Tech-sector trade group Alliance for Digital Innovation (ADI) is calling on Federal technology leaders to boost funding for the Federal Risk and Authorization Management Program (FedRAMP) through allocations from the Federal Citizen Services Fund (FCSF), which is maintained by the General Services Administration (GSA), the agency that also oversees FedRAMP.
The 11-year-old FedRAMP program is operated by GSA to provide a standardized, government-wide approach to security assessment, authorization, and continuous monitoring for cloud products and services used by Federal government agencies.
In a Feb. 1 letter to GSA Administrator Robin Carnahan and Office of Management and Budget (OMB) Director Shalanda Young, ADI hailed the approval by Congress in December of legislation to codify the FedRAMP program into law and make a slew of improvements to the program.
Those include reducing duplication of security assessments, promoting the re-use of already certified cloud services, automating assessment processes, and establishing a Federal Secure Cloud Advisory Committee for coordinating the acquisition and adoption of cloud services by the government.
What the legislation did not specify, however, is any new funding target for the program, or where new money might come from so the program can expand its ability to evaluate private sector cloud services for government use.
ADI – which counts as members tech giants such as Amazon Web Services and Google Cloud – recounted in the Feb. 1 letter how Federal agencies have been increasingly adopting cloud services, while FedRAMP remains “woefully underfunded and has not grown at the pace of agency cloud adoption.”
The trade group offered a long list of recommendations for program activities going forward, and said that to make those changes, “the FedRAMP PMO will require additional sustained resources from its 2022 baseline budget.”
“Fortunately, the Consolidated Appropriations Act of 2023 (FY23 Omnibus) provided GSA with a significant $35 million funding increase in the Federal Citizen Services Fund (FCSF),” the group said. “Additionally, the FY23 Omnibus included language allowing agencies to transfer unused, end-of-year funding into the FCSF for government-wide programs like FedRAMP.”
“The FedRAMP PMO should leverage these additional resources to invest in technical personnel, tools that can provide automation and continuous monitoring, wider adoption of Open Security Controls Assessment Language (OSCAL), and teams that can assist agencies in authorizing new cloud products and services,” ADI urged.
“The speed of technological innovation is not slowing down,” ADI said. “Agency leadership and mission owners will continue to demand access to the latest technology to meet the needs of the American people. Therefore, FedRAMP must evolve to become a risk management and authorization program that supports the expanding and dynamic technology needs of our digital government. The recent authorizing legislation provides the framework to reimagine FedRAMP in a way that keeps up with constantly accelerating demand and flexes to meet agency needs.”
Ross Nodurft, ADI’s executive director, commented, “The FedRAMP Authorization Act and the accompanying money from Congress represent the beginning of long-needed investments in the FedRAMP Program. GSA has done what it can with the authorities and limited resources; but the Administration has a clear remit from Congress to invest in the program and build a risk management structure that can support rapid, robust digital transformation and movement to cloud services.”
“The Alliance for Digital Innovation is invested in working with GSA and OMB and other stakeholders to build a flexible, long-term program that allows federal agencies to manage their risk while lowering the barrier to entry for commercial, modern cloud solutions,” he said.
ADI’s letter features numerous recommendations for FedRAMP going forward, including:
- Encouraging a new look at risk management on security control baselines;
- Incentivizing agencies to sponsor new cloud services and solutions;
- Requiring all new security compliance programs across the government to build in reciprocity with FedRAMP;
- Driving governance, objectivity, and consistency across the technical review process;
- Adding additional industry members to the new Federal Secure Cloud Advisory Committee;
- Building transparency into the FedRAMP PMO reporting process;
- Considering actions to lower the barriers to entry into the Federal marketplace for “small, innovative cloud businesses”;
- Providing multiple pathways for product improvements, modifications, and additions;
- Opening the marketplace to solutions that are in the process of becoming eligible for FedRAMP authorization;
- Holding government off-the-shelf technology to the same standard as commercial off-the-shelf technology; and
- Appointing a FedRAMP coordinator at each Federal agency and resourcing them effectively.