


On July 25, 2024, the Office of Management and Budget (OMB) released a new memorandum, M-24-15, signaling a major overhaul of the Federal Risk and Authorization Management Program (FedRAMP). This update aims to streamline the cloud authorization process, drive the adoption of secure commercial cloud services, and increase the overall efficiency of the program. Here are the key takeaways from this critical update.
Program Authorizations: A New Path for CSPs
One of the most significant changes introduced by M-24-15 is the concept of “program authorizations.” This new pathway provides Cloud Service Providers (CSPs) with an alternative route to FedRAMP authorization, especially for those facing challenges in securing agency sponsors. This development could significantly ease the entry of new cloud services into the federal marketplace. However, it’s important to note that the full transition from the legacy Joint Authorization Board (JAB) process will take time. In the interim, CSPs are encouraged to continue pursuing agency sponsorships as a priority.
Bridging the Gap Between Commercial and Federal Offerings
OMB M-24-15 advocates for integrating FedRAMP security controls into standard commercial cloud offerings, eliminating the need for separate federal environments. While this approach promises efficiency and cost savings, it also presents significant challenges. The stringent nature of FedRAMP requirements, including FIPS 140-3 compliance and rigorous change management processes, can hinder the rapid innovation and development cycles typical of commercial cloud services.
Accelerating FedRAMP Through Automation
To accelerate the FedRAMP authorization process, M-24-15 mandates a significant shift towards automation and adoption of the Open Security Controls Assessment Language (OSCAL). While automation has been a recurring topic, the memorandum provides a concrete deadline, requiring government agencies to implement automation capabilities by January 2026.
Enhanced Oversight with Specialized Reviews
Another significant change is the introduction of specialized reviews conducted by the FedRAMP Program Management Office (PMO). These reviews will focus on CSPs with high-impact services and can be initiated under certain conditions to ensure ongoing compliance. While details about these reviews are still emerging, this new oversight mechanism is expected to play a crucial role in identifying and mitigating potential risks associated with cloud services.
Key Implementation Deadlines
To achieve the ambitious goals set out in M-24-15, the OMB has established a series of implementation deadlines:
- January 2025: Agencies and GSA must update policies and processes to align with the new FedRAMP guidelines.
- April-June 2025: FedRAMP shall submit its first annual implementation plan to OMB.
- July 2025: GSA shall develop a plan to transition agencies away from government-specific cloud infrastructure.
- January 2026: GSA must implement automated processes for receiving FedRAMP artifacts.
- April-June 2026: FedRAMP shall submit its second annual implementation plan to OMB.
- July 2026: Agencies must have the capability to process machine-readable FedRAMP artifacts.
These deadlines reflect the urgency of the modernization efforts and set a clear timeline for both agencies and CSPs to follow.
OMB M-24-15 represents a significant leap forward in the evolution of the FedRAMP program. While there are challenges ahead, particularly in terms of compliance and integration, the changes outlined in this memorandum have the potential to greatly improve the authorization process, enhance cloud security, and foster stronger collaboration between the government and the private sector. As the landscape of cloud services continues to evolve, these updates will ensure that FedRAMP remains a robust and adaptable framework for securing federal information in the cloud.