Software industry group offers FedRAMP wishlist to OMB, GSA

Software trade group the Alliance for Digital Innovation offered OMB and GSA officials potential priorities to consider in implementing the FedRAMP Authorization Act in a Feb. 1 letter.

The recently passed FedRAMP Authorization Act should be a starting point for the government to remake the certification program in a way that lowers the barrier of entry for cloud solutions, the Alliance for Digital Innovation said in a new letter to OMB and GSA.

The Alliance for Digital Innovation wants the federal government to use the FedRAMP Authorization Act to “reimagine” the program and address what it says are longstanding problems with insufficient funding and barriers to entry for cloud providers. 

FedRAMP, established in 2011, is a government-wide cybersecurity assessment, authorization and continuous monitoring program that certifies the security of cloud services that federal agencies can use. 

Congress recently passed the FedRAMP Authorization Act as part of the fiscal 2023 National Defense Authorization Act, codifying the program and including measures meant to promote its use such as a cloud advisory committee and FedRAMP board, as well as directions for the Office of Management and Budget to issue FedRAMP guidance.

But the Alliance for Digital Innovation, a software technology trade group, said in a Feb. 1 letter to OMB director Shalanda Young and General Services Administration leader Robin Carnahan that the law “is an opportunity for the administration to develop a policy that allows FedRAMP to grow and change with the needs of government at the speed of technological innovation.”

The association offers a list of priorities it wants GSA and OMB to consider as they implement the legislation. The group wants the program to allow “federal agencies to manage their risk while lowering the barrier to entry for commercial, modern cloud solutions,” Ross Nodurft, executive director of the association, said in a statement. 

“The administration has a clear remit from Congress to invest in the program and build a risk management structure that can support rapid, robust digital transformation and movement to cloud services,” he said.

One ask is for OMB and GSA to create incentives for agencies to sponsor FedRAMP authorization for cloud service providers, something that can be “a time-consuming and resource-intensive process for authorizing officials,” the letter says. OMB and GSA might consider funding, personnel support and public recognition for agencies. 

The letter also asks for OMB and GSA to appoint and fund a FedRAMP coordinator at each agency who would help agency officials that want to onboard a new cloud product.

The group also asks for government to make it easier for small cloud businesses to enter the federal marketplace with things like grants to pay for third-party assessments, and to encourage agencies not to default to higher levels of security controls, but instead tailor risk management – something that would make agencies more nimble, the letter states.

“The public and private sectors need to work closely together to develop a policy that encourages agencies to make risk-based decisions based on security threats and not perceived oversight,” the letter said.

The group’s concerns about underutilization of the program also surfaced in a 2019 report by the Government Accountability Office, which found that 15 of 24 agencies it surveyed did not always use FedRAMP to authorize cloud services, with interviewees pointing to resource challenges in complying with the program and confusing guidance.

The Alliance also calls for new security compliance programs to build in reciprocity with FedRAMP. The letter points to the Defense Department’s Cybersecurity Maturity Model Certification as a place where this would “reduce the administrative burden for the government and the compliance burden of the cloud companies, and allow agencies to more quickly comply with these new security policies.”

Other requests in the letter include the creation of a governance structure for the technical review process; public lists of authorities to operate issued by each agency for cloud service providers; changes meant to “open the marketplace” to cloud solutions still in the process of becoming eligible for FedRAMP authorization and more.

As for funding these changes, the alliance suggests that GSA tap into the recent funding boost and cross-agency funding tool given to GSA in the latest appropriations package.

“The FedRAMP Authorization Act and the accompanying money from Congress represent the beginning of long needed investments in the FedRAMP Program,” said Nodurft.