transparency and increased dialogue between themselves and industries. The government wants to drive stronger adoption of secure cloud capabilities and reduce legacy information technology.

To achieve this goal, the FedRAMP Authorization Act calls for the creation of a Secure Cloud Advisory Committee.

The committee will consist of 15 members, including five representatives from cloud services companies. Two of the five representatives must come from small cloud vendors. The committee will also contain one representative each from the Cybersecurity and Infrastructure Security Agency and the National Institute of Standards and Technology. Two serving chief information officers from Federal government agencies will also sit on the committee.

Secure Cloud Advisory Committee members will work alongside the existing FedRAMP Joint Authorization Board to streamline selection and assessment processes. The two groups will uncover solutions to shorten the time to gain the authority to operate (ATO) and to update the framework over time.

What Does the FedRAMP Authorization Act Mean for My Organization?

As of now, there are no immediate changes to make regarding how FedRAMP Authorization is obtained.

However, we do suggest that organizations take advantage of the benefits of the FedRAMP Authorization Act. The Act has made it easier for commercial cloud and software providers to reach multiple agencies across the federal marketplace.

This may provide a valuable opportunity to expand your organization’s work in the public sector — a highly profitable industry.

Get Started with FedRAMP Today

The FedRAMP Authorization Act will remove some of the current FedRAMP authorization bottlenecks and will make it easier for agencies to source FedRAMP ATO providers. For organizations that still need to obtain FedRAMP authorization, now is the perfect time to dive in.


About the Author

Mr. Bai is a cybersecurity professional with a range of certifications. As the Federal Practice Lead at A-LIGN, Mr. Bai supports all FedRAMP, FISMA, NIST 800-171 and other NIST-based projects. He is responsible for overseeing all NIST-based engagements and providing security controls advisory and guidance to our clients. Mr. Bai has hands-on experience leading all stages of system security, including requirements definition, auditing, scanning, and mitigation. He has over 27 years of information systems experience, including 10 years specializing in cybersecurity. His extensive background includes providing risk assessments of information systems for government agencies and commercial clients. Mr. Bai brings an impressive blend of knowledge of security controls and technical aspects of cybersecurity and IT operations.