FedRAMP Authorization Act
FedRAMP provides a standardized approach to security authorizations for Cloud Service Offerings within the Federal ecosystem and is a crucial cybersecurity certification that cloud service providers must obtain prior to working with U.S. government data. Gaining this certification in advance means placement in the FedRAMP marketplace, from which government divisions and agencies can choose a provider at the level of security they choose.
Cloud Service providers have a multi-billion dollar federal market to address with some clarity on security requirements.
President Joe Biden has signed a legislation that will reform the Federal Risk and Authorization Management Program (FedRAMP), a cybersecurity authorization program, as part of the National Defense Authorization Act (NDAA). The act is designed to promote the federal implementation of FedRAMP government wide.
The latest iteration of FedRAMP Authorization Act makes sure that the FedRAMP program has a board to continue improving the quality and shorten the time for a Cloud Service Provider (CSP) to attain an Authorization to Operate (ATO). The act also creates a new cloud advisory committee consisting of five representatives from cloud service companies with the specification that two of those positions will be filled by small cloud vendors.
Why is this important to cloud service providers (CSPs)?
There are hundreds if not thousands of cloud service providers who need to be FedRAMP certified and the journey for many has been long with millions of dollars in investment. The old rules made it difficult to cross sell to federal agencies as each agency can have additional security requirements extending the sales process.
One of the most significant aspects of the FedRAMP reform language is a “presumption of adequacy” clause, which would allow FedRAMP-authorized tools to be used by any federal agency without additional cost, or time increasing CSPs market size.
The cloud advisory board will have voice of the CSPs’ making the rules relevant and effective for continuous compliance and ensure highest level of data protection. The shortage of 3PAOs increased the assessment timelines and the single assessment approach will free up 3PAO’s to get more CSPs certified.
If a CSP wants to make a business case to pursue the Federal market, they can start with the NIST controls benchmark with approved FedRAMP services from GCP, AWS and Azure GovCloud instances. Once they complete their readiness and demonstrate compliance to NIST 800-53 controls, they can now find a 3PAO to validate the controls and submit the package to FedRAMP board for approval. Once approved, they are listed, and every Federal agency can now subscribe to the service. A FedRAMP certified CSP has demonstrated highest security control implementation and monitoring eliminating the need to chase less known commercial security certifications. FedRAMP has now millions of dollars in funding to market its program to State agencies. Many states are adopting FedRAMP as their security framework and this only increases the addressable market.