The New FedRAMP Policy — Is It Enough?

Rebecca K. Lively
Defense Unicorns
Nov 16, 2023

FedRAMP, which started in 2011 as an effort to accelerate the adoption of cloud technologies, became an albatross of bureaucracy around companies seeking to enter the Federal market, especially small businesses that could not afford the long waits and expensive consultants necessary to achieve FedRAMP authorizations. Worse, these authorizations were often not enough: many Federal customers required more paperwork and changes with each new Federal customer.

To address these concerns, Congress passed the FedRAMP Authorization Act in 2022, formalizing the FedRAMP program while also requiring modernization. Pursuant to the new law, the Office of Management and Budget published a draft policy for public comment. If you’re interested, comments are due on November 27, 2023. Today, on behalf of my company Defense Unicorns, I submitted the following comments:

Public Comments on Updated FedRAMP Policy

I am writing on behalf of Defense Unicorns, a leading provider of platform technologies that empower rapid and reliable delivery of capabilities across diverse mission areas. Our open architecture platforms ensure secure, scalable mission systems that champion flexibility and the integration of emerging technologies while avoiding vendor lock-in. This is made possible by the deep expertise and dedication of our team, which consists of innovators, software engineers, and veterans with a wealth of experience in technology programs within the Department of Defense and the broader federal market.

We applaud the proposed FedRAMP policy’s emphasis on automation and the transition toward the delivery of security artifacts in a machine-readable format. These changes represent a significant step forward in modernizing the framework and align with best practices that Defense Unicorns and many others in the tech industry have long advocated for. We are also enthusiastic about the policy’s emphasis on ending incentives to maintain separate offerings for government and private-sector services.

However, we believe that the policy does not fully address some systemic issues that have historically hindered FedRAMP’s effectiveness. Specifically, the program has been criticized for its protracted processes and substantial expense, which often make FedRAMP authorization unattainable for small businesses. While the updated policy introduces elements that may improve these aspects, it appears to lack the bold reforms needed to revolutionize the speed and cost-efficiency of the program.

Furthermore, the introduction of a new government-only committee, the Technical Advisory Group (TAG), that is not mandated by law raises concerns about potential redundancies and inefficiencies, especially when considering the recent creation of the Federal Secure Cloud Advisory Committee (FSCAC) and the by-law creation of the FedRAMP Board. The policy must delineate clear, distinct roles and justifications for any additional committees to ensure they provide unique value and do not duplicate efforts or complicate the governance structure within an already confusing process.

Finally, while the policy nods to industry engagement, it lacks a mechanism to formalize this collaboration. Except for five members of the FSCAC, the FSCAC, the FedRAMP Board, and the proposed TAG are all composed exclusively of government employees. This composition appears to be a significant oversight, considering the valuable perspectives and expertise that industry professionals can offer.

As a company deeply invested in the success of government technology programs, we offer the following recommendations to better align the proposed FedRAMP Policy with its own stated goals and the goals expressed by the FedRAMP Authorization Act:

Transform the Technical Advisory Group (TAG) into an Industry Advisory Board: The creation of the TAG as a formal entity appears redundant with the FedRAMP Board and risks unnecessary complications and delays in making decisions and policy recommendations. Moreover, permitting only government employees to serve on the TAG limits valuable external perspectives. Accordingly, we recommend the TAG be transformed into an industry advisory group with at least 50% of its membership coming from small business concerns. This change will better address the policy’s stated goals of industry engagement (page 16) and provide actionable recommendations to inform the by-law reporting requirement relating to “[t]he unique costs and potential burdens incurred by cloud computing companies that are small business concerns” (44 USC § 3615(b)(4)).

Explicitly Endorse Open Architectures and Vendor Neutrality: While the new policy explicitly requires machine-readable security documentation, we believe it should go a step further and explicitly recommend the use of open standards, like NIST-developed OSCAL, to enable a more dynamic and competitive marketplace that benefits all stakeholders. By not having a suggested standard, the policy risks causing chaos and confusion. Naming a specific recommended standard serves the policy’s stated goal of “offering a consistent and reusable authorization process.”

Incentivize True Continuous Monitoring: The updated FedRAMP policy states that the “review process should consistently assess and validate the core security claims made by a cloud provider.” It further provides that “FedRAMP’s continuous monitoring process should incentivize security through agility.” Modern technology now permits certain security controls within systems to be assessed for compliance in near real time. Cloud Service Providers (CSPs) that implement continuous automated monitoring reduce the burden of manual reporting and increase security through real-time threat assessment and response. FedRAMP policy should provide incentives, such as expedited processing, for CSPs that implement true continuous monitoring.

Set, Measure, and Improve Goals Related to Automation, Cost, and Efficiency: We suggest the FedRAMP policy make explicit provisions for benchmarking related to automation, cost, and efficiency. We propose the policy include key metrics to regularly measure against industry standards and best practices. This could be vital to ensuring continuous improvement and adaptability of the FedRAMP process. Measures of efficiency should also include the number of new approvals that meet the FedRAMP policy goal of “[l]everag[ing] shared infrastructure between the Federal Government and private sector.”

We envision these amendments paving the way for a FedRAMP framework that embodies agility, cost-effectiveness, and robust security. Defense Unicorns is eager to contribute to this discourse and welcomes further dialogue to refine these recommendations. We are optimistic that together, we can enhance the FedRAMP policy to better serve all stakeholders.

Thank you for considering our comments on the proposed policy changes.

Sincerely,

REBECCA K. LIVELY

Defense Unicorns
