This is the first in a series of blogs about the evolving landscape of secure commercial cloud computing supported by the FedRAMP program.
The President signed into law HR 7776, the James M. Inhofe National Defense Authorization Act for Fiscal Year 2023, which includes the FedRAMP Authorization Act. The FedRAMP Authorization Act codifies the Federal Risk and Authorization Management Program (FedRAMP), which provides a standardized, reusable approach to security assessment and authorization for cloud computing products and services that process unclassified information used by agencies.
The FedRAMP program is administered by the FedRAMP Program Management Office (PMO) within the General Services Administration (GSA). The program was originally established through a 2012 Office of Management and Budget (OMB) memorandum. With the passage of the FedRAMP Authorization Act, the program is now codified in law enacted by Congress and subject to formal congressional oversight. This blog provides an overview of the important changes and their impact on cloud service providers and agencies participating in the FedRAMP program.
FedRAMP Program Beyond 2023
One of the biggest changes the FedRAMP Authorization Act brings to the program is congressional oversight and GAO reporting. Expect more reporting and a greater focus on metrics related to ATO costs, agencies' use of cloud services, and continuous improvement through automation. A key aspect of the FedRAMP Authorization Act is its awareness of the cost burden a FedRAMP ATO places on small businesses and its intent to ensure they can participate in the program. The key elements of the FedRAMP Authorization Act are summarized below.
Metrics and Performance Standards: OMB and the GSA/FedRAMP PMO are required to prepare and submit reports for congressional review. Specific reporting elements include:
(1) The GSA/FedRAMP PMO and agencies report on the speed, efficiency, sharing, reuse, and security of FedRAMP ATOs.
(2) Establish annual metrics for the time and quality of the assessments required to complete a FedRAMP authorization, so that they can be tracked consistently over time.
(3) Data on FedRAMP authorizations.
(4) Average time to issue a FedRAMP authorization.
(5) The number of FedRAMP authorizations submitted, issued, and rejected.
(6) Reporting on technologies that securely automate the FedRAMP process.
(7) The number and nature of authorized cloud service offerings in use by each agency.
(8) A review of FedRAMP measures that ensure the security of data stored or processed by cloud service providers. This may include:
• geographic location restrictions on the products or services offered;
• disclosure of foreign elements in the supply chain of the acquired product or service;
• ongoing disclosure of ownership of cloud service providers by foreign entities; and
• encryption of data processed, stored, or transmitted by cloud service providers.
Foreign ownership reporting by CSPs and 3PAOs: Cloud Service Providers (CSPs) and Third Party Assessment Organizations (3PAOs) must report changes in foreign ownership or control within 48 hours. Additional scrutiny of, and reporting on, foreign ownership of CSPs and 3PAOs is expected.
Agency reuse of FedRAMP ATOs: The security controls and materials in the authorization package of a CSP holding a FedRAMP ATO are presumed adequate for agency use. Nevertheless, this provision does not alter any agency's authority to require additional controls, nor its responsibility for risk-based acceptance of FedRAMP-authorized commercial cloud services.
Oversight through GAO reporting: GAO is mandated to provide independent assessments and reports on critical aspects of the program, including:
(1) Costs incurred by agencies and cloud service providers in connection with the issuance of FedRAMP authorizations.
(2) The extent to which agencies have processes in place to continuously monitor the cloud computing products and services that operate with federal information systems.
(3) The frequency and purpose of the categories of products and services that use FedRAMP authorizations.
(4) The unique costs and potential burdens that small business cloud computing companies incur.
Federal Secure Cloud Advisory Committee: The FedRAMP Authorization Act mandates the creation of a 15-member committee to provide recommendations and opportunities for engagement to a wide range of agencies and CSPs, particularly small businesses. The committee must include at least 5 representatives from unique businesses that primarily provide cloud computing services, including at least 2 representatives of small businesses.
FedRAMP Crystal Ball
Now that the FedRAMP program is codified in law and overseen by Congress, it is likely to generate greater debate and lead agencies to consider FedRAMP-authorized commercial cloud services for their modernization and security needs. Given the volume of reports, metrics, and usage data that will be generated, there will be more focus on quantifying agency cost savings through reuse of commercial cloud services.
Additionally, given the significant industry investment in the FedRAMP program, there will be an ongoing focus on lowering the cost of compliance to remove sponsorship bottlenecks and, in particular, to enable smaller businesses to participate. Large CSPs should consider establishing programs that enable small and medium-sized enterprises (SMEs) to develop and deliver innovative FedRAMP-authorized SaaS solutions.
Overall, the law will allow for greater transparency and potential funding, and will drive a lively debate about using secure commercial cloud services to improve the security and customer experience of government services. Commercial CSPs, including small businesses, can help advance the FedRAMP program.
Furthermore, industry organizations like the Alliance for Digital Innovation (ADI) will provide more support for the FedRAMP program and encourage agencies to consider secure commercial cloud services for their mission needs.
“Passage of FedRAMP legislation will launch much-needed updates to the program. Executives from the FedRAMP Program Management Office and GSA’s Technology Transformation Services have been instrumental in streamlining the program and making it more customer-centric with limited resources. However, agency needs and the amount of cloud-based services and software moving to the cloud are creating demands that the current FedRAMP program cannot meet given its resource and policy parameters,” said Ross Nodurft, Executive Director, Alliance for Digital Innovation (ADI). “This bill allows OMB and GSA to reimagine the FedRAMP process as well as a marketplace where agencies can access modern cloud-based services while maintaining high security standards. This new authorization language, along with additional funding from the FY2023 Omnibus Legislation, will allow the program to evolve and transform to meet the ever-expanding modernization needs of our agency customers.”
*** This is Blog Archives – stackArmor’s Security Bloggers Network syndicated blog written by stackarm0radm1n14274. Read original post: https://stackarmor.com/fedramp-authorization-act-implications-for-cloud-service-providers-and-agencies/