The past twelve months have been a period of intense transformation for FedRAMP, with several critical program changes reshaping its landscape. In this post, we summarize the key points and implications of these changes.

Introduction of the FedRAMP Board

The most significant change is the replacement of the FedRAMP Joint Authorization Board (JAB) with the new FedRAMP Board. As defined by the FedRAMP Authorization Act, this Board serves as the program’s governing body, representing the needs and interests of the federal community. It is composed of seven federal technology executives from various agencies, selected by the Federal Chief Information Officer (CIO) in the Office of Management and Budget (OMB). The Board includes the Federal CIO and the FedRAMP Director as non-voting Chair and Vice Chair, respectively, and holds private meetings to guide FedRAMP policies. This new governing body aims to streamline the authorization process while ensuring the security of cloud services used by the federal government.

What about JAB P-ATOs?

As a result, the JAB provisional authorization to operate (P-ATO) pathway for cloud service authorization will no longer be available. What about the existing JAB P-ATOs? FedRAMP is currently evaluating how existing JAB P-ATOs will be transitioned to the new authorizations. While a definitive answer is still under development, the most likely path forward involves seeking authorization from your primary agency or a consortium of relevant agencies.

Advisory Bodies: FSCAC and TAG

In addition to the FedRAMP Board, two advisory bodies play crucial roles:

  • Federal Secure Cloud Advisory Committee (FSCAC): This committee advises on FedRAMP and the secure use of cloud services by the federal government. It includes members from both the government and private sectors, selected through a public nomination process and chaired by GSA leadership. The FSCAC operates as a voting body with public meetings, providing a platform for stakeholders to engage and share feedback.
  • Technical Advisory Group (TAG): Consisting of federal employees with expertise in modern cloud technology, the TAG provides technical advice to FedRAMP. Its members are jointly selected by OMB and FedRAMP, covering areas like cybersecurity, privacy, digital service delivery, and cloud infrastructure management. The TAG is not a voting body and meets periodically or as needed.

New Pathways to FedRAMP Authorization

With the dissolution of the JAB, new pathways for achieving FedRAMP ATO have been introduced:

  • Single Agency ATO: This path builds upon the traditional Agency path, emphasizing reusability and efficiency. Cloud services meeting a single agency’s robust security standards can now be adopted by other agencies with similar needs.
  • Multi-Agency ATO: Building on the JAB P-ATO model, this path (also referred to as Joint-Agency Authorization) facilitates a collaborative approach. Multiple agencies work together to authorize a cloud service that meets a common security standard. This significantly reduces the workload for cloud service providers and expedites adoption across government agencies.
  • FedRAMP PMO ATO: The FedRAMP Program Management Office retains the ability to directly grant authorization under specific circumstances. While the exact criteria are still being refined, this option might be used for cloud services with broad government applicability or those addressing emerging security needs.

Key Initiatives at FedRAMP

Several initiatives have been launched to enhance the program’s effectiveness:

  • Agile Change Management: Replacing the “significant change request” process with a more flexible approach, starting with pilot programs involving interested cloud providers.
  • Customer-Oriented Metrics: Developing new metrics based on customer experiences and feedback, and updating performance metrics to align with customer outcomes.
  • Core Security Expectations: Clearly defining security expectations for all authorization types and collaborating with CISA to implement best practices and minimize risk.
  • Outcome-Focused Policies: Updating guidance in areas that cause authorization pain points, such as FIPS 140 and DNSSEC, while maintaining flexibility to focus on security outcomes.
  • Increasing Authorizing Capacity: Aligning processes with trusted partners and piloting this approach with DISA for the Department of Defense, as well as convening joint authorization groups for streamlined processes.
  • Digital Authorization Packages: Transitioning to machine-readable packages in OSCAL, leveraging automated validation and system-to-system integration, and piloting this with interested cloud providers and agencies.

The transition to the new FedRAMP structure may cause some initial uncertainty regarding authorization paths and existing ATOs. However, the long-term benefits are significant. These changes aim to make FedRAMP more efficient, customer-focused, and scalable, ultimately enhancing its ability to serve the evolving needs of federal agencies.

One key benefit is the standardization of authorization. All approved ATOs, regardless of the path (Single Agency, Multi-Agency, or FedRAMP PMO), will hold equal weight. This eliminates confusion surrounding Agency vs. JAB P-ATO distinctions and simplifies the reuse of ATOs across agencies. Additionally, streamlined continuous monitoring allows for a more efficient process. To enhance overall security, FedRAMP is looking to revise policy away from rigid compliance requirements and toward achieving measurable security outcomes. This allows for a more dynamic and effective approach.

We are confident these advancements will have a positive impact on the future of FedRAMP and its ability to support secure federal cloud adoption.