Software industry group offers FedRAMP wishlist to OMB, GSA

Software trade group the Alliance for Digital Innovation offered OMB and GSA officials potential priorities to consider in implementing the FedRAMP Authorization Act in a Feb. 1 letter.


The recently passed FedRAMP Authorization Act should be a starting point for the government to remake the certification program in a way that lowers the barrier to entry for cloud solutions, the Alliance for Digital Innovation said in a new letter to OMB and GSA.

The Alliance for Digital Innovation wants the federal government to use the FedRAMP Authorization Act to “reimagine” the program and address what it says are longstanding problems with insufficient funding and barriers to entry for cloud providers. 

FedRAMP, established in 2011, is a government-wide cybersecurity assessment, authorization and continuous monitoring program that certifies the security of cloud services that federal agencies can use. 

Congress recently passed the FedRAMP Authorization Act as part of the fiscal 2023 National Defense Authorization Act, codifying the program and including measures meant to promote its use such as a cloud advisory committee and FedRAMP board, as well as directions for the Office of Management and Budget to issue FedRAMP guidance.

But the Alliance for Digital Innovation, a software technology trade group, said in a Feb. 1 letter to OMB director Shalanda Young and General Services Administration leader Robin Carnahan that the law “is an opportunity for the administration to develop a policy that allows FedRAMP to grow and change with the needs of government at the speed of technological innovation.”

The association offers a list of priorities it wants GSA and OMB to consider as they implement the legislation. The group wants the program to allow “federal agencies to manage their risk while lowering the barrier to entry for commercial, modern cloud solutions,” Ross Nodurft, executive director of the association, said in a statement. 

“The administration has a clear remit from Congress to invest in the program and build a risk management structure that can support rapid, robust digital transformation and movement to cloud services,” he said.

One ask is for OMB and GSA to create incentives for agencies to sponsor FedRAMP authorization for cloud service providers, something that can be “a time-consuming and resource-intensive process for authorizing officials,” the letter says. OMB and GSA might consider funding, personnel support and public recognition for agencies. 

The letter also asks OMB and GSA to appoint and fund a FedRAMP coordinator at each agency who would help agency officials who want to onboard a new cloud product.

The group also asks for government to make it easier for small cloud businesses to enter the federal marketplace with things like grants to pay for third-party assessments, and to encourage agencies not to default to higher levels of security controls, but instead tailor risk management – something that would make agencies more nimble, the letter states.

“The public and private sectors need to work closely together to develop a policy that encourages agencies to make risk-based decisions based on security threats and not perceived oversight,” the letter said.

The group’s concerns about underutilization of the program also surfaced in a 2019 report by the Government Accountability Office, which found that 15 of 24 agencies it surveyed did not always use FedRAMP to authorize cloud services, with interviewees pointing to resource challenges in complying with the program and confusing guidance.

The Alliance also calls for new security compliance programs to build in reciprocity with FedRAMP. The letter points to the Defense Department’s Cybersecurity Maturity Model Certification as a place where this would “reduce the administrative burden for the government and the compliance burden of the cloud companies, and allow agencies to more quickly comply with these new security policies.”

Other requests in the letter include the creation of a governance structure for the technical review process; public lists of authorities to operate issued by each agency for cloud service providers; changes meant to “open the marketplace” to cloud solutions still in the process of becoming eligible for FedRAMP authorization and more.

As for funding these changes, the Alliance suggests that GSA tap into the recent funding boost and cross-agency funding tool given to GSA in the latest appropriations package.

“The FedRAMP Authorization Act and the accompanying money from Congress represent the beginning of long needed investments in the FedRAMP Program,” said Nodurft.
