After 11 years, FedRAMP is now the law
Among the many provisions contained within the thousands of pages of the National Defense Authorization Act (NDAA) signed into law by President Biden on December 28 is the codification of the Federal Risk and Authorization Management Program (FedRAMP), formalizing in legislation the primary mechanism upon which federal agencies rely to acquire cloud computing services. First established in 2011 in an official memorandum from the Office of Management and Budget (OMB), the program sought to ensure that all cloud computing services sold to the federal government satisfied at least a minimum set of security requirements, verified by explicitly accredited third-party assessment organizations (3PAOs) to provide an independent examination of the extent to which each cloud service provider (CSP) has effectively implemented the security controls required. In much the same way that federal systems and data centers are required to obtain an authorization to operate (ATO) before agencies can use them, the FedRAMP program grants authorizations either from a sponsoring agency or from the Joint Authorization Board (JAB), with representation from the General Services Administration (GSA), Department of Homeland Security (DHS), and Department of Defense (DoD). What was unusual about FedRAMP when it was established is that it gave cloud service providers the opportunity to obtain an official government ATO even without a federal contract in place. With FedRAMP authorization now a go-to-market requirement for cloud vendors seeking to serve government customers, it’s not surprising that the program has produced a lot of authorized services — nearly 300 services were FedRAMP authorized at the end of 2022, with more than 100 other services actively engaged in the authorization process.
It’s not entirely clear if simply codifying FedRAMP will have a noticeable impact on the program or the way it operates, but the bill introduced in early 2021 (as the “FedRAMP Authorization Act”) assigns GSA the statutory authority to “establish a governmentwide program that provides the authoritative standardized approach to security assessment and authorization for cloud computing products and services that process unclassified information used by agencies.” It also formalizes the FedRAMP Program Management Office to implement and administer the program and the Joint Authorization Board to make authorization decisions about cloud service providers using the results of independent security control assessments. The text of the bill includes language intended to reduce the time and level of effort required to obtain and maintain FedRAMP authorization, including through increased use of automation for security assessments, authorization decisions, and continuous monitoring of FedRAMP authorized services. These provisions are presumably a result of the frustration among federal agencies and cloud service providers regarding the work and time (and associated cost) required to produce all the documentation required under FedRAMP and complete initial and annual assessments and compliance reviews. The focus on automation and efficiency may be a nod to ongoing efforts such as NIST’s Open Security Controls Assessment Language (OSCAL) as a technical standard to enable automated security assessments and other risk management activities. At least one FedRAMP CSP has successfully submitted a set of FedRAMP assessment documentation using the OSCAL format, although the vast majority of ATO requests and assessments are still completed using Word and Excel templates uploaded to the FedRAMP PMO’s online repository.
One noteworthy change to FedRAMP contained in the new legislation is an explicit “presumption of adequacy” of a FedRAMP authorization, a provision designed to encourage reciprocity among agency FedRAMP authorizations and to move closer to the original FedRAMP vision of authorizing a cloud service once and reusing that authorization many times across the government. The law here is essentially saying that a federal agency should view a successful FedRAMP authorization as adequate for the agency’s own authorization determination. It does not appear that federal agencies are obligated to ignore any agency-specific requirements or standards they may have that exceed the FedRAMP baselines on which FedRAMP authorizations are based, but many agencies currently consider FedRAMP authorization as necessary but not sufficient to warrant an authorization to operate. FedRAMP as first envisioned was supposed to provide a minimum security standard, but shifting to a position that presumes that minimum level of security should satisfy every agency’s risk tolerance suggests a fundamental misunderstanding of risk management principles and of differing agency opinions about data sensitivity and system criticality. Even within certain business domains many agencies do not agree on the level of security protection that should be applied. For example, the Department of Veterans Affairs (VA) and Centers for Medicare and Medicaid Services (CMS) both handle protected health information (PHI) on their beneficiaries, but VA assigns a “high” security categorization to data it holds such as veteran medical records while CMS assigns a “moderate” categorization to similar types of data it maintains on Medicare and Medicaid recipients. 
Cloud service providers looking to sell cloud infrastructure services or software-as-a-service (SaaS) applications for use by government agencies have little alternative but to seek FedRAMP high authorizations to appeal to the broadest set of government customers they can, but even with a FedRAMP high authorization many agencies still impose additional requirements on CSPs before they authorize cloud services for use. Any presumption of adequacy should also require cloud service providers to be more diligent about maintaining their ongoing FedRAMP authorization status in a way that mitigates concerns agencies may have about ensuring implemented controls remain at least as effective as they were at the point in time when their ATOs were first granted. Cloud services are subject to threats, vulnerabilities, patches, updates, and enhancements just as any conventional systems or services are, but agencies using FedRAMP-authorized services rarely have access to operational performance and security metrics on a real-time basis. Instead of continuous monitoring, many agencies rely on regular reviews of CSP plans of action and milestones (POA&Ms) to learn what weaknesses or vulnerabilities their CSPs are working to address. It is not uncommon for CSPs to report on dozens or even hundreds of POA&M corrective actions, so each agency has to make its own determination about the risk of using a given cloud service based on how well the CSP is managing its ongoing authorization.
To security practitioners, the use of the word “adequate” in the law is likely to be both unsatisfying and completely expected. There is of course no such thing as “perfect” security, and any adjective connoting higher or stronger levels of protection suffers from problems of subjective interpretation. The standard of “adequate security” for federal government data and systems predates even the Federal Information Security Management Act of 2002 (FISMA) that prompted most of the official standards and guidance from NIST that agencies must rely on to manage their security activities. The need for adequate security (and, incidentally, the need to formally authorize federal systems every three years) stems from OMB Circular A-130, released in 2000, that gave explicit instructions to executive agencies on implementing provisions of the Information Technology Management Reform Act of 1996, more familiarly known as the Clinger-Cohen Act. Given the current threat environment most federal agencies face, it might be nice to see security-focused legislation aiming a little higher, but perhaps FedRAMP isn’t the appropriate mechanism for that. The FedRAMP Authorization Act does create a new federal secure cloud advisory committee focused on determining ways to increase adoption and use of FedRAMP services and to both increase the number of services authorized and reduce the cost of FedRAMP authorization to agencies and to CSPs. The committee is apparently not tasked with identifying or recommending ways to make cloud services used by the government more secure.