Updated FedRAMP Roadmap Creates New Authorization Paths for Government Cloud Service Providers


James Masella

VP, Compliance Advisory, Coalfire

April 22, 2024

The General Services Administration (GSA) released an updated roadmap for the Federal Risk and Authorization Management Program (FedRAMP). The new roadmap was announced during the Federal Secure Cloud Advisory Committee (FSCAC) monthly meeting by Eric Mill, the Executive Director for Cloud Strategy at GSA. 

The new roadmap aims to enhance the efficiency and effectiveness of the FedRAMP process, making it easier for government agencies to adopt and use cloud technologies while ensuring the security of their data. It includes several key updates and improvements that will benefit both cloud service providers (CSPs) and government agencies.

One of the notable changes in the roadmap is the introduction of new authorization paths. Since FedRAMP is an authorization by the federal government to use cloud services, it is often the biggest hurdle CSPs must clear to access the federal market.

Paths to FedRAMP Authorization

Previously, there have been two paths to authorization: the legacy Joint Authorization Board (JAB) and the agency path. Both paths have become bottlenecks to getting more secure cloud services to the FedRAMP marketplace for different reasons.

JAB Path

The now legacy JAB path to a provisional authorization to operate (P-ATO) required that cloud service providers already have significant demand from the federal government to even seek authorization. 

The JAB prioritization process, necessitated by the relatively small size and bandwidth of the JAB itself, made it very difficult for new technologies to enter the marketplace. Only a relatively small number of CSPs could feasibly reach authorization each year, making this a very difficult path to authorization. As of this year, no new cloud service providers have been prioritized for this authorization path.

With the implementation of the latest NDAA and “FedRAMP Law,” there is a huge opportunity to stand up a FedRAMP board with quicker processes and broader agency participation. Combined with automation to speed up the tasks associated with security package reviews, this should increase authorization review throughput and get more cloud services to P-ATO. The roadmap calls for a “low-review” process and the formation of initial joint authorization groups, which could ease this authorization bottleneck.

“Sponsorship” Path

The more common authorization path, securing a federal agency to “sponsor” a CSP, has also had its challenges. Many agencies are reluctant to be the initial authorizing agency, even though their responsibilities are no different from those of any other agency that issues an authorization to operate (ATO) letter for that cloud service.

Common misconceptions that prevent agencies from taking a CSP through this path are the assumption that the agency is accepting risk for the entire federal government (it is not) or that the level of effort is too high (it is not; generally less than 120 person-hours the first year and 80 person-hours annually thereafter for continuous monitoring). It is true that many agencies add their own requirements, though these are often redundant with the existing FedRAMP requirements and unnecessary.

Fixing the issues with the agency path of authorization, perhaps bringing back a version of the old “CSP Supplied” designation, will go a long way in getting more cloud services to the FedRAMP marketplace.

The Cost of FedRAMP Certification

During the April FSCAC meeting, Drew Myklegard, Deputy Federal CIO at OMB, expressed the desire to better understand the cost of obtaining FedRAMP, especially for small businesses. 

Of course, this is another huge hurdle for CSPs seeking to enter the federal market. The cost of building, resourcing, procuring software licenses, configuring, patching, assessing, and continuously monitoring a cloud service that meets FedRAMP requirements can conservatively run into the millions of dollars in year one and hundreds of thousands of dollars annually. 

As was discussed during the meeting, the business case is often a difficult sell to boards, even when a CSP's commercial products are successful, because of the challenge of guaranteeing a return in federal contracts on these large investments. And time is a killer.

With the authorization process typically taking 12 to 18 months, costs mount quickly for CSPs. For startups, this financial challenge can be insurmountable, which limits the government’s access to emerging technologies. Accelerating the authorization and continuous monitoring processes through automation can go a long way toward reducing this barrier to entry for modern cloud services in government.

Closing Thoughts On the Updated FedRAMP Roadmap

Overall, the updated roadmap for FedRAMP is a positive development for both CSPs and government agencies. It provides a more flexible and efficient approach to authorization, improves the focus on continuous monitoring and ongoing compliance, provides more well-defined and consistent guidance to cloud service providers, and enhances the usability of the FedRAMP marketplace. 

Continuing to work with the FSCAC to address the challenges “on the ground” with the FedRAMP program will be invaluable to filling in the details necessary to improve the program going forward. These updates will contribute to the adoption of secure cloud technologies within the government and promote the modernization of IT systems across federal agencies.

In conclusion, the recent FedRAMP roadmap from GSA is a step forward in strengthening the security and efficiency of cloud services used by government agencies. 

The updates and improvements outlined in the roadmap will help to streamline the authorization process, enhance continuous monitoring, and provide agencies with better access to authorized cloud services. This will ultimately support the government's efforts to leverage the benefits of cloud computing while ensuring the protection of sensitive data.