At the end of October, the federal Office of Management and Budget (OMB) released a draft memorandum for public comment titled Modernizing the Federal Risk Authorization Management Program (FedRAMP). For the people and teams that live, breathe and eat FedRAMP every day, this became BIG news overnight. OMB proposed to rescind the initial 2011 order that created FedRAMP in the first place, build the mandate anew, recreate large chunks of the authorization process, and introduce new automation practices—for security controls as well as the overall FedRAMP process—that have been dreamed of for years. For companies like Anitian that are advisors and tool providers this was big news. When we subsequently met with our 3PAOs partners like Schellman and A-lign, or our IaaS partners like AWS and Azure, the draft memorandum was a topic of almost every meeting.*
But this post isn’t actually for advisors or for 3PAOs or for platform providers.
Instead, this blog post is for the scores of SaaS companies that have innovative cloud-based products and services that are not yet known by government buyers.
This post is for companies whose SaaS products could provide real security, mobility, or productivity benefits to U.S. agencies or departments, but who haven’t started down a road many perceive as costly, fraught with potholes, and—between processes and deliverables and technology—almost unnavigable at times.
A Vision for Change
Two of the most interesting things about the OMB’s memorandum, at least to this reader, were its tone and its vision. When compared to the original 2011 memorandum, from then-federal CIO Steven VanRoekel, the new memo conveys a much more mature, thoughtful, “been-there-done-that” tone. Where the earlier memo conveyed a sense of adding security oversight to an unknown cloud journey (“establishing a public-private partnership to promote innovation and the advancement of more secure information technologies”), the recent memo contains a more business-like, risk-management focused seriousness: “FedRAMP must first and foremost be a security program.”
Gone from the 2011 memorandum is the vague sense that “There’s this cloud thing happening, and we’re uncertain where it’s going or what holes it will poke into our current security controls.” (I didn’t read it that way at the time, but a decade of hindsight can create an unearned feeling of smugness in people as well as programs.) Where the 2011 memo proposed that “a methodology” and “a mechanism” and “a framework” would be created to guide the new program, there was a sense that we were all—to paraphrase Indiana Jones—”Making this up as we go.”
But these methodologies and mechanisms and frameworks have all been created and tested in the last decade. They’re not perfect by any stretch, but they are constantly being improved and revised. We’ve invented and taught ourselves a new cloud-based language of security. Along with it we’ve learned how to measure the efficacy, value and shortcomings of security programs.
The updated memorandum seems to better understand the present moment, with both its profound threats and nascent but promising security controls, through a lens of maturity that wasn’t in the original. It’s not arrogant, but neither is it wide-eyed and innocent. It suggests we have a way to go but also that we’ve learned something from the Sunburst-Solar Winds attacks that hit Homeland Security, State, Commerce and Treasury in 2019 and ‘20. Not everything, clearly, but enough that we can say we reacted more quickly to this year’s Clop-orchestrated attack on federal users of the MOVEit utility.
In the updated memorandum, the OMB casts a vision of leading “an information security program grounded in technical expertise and risk management.” They also position that vision as being oriented on all of cyberspace, traversing both public and private sectors. It intentionally positions FedRAMP as “a bridge between industry and the Federal Government” and expects the resulting process to “thoughtfully navigate situations where unthinking adherence to standard agency practices in a commercial environment could lead to unexpected or undesirable security outcomes.”
Again, there’s a sense of maturity and purpose in that statement that didn’t really seem to be present in the document of a decade ago.
10X Growth in Marketplace Offerings
While FedRAMP has done a lot of things right in the last 12 years, it hasn’t scaled very well. An Anitian customer recently told me, frankly and anonymously, that “Any objective view of FedRAMP must call it a failure.” When I expressed surprise and asked why, the customer simply said “Three hundred ATO’d products? The government needs thousands.”
I couldn’t really argue with his logic, even if I didn’t agree with his choice of words.
Far more important than my view, it seems OMB agreed: “The FedRAMP marketplace must scale dramatically to enable Federal agencies to work with many thousands of different cloud-based services that can accelerate key agency operations while allowing agencies to directly manage a smaller IT footprint.” (Emphasis mine.)
Emily Cummins, Anitian’s director of compliance and security services, sees the clearly stated desire for growth as the one of most important parts of OMB’s update. “It feels like the center of gravity for the entire FedRAMP ecosystem has shifted, in a good way, towards the CSPs, the cloud service providers. If the initial focus was on getting IaaS platforms aligned with FedRAMP and getting 3PAOs to embrace their role, the new focus is all about building a critical mass of SaaS offerings for the FedRAMP marketplace.”
Cummins points to the language in the memo, calling for “many thousands” of SaaS offerings, as well as the intent shared in the PMO’s Zoom-based town halls on the subject: “They talk about a building a catalog of three thousand ATO’d SaaS products and services. And they’ve created new procedures and mechanisms to help that happen.” Cummins cited new pathways in the process, like multi-agency ATOs and 12-month trials for not-yet-authorized offerings, as examples of how OMB is looking for workable ways to increase the number of offerings without decreasing any one offering’s security posture.
If the FedRAMP PMO can increase the number of offerings at this scale, then the vision stated in the memo—of providing the federal government with an expansive, nimble and first-class security program—may become a reality in a couple short years. And if your company has an innovative, useful SaaS product that the government doesn’t know it needs yet, maybe now is the time to start on the FedRAMP journey.
More to Come
To be transparent and fair, Cummins thinks the two areas I’ve highlighted in this post—the FedRAMP vision and the 10X scale in offerings—are important takeaways from the memo… but maybe not the most important takeaways: “The focus on automation and the December 23 deadline for the PMO to declare a machine-readable standard for security authorizations and assessments is absolutely huge. Also, the new focus on red teaming and an ‘any time’ assessment of a CSP’s security state… these are massive changes.”
As is usually the case, Emily is right. So look for a follow-up blog post that unpacks some of the more technical aspects of the memorandum, as well as the security and procedural changes that will result.
*It actually made me nostalgic for water cooler conversations and breakroom hubub. When “Big Things” happen, impromptu Slack and Teams messages don’t convey nearly the same energy or sense of urgency.