What’s next for FedRAMP?

With so many significant cyberattacks making headlines this year, Congress has responded by significantly increasing funding to patch vulnerabilities and modernize IT systems and networks across the federal government.

Behind the scenes, an existing government-wide initiative with few staff and a small budget continues to play a quiet but impactful role in helping secure federal systems and protect Americans’ data from hackers.

Over the last 18 months, as the COVID-19 pandemic pushed agency networks to the brink, FedRAMP’s role in ensuring secure federal IT systems has become more critical than ever. It is FedRAMP certified solutions that have allowed for the rapid implementation of cloud-based tools across agencies to ensure that remote federal teams remain secure and productive.

With this as the backdrop, a recent U.S. Senate Homeland Security and Governmental Affairs Committee roundtable reviewed the program and areas for potential reform – specifically the bipartisan Federal Secure Cloud Improvement and Jobs Act introduced by Sens. Gary Peters (D-Mich.), Josh Hawley (R-Mo.), Maggie Hassan (D-N.H.) and Steve Daines (R-Mont.), which aims to codify the program and includes a series of important provisions – including encouraging the reuse and reciprocal treatment by agencies of cloud service providers’ existing security authorizations. The Sen. Peters legislation builds upon the House passed FedRAMP codification bill authored by Rep. Gerry Connolly (D-Va.). I was pleased to participate in this roundtable and to share my thoughts for reform with the committee.

FedRAMP’s mission is too critical for 'pass the hat' funding

As the FedRAMP program has grown in importance for agencies and industry partners, so too has the need to provide the program with resources requisite to its critical mission as the gateway to secure cloud for the federal government.  Without adequate resources – including funding and staff, the program simply does not have what it needs to meet the challenges and volume of requests from CSPs wanting to become FedRAMP certified.  In a way, the program is a victim of its own success, with an industry-wide recognition that to effectively sell IT solutions into the federal market, you must be certified.

While codifying FedRAMP will be an important step, the FedRAMP project management office (PMO) and Joint Authorization Board (JAB) teams must grow to meet the growing requirement for JAB and agency authorizations. And to grow, they need funding. Funding comes from appropriations, and you need a bill for appropriations.

And that brings us to another critical question – cost. The cost of FedRAMP authorization for CSPs is often a point of contention. Some critics suggest FedRAMP is too complex, and the controls are too onerous for smaller CSPs and that this complexity drives up the cost and limits the number of CSPs that can participate in the federal market. While it is true that FedRAMP can be costly, especially for those complex solutions, the cost of the government purchasing solutions with weak cybersecurity is far greater.  

Further, to address the needs of smaller providers, we need to acknowledge there are industry programs available to assist smaller, independent software vendors looking to achieve FedRAMP authorization in an efficient and cost-effective way. These programs make the process simple and achievable – especially when one recognizes that some of the complaints directed at FedRAMP are actually about the underlying federal security requirements that are not actually set by FedRAMP.

The FedRAMP program applies the National Institute of Standards and Technology and Federal Information Security Modernization Act standards – standards all CSPs are required to meet to do business with the government. With cyberattacks an ongoing problem, these standards are not a “nice-to-have,” they must be “table stakes” for CSPs, and if they cannot achieve these standards, they should not be selling to the government.

Eric Mill, senior advisor to the federal CIO at the Office of Management and Budget, affirmed FedRAMP’s important role during the roundtable: “We are relying on FedRAMP to help implement the president's executive order on cybersecurity, to support agencies as they migrate to a zero trust architecture and generally to accelerate the adoption of modern cloud tools that improve agency efficiency, and ultimately the public's experience with their government.”

The challenge is that the increase in remote work has also expanded the attack surface – agencies face increasingly sophisticated and relentless cyber threats. As a result, IT leaders must trust their cloud solutions – FedRAMP helps provide that assurance.

In addition to these considerations, the legislation establishes a Federal Secure Cloud Advisory Committee that will help track the program’s effectiveness, particularly when reusing FedRAMP authorizations.

At the end of the day, FedRAMP is a force multiplier for securing federal IT systems and networks. The program should be codified and funded, giving the FedRAMP PMO the ability to expand services and strengthen cyber defenses, and meet the needs of an increasingly digital government. It is these actions, at a minimum, that will ensure the federal government is prepared to meet today’s IT security challenges, as well as tomorrow’s.

CORRECTION: This article has been updated to correctly ascribe a quotation to Eric Mills at the Office of Management and Budget. The article originally credited the remarks to another roundtable participant.