
Highlights from OMB M-24-15: Modernizing the FedRAMP Program

Matt Chaiko

Lead Principal, Advisory Services, Coalfire

August 2, 2024

On July 25, 2024, the Office of Management and Budget (OMB) published OMB M-24-15: Modernizing the FedRAMP Program, which outlines OMB’s vision for the future of the FedRAMP program. First released as a draft for public comment in October 2023, this finalized memorandum details strategic changes to the FedRAMP program to ensure it continues to enable the Federal government to safely use the best of the commercial cloud marketplace for years to come. 

OMB is building its vision for the future around several new strategic goals and responsibilities for the FedRAMP program and agencies alike. Let’s take a look at some key takeaways from M-24-15 and how they could impact cloud service providers in the near future.

Program Authorizations

Can’t find an agency sponsor? Today, you can choose to go the FedRAMP Ready route or delay your FedRAMP efforts until you have a sponsor solidified. M-24-15 introduces a new authorization path called a “program authorization”. These authorizations are intended to allow the FedRAMP program to enable agencies to use a cloud product or service for which an agency sponsor has not been identified, but for which substantial Federal use could reasonably be expected were it to be authorized.

This may end up being one of the most impactful changes for CSPs, but it will take time for this process to fully materialize. The PMO plans to focus the initial rollout of program authorizations on helping JAB-authorized CSPs and CSPs prioritized by the JAB to transition away from the legacy JAB. CSPs with current or pending JAB authorizations that are not able to transition to an agency authorization will be prioritized for program authorizations.

This transition stage will likely require significant time and resources from the PMO, which already has a backlog of package reviews. Until the transition of JAB authorizations is complete, Coalfire recommends that CSPs continue to target agency sponsors and not rely solely on the new program authorization process.

Reducing the Need for “FedRAMP Versions” of Cloud Service Offerings

Most CSPs choose not to pursue FedRAMP authorization for their commercial (private sector) service offerings, and instead build a separate instance of their offerings on isolated infrastructure dedicated to customers requiring FedRAMP compliance. M-24-15 urges FedRAMP to incentivize CSPs to stop following this practice, and instead integrate FedRAMP security requirements into their core commercial services. 

OMB’s theory is that CSPs’ commercial cloud offerings receive more investment, better security maintenance, and more rapid feature development compared to dedicated Federal offerings. By incentivizing CSPs to uplift their commercial offerings to be FedRAMP compliant, the Federal government benefits from a better service offering, and the CSPs’ commercial customers benefit from the increased security.

Coalfire agrees with the OMB in theory and applauds this attempt but sees significant roadblocks to its success. CSPs create dedicated Federal offerings to comply with highly impactful federal requirements like FIPS 140-3 encryption, strict vulnerability remediation timelines, U.S. persons/citizens mandates, and restrictions on the use of non-FedRAMP authorized cloud services. Until it becomes financially advantageous for CSPs to apply FedRAMP requirements to their commercial offerings, implementing this strategic goal will be a significant challenge for the FedRAMP program.

Streamlining Processes through Automation

It is no secret that the FedRAMP program is actively working on ways to streamline the authorization process through automation. FedRAMP has been promoting OSCAL since its release by NIST in 2021 and has referenced automation in multiple blog posts and roadmaps since then. M-24-15 formally codifies automation as a requirement for a modernized FedRAMP program and sets deadlines for when the FedRAMP program and federal agencies must implement capabilities for producing, receiving, and ingesting FedRAMP authorization and continuous monitoring artifacts through automated, machine-readable means. 

However, there is still no defined deadline for when CSPs must start providing security packages and continuous monitoring artifacts using OSCAL (or any succeeding protocol identified by FedRAMP). 

For additional details on FedRAMP’s plans around automation, please see Coalfire’s May 2024 blog post, “FedRAMP Improvements: Balancing Speed with Security.”

Special Review

M-24-15 introduces the concept of a new specialized assessment of existing FedRAMP authorizations that the FedRAMP PMO itself can perform. The FedRAMP board must approve any special review and establish an expedited deadline for its completion. Reviews will be performed by a working group consisting of subject-matter experts from across the Federal Government selected by the FedRAMP Director and FedRAMP board. 

This working group will have the specific purpose of developing processes and goals tailored to the nature and technical architecture of the CSP, and will oversee the review of the CSP’s authorizations. An assessment report will be submitted to the FedRAMP Director and FedRAMP board, along with any recommended changes that should be required of the CSP to maintain a FedRAMP authorization.

M-24-15 does not provide details on what circumstances might trigger a specialized review. Coalfire suspects these reviews could be used in conjunction with the existing corrective action plan (CAP) process, or used for deeper assessments of CSPs with the highest volume of Federal agency customers.

Implementation Deadlines: 

  • January 21, 2025: Each agency must issue or update agency-wide policy that aligns with the requirements of M-24-15.
  • January 21, 2025: GSA will update FedRAMP’s continuous monitoring processes and associated documentation to reflect the principles in M-24-15.
  • March 2025 (Q2FY25), March 2026 (Q2FY26): For two years, FedRAMP will submit an annual plan detailing program activities for implementing the requirements in M-24-15.
  • July 2025: GSA will produce a plan, approved by the FedRAMP board and developed in consultation with industry, to structure FedRAMP to encourage the transition of Federal agencies away from the use of government-specific cloud infrastructure.
  • January 2026: GSA will establish a means for receiving FedRAMP authorization and continuous monitoring artifacts through automated, machine-readable means, to the extent possible. Some continuing reliance on documentation may be necessary where machine-readable representations are not possible.
  • July 2026: Agencies shall ensure that agency GRC and system-inventory tools can ingest and produce machine-readable authorization and continuous monitoring artifacts using OSCAL, or any succeeding protocol as identified by FedRAMP.