To conclude our series of cybersecurity areas to focus on in 2023 for those who do business with the Federal government, we look at the FedRAMP and StateRAMP developments from 2022. For the rest of this series, see our prior articles (Part One, Part Two, Part Three, and Part Four).

FedRAMP Authorization – The Federal Risk and Authorization Management Program (FedRAMP) Authorization Act was signed into law as part of the FY23 National Defense Authorization Act. The Act officially codified FedRAMP as the definitive standardized security assessment and authorization program for federal procurement of cloud products and services. To encourage further agency adoption of FedRAMP, the Act includes a “Presumption of Adequacy,” which states that a FedRAMP authorization package is presumed adequate for any agency authorization. This allows an agency to use a FedRAMP-authorized offering without having to conduct any additional review. FedRAMP is also directed to establish a means for the automation of security assessments and reviews. These measures should further reduce barriers for agency adoption of cloud services and products.

The Act subjects the FedRAMP program to additional rulemaking requirements – any proposed FedRAMP guidance or directives that may have an impact on cloud service providers must undergo a public comment period. The Act also calls for the creation of two advisory boards that will provide additional guidance to the program: the FedRAMP Board, consisting of federal stakeholders, and the Federal Secure Cloud Advisory Committee, comprised of federal and industry stakeholders.

FedRAMP, Revision 5 Baselines – In early 2022, FedRAMP was in the process of updating its standards to better align with NIST SP 800-53, Revision 5 standards. FedRAMP planned on releasing a draft of the new FedRAMP Revision 5 baseline standards for public comment, but has been notably silent since spring 2022. In fall 2022, FedRAMP sought additional public comment on updating the Authorization Boundary Guidance. You can read our article about the rulemaking for the Authorization Boundary Guidance here.

StateRAMP – Modeled after the FedRAMP program, the State Risk and Authorization Management Program (StateRAMP) provides a common standard and model for states and local governments to verify that cloud products and services have appropriate security controls in place. In 2022, Arkansas, Colorado, Maine, Nebraska, North Dakota, Vermont, and West Virginia joined StateRAMP as participating government members, bringing the number of StateRAMP participating organizations to 23. The National Association of State Procurement Officials (NASPO) announced the addition of StateRAMP as a strategic partner to “help its members achieve success as public procurement leaders in their states” through the development of educational content and resources for state governments.

Putting it Into Practice – What to expect in 2023: We expect that FedRAMP and StateRAMP programs will continue to gain traction as adoption of these programs becomes more widespread. We continue to eagerly await the release of the FedRAMP, Revision 5 baselines and any updates to the Authorization Boundary Guidance.