OMB rewrites cloud buying rulebook
The FedRAMP program received its first major update in more than a decade
The White House revamped the federal government cloud buying policy Friday, giving the Federal Risk and Authorization Management Program's first major update since its launch in 2011.
The new guidance issued July 26 was required under legislation enshrining the FedRAMP program into law, and also purports to be "responsive to developments in federal cybersecurity and substantial changes to the commercial cloud marketplace that have occurred since the program was established."
One of the key changes in the marketplace is the explosion of cloud-based software. When the program launched in 2011, agencies were looking to cloud to provide infrastructure on-demand. The program is looking to widen its aperture and extend capacity to meet the challenge of vetting software-as-a-service products for federal government use. An oversight report released earlier this year dinged the General Services Administration for the slow pace of process improvements to the program.
Program updates include streamlining the security assessment process to facilitate the reuse of existing assessments as well as cross-agency reciprocity, leaning into automation to allow for machine-to-machine communication of security documentation and a push to grow the program by providing additional authorization pathways for vendors and agencies.
“This highly anticipated guidance further equips GSA to make it safe and easy for federal agencies to deploy state-of-the-art technology to deliver better service to the American people," agency administrator Robin Carnahan said in a statement.
The contents of the new guidance won't come as a surprise to federal technology buyers or vendors; draft guidance was circulated for comment late last year and the process of retooling FedRAMP has been in the works since the 2022 passage of authorizing legislation in the National Defense Authorization Act.
Rep. Gerry Connolly, D-Va., the sponsor of the legislation, told an industry audience earlier this month the FedRAMP program was in "limbo" pending OMB guidance. Today, he applauded the news of the guidance required under his bill.
"Today’s release of OMB’s official FedRAMP guidance is good news for federal agencies and the stakeholders who rely on the FedRAMP process," Connolly said in an emailed statement. "Implementation of the FedRAMP Authorization Act and continued improvements to FedRAMP will ensure the program is executing its mission of cloud safety and security for federal agencies in a way that does not sacrifice the efficiency and accessibility that stakeholders need to engage with the federal government."