FedRAMP is Law! So What?
FedRAMP Signed into Law, So What?
The Federal Risk and Authorization Management Program, better known as FedRAMP, is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP is the federal government’s solution to ensuring compliance of third-party software and tooling within federal information systems, specifically those deployed in the cloud. By providing a standardized, secure, and flexible approach to leveraging cloud products, the FedRAMP program allows the federal government to take full advantage of the benefits of cloud computing while maintaining the safety and security of its sensitive information. With the signing of the James M. Inhofe National Defense Authorization Act for Fiscal Year 2023 (NDAA) by President Joe Biden in December 2022, FedRAMP is now officially federal law. This raises the question: so what?
The NDAA is a piece of bicameral legislation passed annually by the U.S. Congress that specifies the annual budget and expenditures for the Department of Defense. It determines which agencies are responsible for defense and establishes policies and programs under which funds will be spent. FedRAMP is one of these programs, and previously only existed due to a policy memorandum issued in 2011 by the Office of Management and Budget (OMB). The FedRAMP Authorization Act, which was passed as part of the NDAA, does three main things: it codifies FedRAMP into federal law, establishes the Federal Secure Cloud Advisory Committee, and provides the ability for an agency head to document a presumption of adequacy as reasoning upon authorizing a cloud service.
Codifying FedRAMP into law may seem inconsequential, especially to those who have been abiding by the program’s restrictions since its establishment, regardless of its legal status. However, there are key differences between a policy memorandum and a federal law. Statutes and regulations are the boundaries for the government’s policies, and the government cannot make new laws or create new rights or obligations through policy memos, although a court will give agencies wide deference in setting their policies. Policy memos may also be challenged if they go beyond the scope of the relevant statutes and regulations, either as written or as applied by the government. Laws, on the other hand, are binding and may create new rights or obligations, which is why the FedRAMP Authorization Act can newly establish the Federal Secure Cloud Advisory Committee, for example. Laws may only be challenged in court if they are unconstitutional, either as written or as applied by the government. This is extremely important in guaranteeing the longevity and legitimacy of the FedRAMP program, especially to cloud service providers who have invested a significant amount into their FedRAMP authorized products and services.
The new Federal Secure Cloud Advisory Committee (FSCAC) board was established in order to improve the FedRAMP program and increase the speed at which cloud services and products can be authorized. It will consist of fifteen members, including five representatives from Cloud Service Providers (CSPs). This will greatly increase the transparency of the program and “ensure effective and ongoing coordination of agency adoption, use, authorization, monitoring, acquisition, and security of cloud computing products and services to enable agency mission and administrative priorities,” as stated by the General Services Administration (GSA). The committee is also set to meet at least three times a year and will provide general advice and recommendations to the FedRAMP PMO and the agencies on best practices and secure adoption of cloud products and service offerings. These reforms to the FedRAMP program heavily benefit cloud service providers looking to maximize their return on investment in their federal cloud services by promoting better cooperation amongst all players in the federal space, which will in turn decrease the amount of time and obstacles currently associated with achieving a FedRAMP authorization.
Since its inception, the FedRAMP program has sought to adhere to a policy of “use once, reuse many” when it comes to granting an Authorization to Operate (ATO) to a cloud service or product. Generally, if it is secure enough for one agency in the federal government to use, it should be secure enough for all of them. With the inclusion of the presumption of adequacy provision in the FedRAMP Authorization Act, this pillar of the FedRAMP program is now law as well. While agency heads do still have a responsibility to ensure that all cloud computing products and services they employ for agency use satisfy any relevant security controls, it is now even easier for them to issue an authorization to any cloud service/product that already possesses an ATO. This will lead to even greater opportunities for cloud service providers to contract with the federal government and realize profits sooner.
Over the past three years, there has been a significant increase in the number of cloud service providers receiving FedRAMP Authorizations to Operate (ATOs). This trend is driven in part by the growing demand for cloud-based services in both the public and private sectors, as well as the increasing recognition of FedRAMP as a key standard for cloud security and compliance. The acceleration of cloud services adoption spans across a wide range of industries, further fueling the demand for FedRAMP-compliant solutions. As a result, many cloud service providers have invested in achieving FedRAMP compliance, with a growing number of companies achieving ATOs in recent years. This trend is expected to continue in the coming years, even more so with the passing of the FedRAMP Authorization Act.
As improvements in the FedRAMP program and process result in an influx of CSPs hoping to achieve an ATO, they will likely also introduce an increased knowledge gap in the federal compliance community, requiring government agencies and cloud providers to understand and comply not only with the existing complex requirements of FedRAMP, but also with any updated and evolving requirements. We here at InfusionPoints look forward to guiding our clients and customers through newly expanding federal opportunities, and to continuing to work with our federal partners towards an efficient and secure cloud computing program for all.
- "Connolly, Comer, Peters, Portman Applaud House Passage of FedRAMP Authorization Act in FY23 NDAA" from U.S. Representative Gerry Connolly's website
- Federal Risk and Authorization Management Program (FedRAMP). (2023, January 25). Call for FSCAC Noms [Blog post]. Retrieved from https://www.fedramp.gov/blog/2023-01-25-call-fscac-noms/
- "FedRAMP Legislation pushed for the past several years, made the NDAA by a vote of 277-150" from MeriTalk (https://www.meritalk.com/articles/fedramp-agency-performance-bills-hitch-rides-on-ndaa/#:~:text=FedRAMP%20Legislation%20pushed%20for%20the%20past%20several%20years,made%20the%20NDAA%20by%20a%20vote%20of%20277-150)
- "FedRAMP Announces the Passing of the FedRAMP Authorization Act!" from FedRAMP.gov (https://www.fedramp.gov/blog/2023-01-11-announces-passing-fedramp-auth-act/)
- "H.R. 7776 - To authorize appropriations for fiscal year 2023 for military activities of the Department of Defense, for military construction, and for defense activities of the Department of Energy, to prescribe military personnel strengths for such fiscal year, and for other purposes." (https://www.congress.gov/117/bills/hr7776/BILLS-117hr7776enr.pdf), U.S. Congress.
- "Program Basics" (https://www.fedramp.gov/program-basics/), FedRAMP.gov.
- "FedScoop" website. (2021, July 14). GSA seeks nominations for new FedRAMP cloud advisory committee. https://fedscoop.com/gsa-seeks-nominations-for-new-fedramp-cloud-advisory-committee/
- FedRAMP. (n.d.). FedRAMP Marketplace. Retrieved February 20, 2023, from https://marketplace.fedramp.gov/#!/products