On July 25, 2024, the White House Office of Management and Budget (OMB) released M-24-15, “Modernizing the Federal Risk and Authorization Management Program (FedRAMP),” which outlined four strategic goals, one of which related to FedRAMP authorizations: “Rapidly increase the size of the FedRAMP Marketplace by evolving and offering additional FedRAMP Authorization Paths.” As part of this strategic goal, “FedRAMP will develop alternative authorization paths for cloud computing products and services, beyond those described in this document, that embrace risk management principles, consistent with National Institute of Standards and Technology (NIST) standards and guidelines, and provide flexibility to agencies.”
The FedRAMP Authorization Process
In order for a Cloud Service Offering (CSO) to be listed on the FedRAMP Marketplace, it must meet the rigorous requirements defined by the FedRAMP program. These requirements consist of the controls defined in NIST 800-53, Revision 5, “Security and Privacy Controls for Information Systems and Organizations,” plus FedRAMP program-specific requirements. CSOs are assessed by an accredited Third-Party Assessment Organization (3PAO).
A CSO is considered FedRAMP authorized once it has completed an assessment by a 3PAO, been issued an agency authorization (for the agency path), had its authorization package meticulously reviewed by the FedRAMP Program Management Office (PMO), and been listed on the FedRAMP Marketplace. FedRAMP authorized status certifies that the CSO has completed the assessment process, achieved a defined level of programmatic and technical security, and is considered “presumptively adequate for use by Federal agencies.” This presumption of adequacy is upheld only as long as the cloud service provider (CSP) continually maintains and monitors the security posture of the system through the FedRAMP continuous monitoring process.
FedRAMP Authorization Paths – New Options
As defined in OMB Memo M-24-15, there are three paths to achieve a FedRAMP authorization.
- Agency authorizations.
- Program authorizations.
- Any other path to authorization that is designed by the FedRAMP PMO in consultation with OMB and the National Institute of Standards and Technology (NIST).
Until recently, there were two paths to obtain a FedRAMP Authorization to Operate (ATO). The first option was to obtain a FedRAMP ATO from a specific government agency, and the second was to receive a FedRAMP Provisional Authorization to Operate (P-ATO) from the Joint Authorization Board (JAB). The JAB has since been dissolved and replaced by the FedRAMP Board, which has taken over the responsibilities of the JAB and now manages the former JAB authorizations that were in process during the transition. The FedRAMP Board is charged with developing the overall strategy and policies for the FedRAMP program and expanding the FedRAMP authorization capacity of the federal government.
One goal of the FedRAMP Board is to increase the overall number of FedRAMP authorizations, so it is introducing multiple paths to achieve that goal. As of this writing, 229 federal agencies have issued a FedRAMP authorization, ranging from one agency that has issued 74 authorizations to many agencies that have issued just a single authorization.
Agency-Specific FedRAMP Authorizations
Agency authorizations will continue to be a viable path to FedRAMP authorization for many CSOs. When a federal agency grants an Authority to Operate (ATO), the scope of the authorization applies exclusively to that agency. However, other agencies have the option to leverage the existing authorization package as a basis for their own review. To address any risk concerns, these agencies may request additional testing or assessments to be conducted before issuing their own ATO, ensuring the solution meets their specific security requirements and risk tolerance.
CSPs should establish partnerships with agencies planning to use their CSO as early as possible. The agency formalizes its sponsorship of the CSP through the FedRAMP authorization process by contacting the PMO, after which a kickoff meeting can be scheduled.
Program-Specific FedRAMP Authorizations
Program authorizations are a new concept introduced by OMB. With a program authorization, the FedRAMP Director signs off on the authorization and affirms that the CSO meets FedRAMP requirements. This authorization path is designed for CSPs that do not have a federal agency sponsor but whose CSO is anticipated to be widely used across the federal government.
Right now, the FedRAMP PMO is working to issue program authorizations for those CSPs that were selected for a JAB authorization (prior to the dissolution of the JAB) but did not have a specific agency sponsor. I’ve spoken to multiple CSPs who wanted to pursue a FedRAMP authorization but did not have a federal agency sponsor. Program authorization will be an avenue for them to achieve FedRAMP authorization without a sponsor. It will take some time for the FedRAMP PMO to develop a methodology for program authorizations, but once it does, this authorization path is expected to be in high demand and to be a significant catalyst for increasing the number of FedRAMP authorizations. The biggest challenge I foresee is being able to keep up with that demand.
“Other” FedRAMP Authorizations
“Any other paths to authorization” is, at this point, a bit of an unknown. Because of the potentially significant demand for program authorizations, the FedRAMP PMO will need to identify other authorization paths that can relieve the pressure on program authorizations. We’ll have to wait and watch as these other paths to a FedRAMP authorization take shape. Rest assured, whatever other authorization path is developed, it will still be a rigorous process that demonstrates a presumption of adequacy and allows federal agencies to determine acceptable risk for their agency.
Summary – FedRAMP Authorization Achieved!
The release of OMB Memo M-24-15 was significant for a number of reasons, one of which is that it expanded the ways CSOs can achieve a FedRAMP authorization. Agency authorizations are, and will likely remain, the mainstay of FedRAMP authorizations in the marketplace. The introduction of program authorizations is a significant and very welcome path to authorization, and demand for program authorizations is anticipated to be high.
Thankfully, other authorization paths will also be developed and made available to CSPs in addition to agency and program authorizations. Despite the three paths outlined to achieve a FedRAMP authorization, all CSOs will receive a single authorization status of “FedRAMP Authorized.” The future seems bright for the overall FedRAMP program and for those CSPs wanting to provide services to the federal government.
If you would like to learn more about how Linford and Company can assist your organization regarding FedRAMP assessment services, please contact us.
This article was originally published on 11/17/2018 and was updated on 10/2/2024.
Ray Dunham started his career as an Air Force Officer in 1996 in the field of Communications and Computer Systems. Following his time in the Air Force, Ray worked in the defense industry in areas of system architecture, system engineering, and primarily information security. Ray leads L&C’s FedRAMP practice but also supports SOC examinations. Ray enjoys working with clients to secure their environments and provide guidance on information security principles and practices.