Executive Order Hints at FedRAMP Alternatives


The order calls for modernizing the cloud-security program and opens the door for other frameworks to be used for authorization.

The Biden administration's recently released cybersecurity-focused executive order mentions a key cloud security program known as FedRAMP several times as it emphasizes the need for federal agencies to quickly but securely adopt cloud computing. 

Section 3 of the executive order, titled “Modernizing Federal Government Cybersecurity,” states that within 60 days of the order, the General Services Administration in consultation with the director of the Office of Management and Budget and heads of other agencies shall begin modernizing the Federal Risk and Authorization Management Program. This includes “identifying relevant compliance frameworks, mapping those frameworks onto requirements in the FedRAMP authorization process, and allowing those frameworks to be used as a substitute for the relevant portion of the authorization process, as appropriate.”

FedRAMP assesses the security of cloud products—infrastructure, platforms, software applications—being sold to federal agencies. If a cloud service offering meets FedRAMP's control baseline, it is authorized: either with a provisional authority to operate, or P-ATO, from the Joint Authorization Board, or with an authority to operate, or ATO, from a sponsoring agency.

But it's no secret that FedRAMP—best intentions aside—has long served as a bottleneck to getting innovative cloud service offerings to federal system/mission owners and agencies. FedRAMP began in 2011, roughly a decade ago, and currently has about 225 authorized cloud service offerings listed on its marketplace. To put this in perspective, there are roughly 15,000 software-as-a-service companies in the market. 

FedRAMP timelines vary depending on several factors—some related to the cloud service providers themselves, and others related to the FedRAMP Joint Authorization Board and program management office, or sponsoring agencies. That said, general timelines for a FedRAMP JAB P-ATO can take seven to nine months to complete. Agency authorizations can take anywhere from four to six months to complete. Some cases have taken much longer than this. 

Part of the issue is that the FedRAMP JAB can only handle so many authorizations a year. On average, the JAB prioritizes 12 cloud service offerings each year. It selects them through a process called FedRAMP Connect, which the program management office uses to decide which cloud service offerings will be prioritized for the given year.


Given the gap between the number of as-a-service offerings in the market and FedRAMP's limited capacity to authorize them, other compliance frameworks are being considered. But it has yet to be determined what those alternative frameworks may be and what challenges could be associated with them.

Some cybersecurity professionals have suggested one such alternative may be the Cloud Security Alliance's Cloud Controls Matrix (CCM), which provides 197 controls across 17 domains. It is also mapped to industry frameworks, including FedRAMP. However, one challenge associated with CCM is that it does not have the same third-party assessor rigor that FedRAMP has and allows companies to self-attest that their products meet the standard.

There are also cascading effects of opening the door to FedRAMP alternatives within the defense industrial base. Defense companies have to deal with regulations such as the Defense Department's vendor certification program, Cybersecurity Maturity Model Certification, and the acquisition clause DFARS 252.204-7012, which sets requirements for defense contractors using cloud services to handle covered defense information. There has been no shortage of talk of reciprocity between FedRAMP and CMMC. If FedRAMP opens the door to reciprocity with other control frameworks, that creates a potentially transitive situation with anything FedRAMP would accept as an alternative framework. In other words, if alternative frameworks are accepted in place of FedRAMP for federal cloud use, then in theory those FedRAMP alternatives would also have reciprocity with CMMC. This raises a lot of questions and challenges for the Defense Department, the defense industry and CMMC that would need to be explored. 

While there are no easy answers, it is clear that the government's consumption of cloud service offerings is only accelerating, a trend the COVID-19 pandemic intensified. Given this reality, it is clear that the current model for authorizing and approving cloud services simply hasn't scaled—and won't scale—to meet the demand, which creates a situation in which alternative options must be explored. That said, alternatives can't come at the expense of the security of federal and defense data. 

Chris Hughes is an industry consultant, an adjunct professor with the University of Maryland Global Campus and Capitol Technology University, and co-host of the Resilient Cyber podcast. He previously served in the U.S. Air Force, as a federal civilian with Naval Information Warfare Systems Atlantic, and as a member of the General Services Administration’s Joint Authorization Board for FedRAMP. 
