DOGE’s Mission and FedRAMP’s Future: What Comes Next?


FedRAMP: Where do we go from here?
The rumor mill is running strong right now on the future of FedRAMP®, but the truth is, nobody knows what is ultimately going to happen. There are two fundamental truths we can be sure of:
- FedRAMP is critical to achieving the mission of DOGE, which is to modernize Federal technology and software to maximize governmental efficiency and productivity.
- FedRAMP could be run more efficiently.
According to a recent GSA report, FedRAMP has saved taxpayers an estimated $700M over its lifetime when compared to the FISMA days, when every agency was responsible for its own security compliance. It was basically the wild, wild west of information security.
What did FedRAMP bring to the table to save all that money?
A centralized framework and third-party validation program that all agencies were required to adopt, which allowed a cloud service provider to go through a single security control validation assessment that could then be leveraged by every agency that wanted to use that cloud service.
This is the shining star of the program: the cost burden was put on the cloud service provider, and the agency had validation that the cloud service was secure. How very DOGE of them. And huge bonus points: as of the writing of this blog, there have been no publicly documented breaches directly attributed to cloud service providers that have achieved FedRAMP authorization. Everyone should be thanking FedRAMP right now.
Now where did FedRAMP go wrong?
They squashed much of that efficiency through months-long review processes that provided little value, and by requiring an agency sponsor before a cloud service could be listed in the FedRAMP marketplace.
Is there an easy fix?
Yes! If we could wave our magic wand, three things would appear (or disappear):
- FedRAMP Program Management Office (PMO) would continue to provide a centralized compliance framework, updating the requirements as the risks and threats to our government evolve. They would eliminate the PMO review process, which is redundant with the third-party assessment organization (3PAO) validation. It made sense at the beginning of the program, when 3PAOs were new and couldn’t fully be trusted, but the accreditation program has evolved since 2011 and it is A2LA’s responsibility to ensure quality.
- FedRAMP would eliminate the need for an agency sponsor to be in the FedRAMP marketplace. If the cloud service provider meets the FedRAMP-defined security baseline requirements, they would be allowed to sell to the federal government.
- System Security Plans (SSPs) and manual assessments go away. They are time-consuming, redundant, and cost-intensive. Industry, agencies, and the FedRAMP PMO should work together to identify the best way to automate this process and eliminate these manual steps, but not to the detriment of good security practices. Third-party validation should still play a part because, in our experience, agencies don’t want to be responsible for validation; they just want to understand risk. We all saw what happened when the DoD told DoD contractors to implement the NIST SP 800-171 requirements and asked them to self-attest, right? It was determined that very few contractors met the requirements and, voilà, CMMC was born. CMMC Level 2 and 3 require third-party validation (either through a C3PAO or an agency), and this year CMMC will be required for all DoD contractors to keep or bid on DoD contracts.
We’ve talked about what the FedRAMP PMO can do; now let’s talk about what cloud service providers should do. As a leading FedRAMP 3PAO and advisor, we are being asked this question many times a day, and our answer remains firm.
Cloud Service Providers
If you are a cloud service provider who has a solid business case for selling your service to the federal government, stay the course. There is no universe in which an agency is going to suddenly not care about securing federal data. The technical requirements aren’t going to become less stringent because FedRAMP lost funding. The risk to agencies isn’t going to decrease because of budget cuts. Waiting to see how things shake out only delays your go-to-market and your path to revenue. While government spending is under additional scrutiny, remember the mission of DOGE: bring technology and software to the government. You are exactly that, so once the dust settles, you should be there, ready and waiting for that RFP.
If you are a cloud service provider who has already been authorized and you are in the continuous monitoring phase, you should reach out to all your authorizing agencies and coordinate a joint monthly briefing or determine how they would like to proceed.
If you are a cloud service provider who is pursuing or has current DoD contracts, you should continue to meet all applicable DoD Cloud Computing Security Requirements Guide (CC SRG) and/or CMMC requirements. Nothing is changing for you currently.
If you still aren’t sure where to go from here, we’ve got you covered. Contact Coalfire and we are happy to walk this journey with you.
Join us at our 3rd annual RAMPcon event in Washington DC!
On June 9-10, Coalfire is hosting an intensive two-day conference at the Ronald Reagan building where industry leaders, government officials, and compliance experts converge to explore the evolving landscape of FedRAMP and public sector compliance. This event features technical deep-dives, business strategy sessions, and expert panels addressing the most pressing challenges and opportunities in public sector cloud security.