The Office of Management and Budget (OMB) will be unveiling proposed new guidance for the General Services Administration’s (GSA) FedRAMP (Federal Risk and Authorization Management Program) program on Friday morning.
The 11-year-old FedRAMP program is operated by GSA to provide a standardized, government-wide approach to security assessment, authorization, and continuous monitoring for cloud products and services used by Federal government agencies.
The notice of the pending guidance release came from OMB today in the form of a Federal Register notice. The guidance document should be available for public viewing early Friday morning.
OMB will be seeking comment on the proposed guidance, which is titled “Modernizing the Federal Risk Authorization Management Program (FedRAMP).”
The incoming guidance from OMB is required under the FedRAMP Authorization Act approved by Congress late last year as part of the fiscal year (FY) 2023 National Defense Authorization Act (NDAA).
The FedRAMP Authorization Act, as enacted, codified the FedRAMP program into Federal law. The law also:
- Aims to encourage reuse of security assessments and other obstacles to agency adoption of cloud products by establishing a “presumption of adequacy” for cloud technologies that have received FedRAMP certification;
- Facilitates the use of cloud technologies that have already received an authorization-to-operate (ATO) by requiring agencies to check a centralized and secure repository and, to the extent practicable, reuse any existing security assessment before conducting their own;
- Requires that GSA work toward automating its processes, which will lead to more standard security assessments and continuous monitoring of cloud offerings, and increased efficiency for both providers and agencies; and
- Establishes a Federal Secure Cloud Advisory Committee to ensure dialogue among GSA, agency cybersecurity and procurement officials, and industry for effective and ongoing coordination in acquisition and adoption of cloud products by the Federal government.
In its Federal Register pre-publication notice today, OMB said the law enacted late last year “provides for OMB to issue guidance to define the categories of cloud products and services within the scope of the FedRAMP program and to describe additional responsibilities of the FedRAMP Program Management Office (PMO) and Board beyond those assigned by the Act.”
“OMB also has a general responsibility under the Act to oversee the effectiveness of FedRAMP and to encourage consistency in agencies’ adoption and use of secure cloud services,” the agency said.
“The proposed memorandum would support the Biden-Harris Administration’s goals for modernizing Federal information technology and has been prepared by the Office of Management and Budget in consultation with key stakeholders,” OMB said.
Industry observers are looking to the new OMB guidance for developments in several areas including how the FedRAMP program can hasten work on a backlog of applications, require automation, and comment on topics including risk acceptance and presumptions of adequacy.
