FedRAMP Codified: A New Law Aims to Streamline Federal Security Authorizations for Cloud Services

Since its inception in 2011, the Federal Risk and Authorization Management Program (FedRAMP) has sought to facilitate adoption of secure cloud computing services by federal government agencies. A newly enacted law, the FedRAMP Authorization Act, aims to improve FedRAMP, including by streamlining the approval process for cloud services and by pushing agencies to rely on previous approvals from other agencies. Companies that provide—and that want to provide—cloud computing services to the federal government are advised to monitor developments to FedRAMP closely.

On December 23, 2022, President Biden signed the FedRAMP Authorization Act into law as part of the James M. Inhofe National Defense Authorization Act for Fiscal Year 2023. The FedRAMP Authorization Act codifies FedRAMP, which previously existed by virtue of a 2011 policy memorandum (2011 Policy Memorandum) issued by the Office of Management and Budget (OMB), creates two new bodies to oversee the program and facilitate federal government adoption of cloud computing services more broadly, and introduces various measures to facilitate and increase federal agencies' adoption of FedRAMP-authorized cloud services. Perhaps the most important component of the FedRAMP Authorization Act—or at least the one that has garnered the most attention so far—is its "presumption of adequacy" provision, under which a federal agency must presume that a cloud service that already has received FedRAMP authorization from another agency has adequate security measures to achieve authorization at that agency. Other provisions of the law include those aiming to:

• Make the FedRAMP authorization process faster, clearer and more transparent;
• Improve the efficiency and effectiveness of the FedRAMP authorization and continuous monitoring processes through the use of automation;
• Maintain FedRAMP's public comment process for guidance and program directives that may impact CSPs and agencies;
• Better monitor the effectiveness of FedRAMP and identify areas for improvement;
• Facilitate dialogue between the federal government and the private sector on cloud computing adoption, including by placing both federal government and private sector leaders on the newly created Federal Secure Cloud Advisory Committee; and
• Identify foreign influences affecting organizations that assess the security of cloud services.[1]

Changes introduced by the FedRAMP Authorization Act, which was enacted amidst a major push by the federal government to migrate agencies' IT systems to the cloud,[2] could create significant opportunities for companies that provide cloud computing services. In particular, provisions of the new law could make it easier for Cloud Service Providers (CSPs) to obtain an authorization to operate (ATO, also frequently referred to as an "authority to operate") from multiple federal agencies, allowing those CSPs to service numerous agencies and save valuable time and money in attaining these authorizations.

Background on FedRAMP

The 2011 Policy Memorandum that created FedRAMP set forth several goals for the program, including the standardization of security requirements and assessment processes for cloud products and services across federal agencies. Prior to FedRAMP, each agency was responsible for maintaining its own such requirements and processes for CSPs.

There currently are two ways a CSP may achieve FedRAMP authorization for one of its cloud computing services: by obtaining an ATO from a federal agency that wants to use that service, or by obtaining a "provisional" ATO (P-ATO) from FedRAMP's Joint Authorization Board (JAB)—a governing body composed of the chief information officers of the Department of Defense (DoD), Department of Homeland Security (DHS), and General Services Administration (GSA). An agency may rely on an existing ATO or P-ATO when assessing the security of a cloud computing service that it wants to use, rather than conducting a completely new FedRAMP security assessment.

While FedRAMP has improved standardization of cloud security assessments across federal agencies, the program has been hampered by inconsistent adoption by federal agencies. A 2019 report by the Government Accountability Office (GAO) found that 15 of 24 agencies surveyed used cloud services that had not been authorized through FedRAMP, and that one of those agencies used 90 non-FedRAMP authorized cloud services. Additionally, some agencies have continued to maintain their own authorization processes for CSPs,[3] making it more difficult for CSPs that have obtained an ATO from one agency to obtain ATOs from others.

Another common criticism of FedRAMP related to the significant time and resources needed for CSPs to achieve FedRAMP authorization. According to some reports, achieving FedRAMP authorization often takes between six and 12 months and costs more than $500,000[4]—difficult investments for many organizations and prohibitive for many startups and other small businesses offering cloud computing services. The FedRAMP Authorization Act seeks to address these and other difficulties with the current version of FedRAMP.

The FedRAMP Authorization Act

Presumption of Adequacy and Facilitating Agency Reuse of FedRAMP Authorized Services

The FedRAMP Authorization Act seeks to improve FedRAMP in several important ways. As stated, the law includes a "presumption of adequacy" provision to "[r]educe duplication of security assessments and other obstacles to agency adoption of cloud products."[5] With this provision in place, CSPs may find it considerably easier to obtain ATOs from multiple agencies as an agency will be required to presume that the materials supporting a P-ATO or an ATO from another agency (referred to as an "authorization package") are sufficient to support an ATO from that agency. In other words, a federal agency must presume that a FedRAMP-authorized cloud computing service has adequate security controls for that agency's use, reducing the need for additional and duplicative security assessments. In other words, a federal agency must presume that an already-FedRAMP-authorized cloud computing service has adequate security controls for authorization at that agency, reducing the need for additional and duplicative security assessments. Additionally, agencies maintain the authority to demine that there is a demonstrable need for additional security requirements beyond those included in the FedRAMP authorization.

To further facilitate agency use of cloud products or services that already have been FedRAMP authorized, the separate provision of the FedRAMP Authorization Act requires that agencies check a central repository of FedRAMP authorizations prior to initiating a new authorization process. Agencies also are required, to the extent practicable, to use existing security assessments and other supporting materials when assessing a cloud product or service that is already FedRAMP authorized, rather than conducting new assessments or requiring CSPs to create new materials.

Program Responsibilities and New Oversight Bodies

The FedRAMP Authorization Act assigns responsibilities for maintaining and overseeing FedRAMP to various stakeholders, including two new bodies created by the law—the FedRAMP Board and the Federal Secure Cloud Advisory Committee ("Advisory Committee").

The law assigns primary administrative responsibility for FedRAMP to the GSA, as is the case with the current program. The FedRAMP Authorization Act instructs the GSA Administrator to, among other things:

• Develop, coordinate and implement a process to support agency review, reuse and standardization of security assessments of cloud computing products and services, in consultation with the Secretary of DHS.
• Develop and publish templates, best practices, technical assistance, and other materials to support the authorization of cloud computing products and services and increase the speed, effectiveness, and transparency of the authorization process.
• Establish and update guidance on the boundaries of FedRAMP authorization packages.[6]
• Grant FedRAMP authorizations to CSPs, consistent with guidance from the FedRAMP Board.
• Establish and maintain a public comment process for proposed guidance and other FedRAMP directives.
• Provide a secure repository for storing FedRAMP authorization packages and other materials supporting existing FedRAMP authorizations to better facilitate agency reuse of FedRAMP authorized products and services.
• In coordination with the Secretary of DHS, evaluate options for improving the efficiency and effectiveness of FedRAMP authorizations and continuous monitoring through the use of automation capabilities and procedures.
• Determine whether FedRAMP may use an independent assessment service to evaluate security assessment materials submitted by CSPs during the authorization process.FedRAMP currently requires CSPs to obtain assessments from Third Party Assessment Organizations (3PAOs) during the authorization process.

The Director of OMB also has significant responsibilities under the law. The Director is instructed to, among other things:

• Issue guidance clarifying the products and services that fall within the scope of FedRAMP.
• Issue guidance describing additional responsibilities of FedRAMP and the FedRAMP Board to accelerate the adoption of secure cloud computing products and services by the Federal Government.
• Establish a process to periodically review FedRAMP authorization packages to support the secure authorization and reuse of secure cloud products and services.

The newly created FedRAMP Board is tasked with providing input and recommendations to the GSA Administrator. The FedRAMP Board will include senior officials from DoD, DHS, GSA and other agencies as determined by the Director of OMB. The FedRAMP Board's responsibilities include establishing requirements and guidelines for FedRAMP security authorizations and monitoring and overseeing agencies' FedRAMP authorization processes.

The law also creates the Advisory Committee "to ensure effective and ongoing coordination of agency adoption, use, authorization, monitoring, acquisition, and security of cloud computing products and services." The Advisory Committee will include representatives from the GSA, the National Institute of Standards and Technology (NIST), the Cybersecurity & Critical Infrastructure Security Agency (CISA), federal agency chief information security officers, and "unique businesses that primarily provide cloud computing services or products"—including at least two from small businesses. The Advisory Committee shall examine the operations of FedRAMP and advise on ways to improve the authorization processes and shall provide guidance to the GSA Administrator, the FedRAMP Board, and agencies on the adoption of cloud products and services.

Other Provisions

Other key provisions of the FedRAMP Authorization Act include the following:

• Any independent assessment service used to evaluate security assessment materials must annually report to GSA information relating to any foreign interest, foreign influence, or foreign control of the service. The service must also report to the GSA any change in foreign ownership or control within 48 hours.
• The Director of OMB is required to submit annual reports to the GAO, which must include an assessment of the performance of GSA and the federal agencies under FedRAMP, data on FedRAMP authorizations, the average length of time to issue FedRAMP authorizations and FedRAMP measures to protect data stored in the cloud, including geolocation restrictions for cloud products and services and disclosures of foreign ownership of cloud service providers by foreign entities.
• A sunset provision striking the provisions of the act five years after its enactment.Presumably, this sunset provision is intended to give Congress the option to continue FedRAMP as constituted or to overhaul federal agencies' management of cloud product and service security.

Conclusion

CSPs that currently have or intend to pursue FedRAMP authorizations should closely monitor FedRAMP developments, including the forthcoming guidance from the GSA and OMB on program scope, processes, and requirements. The new law, particularly the "presumption of adequacy" provision, may give CSPs significant new opportunities to expand their cloud product and service offerings to federal agency clients with less time and fewer resources needed to achieve authorization.

DWT's Information Security team regularly advises clients operating in the cloud computing space on navigating FedRAMP and other security requirements related to cloud computing. We will continue to monitor changes to FedRAMP and how those changes may affect our cloud computing clients.