FedRAMP Modernization – November 20
DWPA Staff on November 20, 2023
The Office of Management and Budget (OMB) released a draft memorandum on October 27, 2023, outlining its recommendations for modernizing the Federal Risk and Authorization Management Program (FedRAMP). The OMB’s recommendations for modernizing FedRAMP are significant, as they reflect a recognition that the program needs to be updated to keep up with the evolving cloud computing landscape. If the recommendations are implemented, they could make it easier for agencies to adopt cloud services, drive innovation and improve the overall security of the federal government’s cloud computing environment. In addition, the recommendations could reduce the time, energy and perhaps cost of entry into the Federal government for cloud-based technology companies. A potential win-win for Government and Industry.
The need for speed and innovation
OMB and the FedRAMP program office recognize that our government must move faster to remain competitive and to stay ahead of our adversaries. Software as a Service (SaaS) remains the fastest growing segment within government cloud acquisitions. The US government is increasing its adoption of SaaS applications at a rapid pace. In 2022, US federal agencies spent a record $6.1 billion on cloud-based and SaaS applications, and this number is expected to continue to grow in the coming years. Factors driving this growth include the need to improve efficiency and reduce costs, the desire to increase agility and innovation, and the need to improve security. At the same time, the introduction of new technologies and innovations such as Security, Artificial Intelligence, Machine Learning, and Back Office Automation has exploded. The Artificial Intelligence (AI) market is a great example. As of November 2023, there were approximately 18,000 AI companies based in the United States. This number has been growing rapidly in recent years, as AI technology has become increasingly powerful and accessible. Factors driving the growth of AI in the commercial and Public Sector markets include improved efficiency and reduced costs, the desire to increase agility and innovation, and the need to improve security. SaaS providers typically have more resources and expertise in security than government agencies, which can help to protect government data from cyberattacks.
The OMB recommendations are intended to accelerate the adoption of new technologies by the government.
OMB key recommendations in the draft memo:
- Become more responsive to the risk profiles of individual services, as well as evolving risks throughout the cyber environment. This would involve developing a more risk-based approach to FedRAMP authorizations and considering the unique needs of each cloud service.
- Increase the quantity of products and services receiving FedRAMP authorizations by bringing agencies together to evaluate the security of cloud offerings and strongly incentivizing reuse of one FedRAMP authorization by multiple agencies. There is also language around “No Sponsor” accreditations and the ability for companies to implement “Proof of Concepts” for up to 1 year for non-FedRAMP-compliant offerings. This would involve streamlining the authorization process for businesses and making it easier for agencies to adopt cloud services. The PMO would need to determine the minimum number of security controls that must be implemented and the criteria under which the two approaches can be used.
- Streamline the authorization process by automating appropriate portions of security evaluations, consistent with industry best practices. This would involve using technology to reduce the manual burden of FedRAMP assessments and make them more efficient. The adoption of technologies and the refinement of approaches (OSCAL, Continuous Monitoring) should make Agencies more receptive to sponsoring new technologies.
- Improve sharing of information with the private sector, including emerging threats and best practices. This would help to ensure that both the government and the private sector are working together to protect cloud-based systems from cyber threats.
In addition to these general recommendations, the draft memo also includes specific recommendations for improving FedRAMP’s approach to continuous monitoring, security controls, and risk assessments.
The OMB’s recommendations for modernizing FedRAMP are significant, as they reflect a recognition that the program needs to be updated to keep up with the evolving cloud computing landscape. If the recommendations are implemented, they could make it easier for agencies to adopt cloud services and improve the overall security of the federal government’s cloud computing environment.
FedRAMP Accreditation = Success?
Congratulations, your company has invested the required energy, time, and capital to achieve FedRAMP accreditation. This is not an easy feat, but you now have an enterprise-class offering which will be recognized not only by your potential customers in the Federal Government but also by the commercial markets that you serve (regulatory markets, retail, etc.). However, this does not guarantee your success in the Federal market. Understanding the nuances of the market is the difference between success and failure in this marketplace.
Failure to develop a business case
Many companies that attempt to enter the Federal market fail because they didn’t develop a business case. They fail because they don’t understand the dynamics of the Federal Government market or the unique mission of the customers well enough to secure sales, let alone gain market share; fail to understand their competitors and their incumbency positions and/or existing contract vehicles; or fail to adapt their business model and/or understand and comply with regulatory hurdles. Understanding your total addressable market within Federal is critical; it should be the first thing a business does before entering the market.
By developing a business case, companies can identify and mitigate the risks associated with entering a new market. They can also ensure that they have the resources and capabilities necessary to be successful.
Deep Water Point and Associates (DWPA) provides a third-party, unbiased market/business justification for companies wanting to enter the Federal marketplace. DWPA provides end-to-end services to accelerate client growth in the areas of market research and intelligence, strategy and management consulting, and business development services across the entire growth lifecycle. This is why so many businesses rely on the expertise of Deep Water Point and Associates to accelerate their understanding, entry and growth within the Federal marketplace.
For more information, go to https://dwpassociates.com/ or contact Tom Ruff at tom.ruff@dwpassociates.com