Authorization Paths in the New FedRAMP OMB Memorandum

In the ever-expanding cosmos of cloud computing, the Federal Risk and Authorization Management Program (FedRAMP) is the primary standard for cloud service providers working with federal agencies. Recognizing this, the Office of Management and Budget (OMB) has released a draft memorandum to revitalize FedRAMP, signaling a pivotal transformation to enhance the program’s efficiency, agility, and responsiveness to modern security threats. 

This article will explore the newly proposed authorization paths for FedRAMP, how they differ from the previous standard, and what that might mean for cloud products and providers. 


What Is the New OMB Draft Memo?

The new draft memo from the OMB heralds a significant modernization effort for FedRAMP, shaped by the need to keep pace with the rapid advancements and diversifying architectures in cloud technology. The memo’s updates are not mere tweaks but foundational reforms structured to refine and revitalize the authorization process. At its core, the memo aims to streamline the path to compliance for cloud service providers, making it less arduous and more attuned to the nuances of the contemporary cloud market.

Several key themes emerge from the memo, reflective of broader strategic goals:

  • Streamlining Authorization: The memo suggests a more efficient process for obtaining FedRAMP authorization, potentially reducing the complexity and duplication of efforts that providers currently face.
  • Threat-Based Security: Emphasizing a pivot towards threat-based security analyses, the memo aligns FedRAMP with the dynamic nature of cyber threats, ensuring that security baselines are responsive to the latest intelligence.
  • FedRAMP Marketplace Enhancements: The memo envisions an upgraded FedRAMP Marketplace designed to handle a higher volume of cloud service offerings and to facilitate easier discovery of authorized products and services.
  • Automation and Collaboration: There’s a straightforward drive toward leveraging automated tools to accelerate the authorization process, coupled with an increased emphasis on collaboration between government and industry stakeholders. This is a nod to the potential of technological innovations to streamline security assessments and maintain continuous monitoring.
  • Inclusivity in the Marketplace: The memo also touches on the “FedRAMP Ready” designation, which could be retooled to assist small or economically disadvantaged businesses in entering the competitive federal market.

In essence, the OMB’s draft memo on FedRAMP aims to recalibrate the program for a new era where efficiency, adaptability, and partnership between the public and private sectors are paramount. It’s a promising blueprint for a more secure, accessible, and collaborative federal cloud ecosystem.


The (Proposed) New Paths to Authorization

3PAO, FedRAMP, FISMA and NIST audit services from the experts at Lazarus Alliance. We are proactive cyber security.

The recent draft memo from the Office of Management and Budget (OMB) proposes innovative paths for FedRAMP authorization, each designed to build upon the traditional models while addressing their limitations and the changing dynamics of cloud technology. These proposed paths represent a significant shift in the FedRAMP authorization paradigm, aiming to make the program more responsive to the needs of both government agencies and cloud service providers. By introducing a more flexible authorization framework, the OMB and others seek to provide more providers, specifically providers of standalone SaaS applications, a way to work with the program productively. 

  • Single-Agency Authorization: This path maintains the essence of the traditional Agency ATO but focuses on reusability and efficiency. It allows a cloud service that meets a particular agency’s standards to be used by other agencies with similar security needs, fostering a more cooperative federal cloud environment. This path could streamline the process for cloud service providers that have a solution tailored to the needs of one agency but could be beneficial to others.
  • Joint-Agency Authorization: Evolving from the JAB P-ATO model, the Joint-Agency Authorization aims to facilitate a collaborative environment where multiple agencies work together to authorize a cloud service. This approach could significantly reduce the assessment burden on providers by creating a common security standard that satisfies a group of agencies, thereby expediting the adoption process across the government.
  • Program Authorization: This innovative path allows the FedRAMP Program Management Office to authorize cloud services that are expected to have widespread use across federal agencies. This centralizes the authorization process, potentially reducing redundancy and accelerating the approval timeline for popular cloud solutions.
  • Other Types of Authorization: The memo also introduces the possibility of alternative authorization methods that the FedRAMP PMO and the FedRAMP Board can establish. These methods are designed to be flexible and could include preliminary authorizations that allow federal agencies to trial cloud products and services for a defined period.



The Traditional FedRAMP Authorization Paths

Anyone familiar with the traditional FedRAMP Authorization standard will immediately see some differences between the new and old standards. 

  • Agency Authority to Operate (ATO): The ATO has been the primary route for cloud service providers to gain FedRAMP approval. In this path, a provider partners with a federal agency that agrees to sponsor the authorization process. The agency conducts a security assessment by FedRAMP standards and, if the service meets these standards, grants an ATO that signifies the cloud service is authorized for use. 
  • Joint Authorization Board (JAB) Provisional Authority to Operate (P-ATO): The P-ATO offered an alternative to the ATO. Instead of a single agency sponsor, cloud service providers could opt to go through the JAB. The JAB P-ATO served as a preliminary approval, indicating that a cloud service’s security package had been reviewed and provisionally approved by the board, thereby simplifying the process for subsequent agency-specific authorizations.

These paths have enabled numerous cloud service providers to enter and serve the federal marketplace, with each path presenting its own set of challenges and benefits. 

While the ATO process provides a direct route to authorization tailored to a single agency, the JAB P-ATO offers a broader stamp of approval that could facilitate quicker adoption across multiple agencies. However, both paths have faced criticism due to their complexity, which often leads to costly and sometimes redundant labor on the provider’s part.


Are You Ready for Changes to FedRAMP?

The Office of Management and Budget’s draft memo on FedRAMP marks a seminal moment in the evolution of cloud security governance for the federal government. For federal agencies, the modernized paths promise access to a broader suite of secure, cutting-edge cloud solutions that can enhance their operational effectiveness and service delivery to the public.

Thinking ahead to your responsibilities under the evolving FedRAMP standard? Work with Lazarus Alliance to stay up-to-date.

Lazarus Alliance