FedRAMP: Key Player for Government Digital Disruption

At its core, the FedRAMP program needs to evolve, carefully balancing industry best practices with the government’s mission.
Government Digital Disruption and Security Assessment Authorization

Table of Contents

Overview

Background

Burning Question

Overview

Everyone can see the seismic shift happening over the last few weeks within the federal government. In all our conversations with people inside and outside the federal government, everyone recognizes there are opportunities to improve efficiency. However, talk of dismantling a proven cloud security program is certainly puzzling. The mission of the FedRAMP program has always been to provide a uniform approach to security assessment, authorization, and continuous monitoring for cloud service providers (CSPs) delivering services to the government. At its core, the FedRAMP program needs to evolve toward more outcome-based security, carefully balancing industry best practices with the government’s mission.

Background

Since 2011, the mantra of the Federal Risk and Authorization Management Program (FedRAMP) has been to “do once, use many times.” FedRAMP does this by having cloud service providers (CSPs) engage with an accredited third-party assessment organization (3PAO) to conduct a comprehensive security assessment. This assessment is then provided to FedRAMP and Government agencies so they can perform a risk review to determine if they would like to store, process, or transmit federal data within that CSP’s cloud service offering. What may not be known to everyone, though, is that the cost of CSP preparation and assessment activities for FedRAMP is not paid for by the government. If a CSP wants to sell its cloud service offering to the federal government, it must ensure the environment meets the requirements, prepare the necessary documentation, and engage a 3PAO to conduct the independent assessment.

The burden of FedRAMP costs falls mainly on the Cloud Service Provider.

A government agency will only participate in the FedRAMP process at assessment completion to review the package. The FedRAMP Program Management Office (PMO) gets involved afterwards to validate the package is complete. Per the Federal Procurement Data System (FPDS), the Noblis annual contract value to support and operate the FedRAMP PMO is just shy of $8M. This contract provides the necessary support to process and maintain FedRAMP security packages that can be leveraged as many times as necessary by all Government agencies. Other than the cost to run the FedRAMP PMO via the Noblis contract, Government agency involvement results in little to no expense.

Prior to FedRAMP, federal security compliance was mainly validated via Federal Information Security Management Act (FISMA) security assessments. This was the only game in the federal space, as any system that housed federal data was required to undergo a certification and accreditation (C&A) review to validate the security posture of the system housing the federal data. As cloud computing gained momentum, organizations like Microsoft, Amazon, Google, etc. started doing C&A assessments against their offerings to satisfy the FISMA requirements. But doing this same C&A assessment for one, five, or even twenty-five agencies in the same year became a major burden on the CSPs and something they could not scale to support. Further, the cost of each assessment was paid for by the federal agencies, not by the CSP as it is now under FedRAMP. Now, THAT was wasteful. Without FedRAMP, we’d have federal agencies paying for each of their own assessments of a cloud service offering.

The Cloud Service Provider Advisory Board (CSP-AB) recently published an article around FedRAMP. Within it, they cited a recent GSA Fiscal Year 2025 Congressional Justification summarizing the following:

FY2025 Congressional justification revealed FedRAMP has saved taxpayers an estimated $700M in one-off agency assessment costs.

This is exactly the type of program that should remain to support the federal government, one that not only provides assurances that data is securely processed, stored, and maintained within commercial offerings, but one that is paid for by commercial entities to save the Government time and money. Furthermore, FedRAMP’s use of accredited 3PAOs who meet high testing standards to perform these assessments helps ensure a comprehensive and independent assessment is conducted. The rigor of what is reviewed and validated by a 3PAO is far greater under FedRAMP than what was in the FISMA space, allowing government-wide reuse to be a reality. And the cost for the assessment is, again, paid for by the CSP, not the Government.

Burning Question

So why would we ever consider removing or greatly modifying a program that ensures IT systems are comprehensively assessed, is paid for primarily by commercial entities, and saves the Government a massive amount of time and money? I can only imagine there is pressure from within to find efficiency somewhere. If that’s the case, here is where we would start:

#1 – FedRAMP PMO Maintains Policy Role – This is already happening with the FedRAMP PMO as they fine-tune their mission. One change that has been floated was to remove the FedRAMP PMO package completion reviews that previously created a bottleneck and led to long delays in package approvals. Fortreum agrees that a change must happen to shorten the time to authorization, so one recommendation we have is to eliminate the package completion reviews for initial and annual assessments for systems below the High baseline but leave FedRAMP PMO reviews in place for those categorized at High. Another option is to centralize the reviews of the hyperscale providers due to the government-wide use of these providers. Adjusting the mission will allow the FedRAMP PMO to focus on being the gatekeeper of all governance while letting the 3PAOs conduct the assessments and the Agencies do their own risk analysis to determine if they want to grant an authorization to a specific cloud service offering.

#2 – Role of the 3PAO – 3PAOs play a major role in conducting the security assessment of the cloud service offering. This is key to uncovering any vulnerabilities within the offering and presenting that risk to the Government agencies. While it may not be widely known, 3PAOs are required to adhere to International Organization for Standardization (ISO) 17020, as well as the FedRAMP-specific requirements set forth by the American Association for Laboratory Accreditation (A2LA) in their R311 publication. This includes personnel certifications for assessors, minimum continuous professional education credits in key areas, and participation records from the Baltimore Cyber Range amongst a slew of other requirements. This is all to ensure 3PAOs can perform quality FedRAMP assessments of these commercial CSPs. If there are concerns about a specific 3PAO’s abilities or deliverables, then the independent validator of 3PAOs (currently A2LA) should step in to perform more detailed reviews of the work the 3PAO is performing. As it currently stands, A2LA performs a comprehensive initial audit of every candidate 3PAO and then performs a surveillance-type audit the next year, followed by a full renewal audit the subsequent year. To provide CSPs, Government agencies, and taxpayers with additional assurances on the quality of work performed by 3PAOs, we would recommend a full audit be performed annually for 3PAOs to maintain their accreditation. Another area that can be explored is leveraging the 3PAO for the ongoing continuous monitoring activities of fully authorized systems. While this would eliminate the burden/cost of performing this function by the government, it merely shifts the cost to the CSP. With the 3PAO already versed in the CSP’s scanning activities, significant efficiencies should be realized in the amount of time required to perform these monthly validations.

#3 – Remove FedRAMP Sponsorship Path Requirement – The only way to currently get on the FedRAMP Marketplace without an agency sponsor is to undergo a readiness assessment. However, this readiness assessment addresses only a fraction of the controls required by the full assessment, to determine whether key areas are met. Why not remove the sponsorship requirement altogether? This is by far the biggest hurdle that smaller CSPs face. It’s not the actual requirements that they can’t meet but finding that one agency to take a chance on them. If that hurdle is removed, CSPs no longer have to sit and wait for buy-in to proceed with FedRAMP. They can immediately engage a 3PAO to conduct a FedRAMP assessment, which will be conducted the same way and to the same requirements, regardless of whether they have an agency sponsor. Once the assessment is complete, and if the results are favorable, the CSP could be listed on the Marketplace as having a provisional authorization. To avoid the pitfalls of the previous iteration of CSP-Supplied assessments, Fortreum recommends that FedRAMP mandate that all CSPs who maintain a provisional authorization have a 3PAO validate that monthly continuous monitoring activities are taking place. Then, when an agency comes forward to grant an authorization, that provisional authorization is changed to a full authorization and the 3PAO continuous monitoring validation requirement can be lifted.

#4 – Broader Industry Engagement – By engaging with the CSP and 3PAO community, you will quickly see that everyone understands the value the program brings to the federal government. FedRAMP is the industry high-bar framework that other entities want to mimic. You can look at StateRAMP, which provides a similar framework to CSPs looking to sell to state and local entities and includes a FedRAMP reciprocity option. Canada’s new Information Technology (IT) Security Assessment framework, based on FedRAMP, also has a reciprocity option. Then there’s the Cybersecurity Maturity Model Certification (CMMC). While CMMC is based on National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 rather than NIST SP 800-53, it too overlaps with FedRAMP, including the introduction of FedRAMP equivalency. If the federal government is seriously considering modernizing legacy infrastructure as part of its digital modernization, then migrating to the cloud should be top of mind for discussion. FedRAMP is and needs to be the heart of that. With that said, there should be a hard look at the actual requirements to see if they are all in fact needed. After performing FedRAMP assessments for 10+ years, we see many redundant security controls that could be eliminated to reduce the baseline without compromising security. In doing this, we can also bring down the costs for the CSP community for both preparation and assessment activities. No one in the FedRAMP space wants new products to be introduced to agencies without the proper assurances that the offerings are secure. Taxpayers deserve to know that the systems storing, processing, and transmitting federal data are properly secured and maintained. That is what FedRAMP does and should continue to do, while at the same time serving as a mechanism for bringing new technologies to the forefront to replace legacy Government IT.

There are efficiencies to be gained within the program, and we encourage FedRAMP leadership to work with industry (CSPs and 3PAOs) to find a middle ground and evolve this program to the next level.



+++++

Fortreum is an independent firm specializing in audit, advisory, and technical testing services, delivering cybersecurity expertise in highly regulated industries. Our mission is to simplify cloud and cybersecurity challenges for our clients. With nearly 25 years of combined experience in both the public and private sectors, Fortreum is dedicated to addressing our customers’ complex cloud and cybersecurity needs.

For more information, visit the Fortreum website or follow the company on LinkedIn at LinkedIn.com/company/fortreum.
