FedRAMP Revamp: OMB Publishes Memorandum Contemplating Sweeping Changes to Federal Government Cloud Procurement Security Standards and Strategy

On July 25, 2024 the Office of Management and Budget (OMB) issued Memorandum M-24-15, Modernizing the Federal Risk Authorization Management Program (FedRAMP) (the Memo).  The Memo proposes substantial updates to FedRAMP, replacing the December 2011 memorandum (2011 Memo) that established FedRAMP as the government-wide security and risk assessments program for cloud services providers (CSPs) supporting federal government operations.

The Memo sets forth a plan to scale FedRAMP, strengthen its approach to security review, and accelerate the adoption of cloud products and services in the federal government.  The proposed changes are designed to modernize FedRAMP, tailoring it to fit the contemporary cloud marketplace that is increasingly dominated by Software-as-a-Service (SaaS) cloud offerings.

The Memo also states that the federal government intends to transition away from using separate, government-specific cloud offerings.  Going forward the government will incentivize cloud providers to bring their core, commercial offerings into compliance with FedRAMP practices so they are available for government use. 

New requirements and key changes to the FedRAMP program proposed in the Memo are summarized below.

Defining Which Cloud Services Require FedRAMP Authorization

The Memo clarifies which cloud services are subject to FedRAMP, defining FedRAMP’s scope as “cloud computing products and services (such as [Infrastructure-as-a-Service] (IaaS), Platform-as-a-Service (PaaS), and SaaS) that create, collect, process, store, or maintain Federal information on behalf of a Federal agency, and that are not otherwise specified as out of scope . . . .”   The Memo identifies the below services as out of scope:

• Information systems that are only used for a single agency’s operations, hosted on cloud infrastructure or platform, and are not offered as a shared service or do not operate with a shared responsibility model;
• Social media and communications platforms used in accordance with agency social media policies;
• Search engines;
• Widely available services that provide commercially available information to agencies, but do not collect Federal information;
• Ancillary services whose compromise would pose a negligible risk to Federal information or information systems, such as systems that make external measurements or only ingest information from other publicly available services; and
• Any other categories of products or services identified for exclusion by the FedRAMP Board, with the concurrence of the Federal CIO.

The Memo does not define “federal information,” but does explain that FedRAMP’s scope “applies only to information systems that process unclassified information and are not national security systems as defined in 44 U.S.C. § 3552 [i.e., systems dedicated to intelligence and military functions].”

The Memo’s scoping guidance significantly narrows the range of FedRAMP’s applicability versus the 2011 Memo, which stated that FedRAMP broadly applied to “[a]ll cloud deployment models” and “[a]ll cloud service models.” 

Revamping the FedRAMP Authorization Process

Currently, FedRAMP provides two paths to authorization for cloud providers:  single agency sponsorship or Joint Authorization Board (JAB) authorization.  In order to promote efficiency, security, and increased authorization availability, the Memo proposes several changes to the authorization process, including:

• A third path to authorization, the “joint-agency authorization,” allowing two or more agencies to pool resources to sponsor a cloud offering.
• A mandatory “presumption of adequacy,” requiring agencies to presume that authorization documentation is adequate in evaluating a cloud service or product that has an active FedRAMP authorization or that relies upon/inherits security controls from a cloud service or product with an active authorization, so long as the sought authorization is at or below the FedRAMP impact level (i.e., Low, Moderate, or High) that applies to the active authorization.
• Trial FedRAMP authorizations, allowing agencies to pilot cloud offerings that are not fully authorized for up to 12 months.
• Updating and streamlining the FedRAMP security baselines and control selection process to focus on the most salient threats.
• Developing criteria to prioritize cloud offerings that are aligned with agency demand and the government’s overall cloud procurement strategy (for example, prioritizing shared commercial platforms that are not government-only, as discussed above).
• The introduction of “intensive, expert-led” red-team assessments as a component of the authorization or continuous monitoring processes.

Streamlining the Assessment Process

The Memo directs the General Services Administration (GSA) to establish a means of automating FedRAMP security assessments and reviews.  To facilitate automation, the Memo contemplates requiring CSPs to provide FedRAMP Authorization or Continuous Monitoring artifacts in machine-readable format and through application programming interfaces (APIs) “to the extent feasible.” 

The Memo also directs the FedRAMP Program Management Office (PMO) and the FedRAMP Board to “explore” the use of Artificial Intelligence (AI) in the FedRAMP security assessment and continuous monitoring process, beginning with a pilot program to determine feasibility and scalability.

In addition to automation, the Memo states that FedRAMP must establish criteria allowing cloud providers to submit “external security framework” certifications or assessment results in lieu of undergoing a full FedRAMP assessment.  The Memo does not define “external security frameworks” but does clarify the criteria should focus on “accepting widely recognized external security frameworks” applicable to cloud products and services.

Updates to Continuous Monitoring

The FedRAMP PMO is “encouraged” to develop a standardized Continuous Monitoring framework in consultation with the Cybersecurity and Infrastructure Security Agency (CISA), the OMB, and the Department of Homeland Security (DHS), including by:

• Updating incident response procedures applicable to cloud providers.
• Redesigning the change management process to allow CSPs to make changes to their products and services without requiring advance approval from FedRAMP or the sponsoring agency.
• Sharing risk and threat detection data with CISA.
• Structuring the framework to avoid incentivizing government-only cloud offerings. Specifically, the Memo states that “[i[n general, to encourage both security and agility, Federal agencies should use the same infrastructure relied on by the rest of CSPs’ commercial customer base.”

Changes to FedRAMP Governance

The Memo also clarifies the FedRAMP leadership and management structure:

• GSA, as the operator of the FedRAMP PMO, is charged with responsibility of the bulk of the changes contemplated by the Memo, including by defining core FedRAMP security authorization requirements.
• The FedRAMP board is directed to coordinate inter-agency FedRAMP activities and with establishing and updating FedRAMP assessment materials.
• The newly-created FedRAMP Technical Advisory Group (TAG), made up of “several” technical experts selected from federal government employees, will provide technical advice to the existing FedRAMP Board.
• Federal agencies are instructed to collect and report FedRAMP metrics; include GSA-established FedRAMP authorization requirements in relevant government contracts; and ensure that agency governance, risk, and compliance (GRC) tools and system inventory tools can produce, transmit, and ingest machine readable authorization artifacts using Open Security Controls Assessment Language (OSCAL) or any succeeding machine-readable formats.
• The National Institutes of Standards and Technology (NIST) is instructed to support automation of security assessment, continuous monitoring, and other FedRAMP processes in alignment with NIST Special Publication 800-37.

Implementation Timeline

Within 180 days of the Memo’s issuance (i.e., by January 21, 2025):

• Each federal agency is directed to issue an agency-wide policy aligned with the Memo.
• GSA is directed to update FedRAMP’s continuous monitoring processes to align with the Memo.

Within 1 year of the Memo’s issuance (i.e., by July 25, 2025), GSA must create a plan to modify FedRAMP “to encourage the transition of Federal agencies away from the use of Government-specific cloud infrastructure.”  GSA is to create this plan in consultation with industry and the FedRAMP Board.

Within 18 months of the Memo’s issuance (i.e., by January 21, 2026), GSA must implement procedures to receive FedRAMP authorization and continuous monitoring artifacts through “automated, machine-readable means, to the extent possible.”

Within 24 months of the Memo’s issuance (i.e., by July 25, 2026), agencies must implement OSCAL compatibility for agency GRC and system-inventory tools.

Considerations for Industry

Cloud service providers with active FedRAMP authorizations should consider:

• Monitoring FedRAMP and agency communications for any changes to FedRAMP continuous monitoring or incident response obligations.
• Exploring the feasibility of submitting continuous monitoring artifacts in machine-readable format.

Cloud service providers with pending FedRAMP authorizations, or that are considering pursuing FedRAMP authorization, should consider:

• Reviewing the Memo’s revised, narrower FedRAMP scope to determine whether their cloud offering requires FedRAMP authorization.
• Exploring the expanded paths to authorization, including joint-agency sponsorship and trial authorizations.
• If developing a government-specific cloud offering, modifying or pausing development in light of the Memo’s directive for agencies to move away from government-only cloud products and services.

Additionally, AI firms should consider monitoring updates on the FedRAMP AI assessment pilot program for contracting or business development opportunities.