It’s been a hot summer so far but Federal Risk and Authorization Program (“FedRAMP”) is just starting to heat up. In June, FedRAMP (the Federal government’s program for security authorizations for cloud solutions) released the final Emerging Technology Prioritization Framework, which outlines the prioritization of certain artificial intelligence capabilities. In mid-July, FedRAMP announced its Agile Delivery pilot program, which is a new process for reviewing significant changes without the need for advanced approval. FedRAMP also announced a new technical documentation hub (automate.fedramp.gov) that focuses on provided support to cloud service providers in the development of digital authorization packages. Lastly, just as the heat wave in Washington, D.C. ended, FedRAMP published the final version of the FedRAMP OMB Memo (“OMB Memo”) on July 26, 2024. The OMB Memo revamps FedRAMP through changes to the authorization paths and continuous monitoring and incident response processes, as well as enhancements through automation. Below are key points to know about each FedRAMP update released this summer.
Emerging Technology Prioritization Framework: On June 27, 2024, FedRAMP published the final Emerging Technology Prioritization Framework (the Draft version from January 26, 2024 is discussed here). The Emerging Technology Prioritization Framework outlines efforts to prioritize generative AI capabilities for FedRAMP authorization beginning with (1) chat interfaces; (2) code generators and debugging tools; and (3) prompt-based image generators. These prioritized offerings will have reduced waiting time for beginning the authorization process by “cutting the line” but the authorization process will not be accelerated. Notably, no more than three capabilities will be prioritized at any time and once three cloud service offerings whose primary purpose is to offer one of the prioritized capabilities have achieved FedRAMP authorization, then the capability no longer will be prioritized and any additional offerings using the same technology will return to the standard prioritization process. We expect FedRAMP will prioritize additional AI technologies as the program progresses.
Agile Delivery Pilot Program: On July 10, 2024, FedRAMP launched a new pilot program seeking to eventually replace the “significant change request” process with an approach that does not require advanced government approval for CSPs to make certain changes relating to their environments. This will permit CSPs to continually improve their products without unpredictability and delay under the current structure, which may result in risk and opportunity costs. If the pilot program goes as planned, we expect to see a broader rollout of the new procedures across FedRAMP-authorized cloud providers.
Technical Documentation Hub: On July 11, 2024, FedRAMP launched automate.fedramp.gov, which is a “a new technical documentation hub designed specifically to support cloud service providers (CSPs) in the development, validation, and submission of digital authorization packages, and the developers of governance, risk, and compliance (GRC) applications and other tools that produce and consume digital authorization package data.”[1] FedRAMP hopes the webpage will make the FedRAMP authorization process more efficient and accessible through faster and more frequent documentation updates, providing a wider range of available technical documentation, improving the user experience, and establishing a collaborative workflow for supporting the improvements to documentation.
FedRAMP OMB Memo: Although each of these updates is important, FedRAMP was just warming up for their biggest announcement of the summer, the final OMB Memo. Last fall we discussed the draft OMB Memo (available here). It took FedRAMP almost 8 months to sift through the 290 comments submitted in response to the draft OMB Memo. Below we focus on key points from the final OMB Memo (including items FedRAMP kept or changed after the comment period) and highlight some of the changes coming to FedRAMP.
- FedRAMP continues to emphasize the need for federal agencies to leverage shared infrastructure. Of particular note, the final OMB Memo maintains its emphasis on leveraging shared infrastructure between the Federal Government and the private sector, which appears to seek to largely eliminate the use of Government-Only cloud deployments. This may be unappealing to some agencies, which likely view the Government-Only cloud environments as more secure when establishing risk posture prior to leveraging a FedRAMP authorized cloud environment. Cloud service providers may need to restructure their cloud offerings and integrate improved security controls and practices to maintain an appropriate risk posture for all customers, including federal agencies.
- FedRAMP further clarified its scope, which “does not apply to every use of an internet-based service by a Federal agency.” In the draft OMB Memo, FedRAMP provided two categories of cloud services that are outside the scope of FedRAMP: (1) cloud-based services that do not host information systems operated by an agency or contractor of an agency or another organization on behalf of an agency; (2) services that are offered by a Federal agency but are not a cross-Government shared service. In the final OMB Memo, FedRAMP further clarifies the cloud computing products and services that are outside the scope of FedRAMP, including social media and communication platforms, search engines, and widely available services that provide commercially available information to agencies but do not collect Federal information, among other examples.
- FedRAMP outlines three “new” authorization paths. As previewed in the draft OMB Memo, FedRAMP is revamping its authorization paths. It maintains the agency authorization path, allowing for one or multiple agencies to support an authorization. The Joint Authorization Board (“JAB”) authorization path is officially going away and is being replaced by “program authorizations,” which are signed by the FedRAMP Director. Program authorizations are intended to allow FedRAMP to authorize certain cloud service products or services that a number of Federal agencies are likely to use. It remains to be seen whether FedRAMP will be actively identifying these cloud products or services. A more likely scenario will be a CSP submits an authorization package to FedRAMP without an agency sponsor with hopes of being authorized through the program authorization process. Lastly, FedRAMP maintained its “any other paths of authorization” catch-all authorization path, although the final OMB Memo provides little information on what this actually might entail.
- FedRAMP still plans to use “red-team” assessments during or following FedRAMP authorization. We highlighted this in our prior blog as a potential point of contention in the public comments because it appears to provide the FedRAMP PMO with unfettered discretion to initiate further assessment. The final OMB Memo maintains this discretion “at any point during or following the authorization process.” The final OMB Memo includes a footnote with the definition of “red-team” from NIST’s glossary of terms and states, “Any red-team efforts will be performed in accordance with the Federal Acquisition Regulation and other applicable guidance provided by DHS’ Cybersecurity and Infrastructure Security Agency (CISA) and the FedRAMP PMO.”
- Time-specific temporary authorization designations may be coming. Previously, a cloud service product or service in the authorization process but not yet authorized could be designated as “FedRAMP In Process,” or “FedRAMP Ready” if the CSP completed certain steps required to be listed on the FedRAMP Marketplace. These designations, particularly FedRAMP In Process, did not provide much information on the time remaining for the cloud product or service to be authorized. The final OMB Memo states FedRAMP will be issuing “time-specific temporary authorization[s]” that will allow Federal agencies to pilot the use of cloud services without a full FedRAMP authorization. The maximum pilot period is 12 months, after which the temporary authorization will terminate unless the CSP is in the process of obtaining a full FedRAMP authorization. Further guidance is coming from the FedRAMP PMO regarding these pilots.
- FedRAMP is exploring the use of Artificial Intelligence for security assessment reviews and continuous monitoring processes. As part of FedRAMP’s automation and efficiency efforts, FedRAMP plans to pilot the “use of emerging technology to determine feasibility and utility in an effort to improve security outcomes and scalability.” This will require the submission of security assessment artifacts and continuous monitoring information using Open Security Controls Assessment Language (“OSCAL”), which is being leveraged by FedRAMP in its automate.fedramp.gov webpage.
The release of the final OMB Memo comes with new deadlines. FedRAMP will submit an annual plan for the next two years that outlines program activities and provides a timeline for implementing the requirements of the final OMB Memo. Each Federal agency has 180 days to update agency-wide policy to align with the OMB Memo’s requirements and promote the use of cloud computing products and services that meet FedRAMP security requirements. The OMB Memo prescribes 18 months for GSA to enable authorization and continuous monitoring through machine-readable and automated means, and two years to ensure that governance, risk and compliance and system-inventory tools can ingest and produce artifacts using OSCAL.
The changes to FedRAMP following the FedRAMP Authorization Act continue to heat up. The Sheppard Mullin Cybersecurity and Data Protection team will keep you updated.
FOOTNOTES
[1] See FedRAMP Blog,“New Website Launch: automate.fedramp.gov.”