FedRAMP Just Got Better – And is Here to Stay
Blog Article Published: 08/15/2023
Originally published by Coalfire.
Written by Tom McAndrew, Chief Executive Officer, Coalfire.
President Biden signed the National Defense Authorization Act (NDAA), taking a giant step forward in securing the federal government’s cloud-first mission. The FedRAMP® (Federal Risk and Authorization Management Program) Authorization Act, outlined in section 5921 of the NDAA, formalizes the cybersecurity certification that cloud service providers must obtain before working with the U.S. government.
- The FedRAMP Authorization Act codifies secure market expansion into law, taking a giant step forward in securing the federal government’s cloud-first mission.
- The law’s most important feature is reciprocity, enabling agencies to certify vendors more easily and access more cyber-secure services.
- The bill mandates the creation of a Secure Cloud Advisory Committee to coordinate with the existing FedRAMP Joint Authorization Board, streamlining selection and assessment processes to shorten the time to Authority to Operate (ATO).
With the inclusion of the FedRAMP Authorization Act in the FY23 National Defense Authorization Act, Congress and President Biden have taken a giant step forward in securing America’s cloud-first mission. From FISMA in 2002 to the Office of Management and Budget's original Federal Risk and Authorization Management Program in 2011, the FedRAMP Authorization Act accelerates secure cloud momentum for government agencies.
The new legislation will stimulate innovation and help secure federal organizations migrating to the cloud. It formulates and adds roles that should lessen today’s program bottlenecks and makes it easier for agencies to source FedRAMP ATO providers.
Reciprocity is the game changer
Though there are gaps to close and best practices to define moving forward, the law’s most important feature changes the game immediately: reciprocity. Reciprocity is the ability of cloud service providers (CSPs) to authorize once and then re-use their already-certified ATO with other agencies. By formalizing reciprocity and the concept of “presumption of adequacy,” the law lets agencies more easily certify vendors and access more cyber-secure services.
With this change alone, the core business case for gaining FedRAMP authorization just got a lot better. Now, commercial cloud and software providers have easier access to multiple agencies across the federal marketplace. For smaller and mid-market CSPs, especially those who may have hesitated in the past to invest in FedRAMP, the opportunities to engage the federal market have significantly improved. Given the vagaries of the economy, the federal market is becoming a more sustainable and appealing option for more and more technology providers. In turn, the government's security-first imperative in the FedRAMP Authorization Act will make for a safer, cloud-first country.
Re-use gains momentum
The incidence of re-use has been gaining momentum for years but is now rapidly accelerating. Re-use has increased 132% since 2020, and there’s no end in sight.
Everyone can see where this chart will be heading over the next few years. However, despite all the blue sky, most FedRAMP-authorized CSPs haven’t even begun to take advantage of the opportunities:
- Of the 286 services on the federal marketplace today, a whopping 30% have only 1 authorization (meaning their solution is being used by 1 agency), and 60% have fewer than 5.
- Only 7% of CSPs really take advantage of the program with 50 or more authorizations, led by Amazon, Akamai, Microsoft, and Cisco/Okta.
Though re-use delivers incremental return, the process has largely been long, hard, and prohibitive. At the very least, the potential for ROSI (Return on Security Investment) is dramatically improved for all parties with the new law.
To keep the positive momentum, the bill mandates the creation of a Secure Cloud Advisory Committee to coordinate with the existing FedRAMP Joint Authorization Board. Members will work to streamline selection and assessment processes to shorten the time to get ATO and to make sure the framework is kept current over time.
Success will be contingent upon a number of factors:
- Pushing ownership and accountability down to the agencies for using FedRAMP-authorized solutions. Far too many agencies do not leverage FedRAMP-authorized solutions today, as reported in past analyses by the U.S. Government Accountability Office. The program needs “teeth” and there eventually may need to be mandates and mechanisms to take away funding from those that fail to comply. Incremental demand from agencies will attract more CSPs into the market and offer more innovative solutions for agencies to leverage.
- Reducing the technical effort, cost, and time for CSPs to meet FedRAMP requirements. It’s daunting for many, but it doesn’t have to be. Preconfigured templates and Infrastructure-as-Code (IaC) exist today that make it so that even people who don’t understand the cloud can leverage cloud technologies. The program must aggressively endorse these templates and IaC to help lower the bar for those still standing on the sidelines.
- Standardizing and automating the ATO process. The FedRAMP PMO’s Open Security Controls Assessment Language (OSCAL) program now streamlines authorization package reviews with a common machine-readable language. This program kickstarts FedRAMP’s ability to apply automated validation, and it simplifies and shortens the FedRAMP path for CSPs. It must be embraced and optimized moving forward.
- Finally, the program must be quickly funded. More resources are needed to support the authorization process. The lack of resources within the program office is causing bottlenecks today. These resource constraints must be addressed to increase the time value for CSPs considering the journey.
What time is it?
With the passage of the FedRAMP Authorization Act, it’s time for every Software-as-a-Service (SaaS) business to take a fresh look at the growing FedRAMP market. Federal agency spend on cloud services is expected to eclipse $11 billion in 2022, almost doubling the $6.6 billion from just 2 years prior. Early adopters are proving the point every day by leveraging their FedRAMP certifications – for example, SaaS providers Okta and Akamai are seizing every opportunity and have already realized over 50 authorizations.
The federal marketplace is growing, steadily and sustainably. FedRAMP may not be easy, but it has nevertheless become the de facto minimum bar to entry. The government has stepped up to set the pace, and its influence will continue to spread. StateRAMP is following FedRAMP’s lead and will be a new business boon for those with FedRAMP qualifications. Japan and other countries are also building their compliance programs off the American ingenuity that created FedRAMP in the first place, and modernized it.
Financial service companies, who usually set the bar for other sectors, are modeling elements of their requirements on the FedRAMP framework as well. From civilian agencies handling mountains of Controlled Unclassified Information, FedRAMP is a stepping stone for CSPs to handle classified and top-secret information (DoD IL6) and move into the more lucrative Defense Industrial Base (DIB).