Authorization Paths in the New FedRAMP OMB Memorandum

In the ever-expanding cosmos of cloud computing, the Federal Risk and Authorization Management Program (FedRAMP) is the primary standard for cloud service providers working with federal agencies. Recognizing this, the Office of Management and Budget (OMB) has released a draft memorandum to revitalize FedRAMP, signaling a pivotal transformation to enhance the program’s efficiency, agility, and responsiveness to modern security threats. 

This article will explore the newly proposed authorization paths for FedRAMP, how they differ from the previous standard, and what that might mean for cloud products and providers. 

What Is the New OMB Draft Memo?

The new draft memo from the OMB heralds a significant modernization effort for FedRAMP, shaped by the need to keep pace with the rapid advancements and diversifying architectures in cloud technology. The memo’s updates are not mere tweaks but foundational reforms structured to refine and revitalize the authorization process. At its core, the memo aims to streamline the path to compliance for cloud service providers, making it less arduous and more attuned to the nuances of the contemporary cloud market.

Several key themes emerge from the memo, reflective of broader strategic goals:

• Streamlining Authorization: The memo suggests a more efficient process for obtaining FedRAMP authorization, potentially reducing the complexity and duplication of efforts that providers currently face.
• Threat-Based Security: Emphasizing a pivot towards threat-based security analyses, the memo aligns FedRAMP with the dynamic nature of cyber threats, ensuring that security baselines are responsive to the latest intelligence.
• FedRAMP Marketplace Enhancements: The memo envisions an upgraded FedRAMP Marketplace designed to handle a higher volume of cloud service offerings and to facilitate easier discovery of authorized products and services.
• Automation and Collaboration: There’s a straightforward drive toward leveraging automated tools to accelerate the authorization process, coupled with an increased emphasis on collaboration between government and industry stakeholders. This is a nod to the potential of technological innovations to streamline security assessments and maintain continuous monitoring.
• Inclusivity in the Marketplace: The memo also touches on the “FedRAMP Ready” designation, which could be retooled to assist small or economically disadvantaged businesses in entering the competitive federal market.

In essence, the OMB’s draft memo on FedRAMP aims to recalibrate the program for a new era where efficiency, adaptability, and partnership between the public and private sectors are paramount. It’s a promising blueprint for a more secure, accessible, and collaborative federal cloud ecosystem.

The (Proposed) New Paths to Authorization

The recent draft memo from the Office of Management and Budget (OMB) proposes innovative paths for FedRAMP authorization, each designed to build upon the traditional models while addressing their limitations and the changing dynamics of cloud technology. These proposed paths represent a significant shift in the FedRAMP authorization paradigm, aiming to make the program more responsive to the needs of both government agencies and cloud service providers. By introducing a more flexible authorization framework, the OMB and others seek to provide more providers, specifically providers of standalone SaaS applications, a way to work with the program productively. 

• Single-Agency Authorization: This path maintains the essence of the traditional Agency ATO but focuses on reusability and efficiency. It allows a cloud service that meets a particular agency’s standards to be used by other agencies with similar security needs, fostering a more cooperative federal cloud environment. This path could streamline the process for cloud service providers that have a solution tailored to the needs of one agency but could be beneficial to others.
• Joint-Agency Authorization: Evolving from the JAB P-ATO model, the Joint-Agency Authorization aims to facilitate a collaborative environment where multiple agencies work together to authorize a cloud service. This approach could significantly reduce the assessment burden on providers by creating a common security standard that satisfies a group of agencies, thereby expediting the adoption process across the government.
• Program Authorization: This innovative path allows the FedRAMP Program Management Office to authorize cloud services that are expected to have widespread use across federal agencies. This centralizes the authorization process, potentially reducing redundancy and accelerating the approval timeline for popular cloud solutions.
• Other Types of Authorization: The memo also introduces the possibility of alternative authorization methods that the FedRAMP PMO and the FedRAMP Board can establish. These methods are designed to be flexible and could include preliminary authorizations that allow federal agencies to trial cloud products and services for a defined period.

The Traditional FedRAMP Authorization Paths

Anyone familiar with the traditional FedRAMP Authorization standard will immediately see some differences between the new and old standards. 

• Agency Authority to Operate (ATO): The ATO has been the primary route for cloud service providers to gain FedRAMP approval. In this path, a provider partners with a federal agency that agrees to sponsor the authorization process. The agency conducts a security assessment by FedRAMP standards and, if the service meets these standards, grants an ATO that signifies the cloud service is authorized for use. 
• Joint Authorization Board (JAB) Provisional Authority to Operate (P-ATO): The P-ATO offered an alternative to the ATO. Instead of a single agency sponsor, cloud service providers could opt to go through the JAB. The JAB P-ATO served as a preliminary approval, indicating that a cloud service’s security package had been reviewed and provisionally approved by the board, thereby simplifying the process for subsequent agency-specific authorizations.

These paths have enabled numerous cloud service providers to enter and serve the federal marketplace, with each path presenting its own set of challenges and benefits. 

While the ATO process provides a direct route to authorization tailored to a single agency, the JAB P-ATO offers a broader stamp of approval that could facilitate quicker adoption across multiple agencies. However, both paths have faced criticism due to their complexity, which often leads to costly and sometimes redundant labor on the provider’s part.

Are You Ready for Changes to FedRAMP?

The Office of Management and Budget’s draft memo on FedRAMP marks a seminal moment in the evolution of cloud security governance for the federal government. For federal agencies, the modernized paths promise access to a broader suite of secure, cutting-edge cloud solutions that can enhance their operational effectiveness and service delivery to the public.

Thinking ahead to your responsibilities under the evolving FedRAMP standard? Work with Lazarus Alliance to stay up-to-date.

What Is Autonomous Malware?

We’re reaching the end of 2025, and looking ahead to 2026, most experts are discussing the latest threats that will shape the year ahead. This year, we’re seeing a new, but not unexpected, shift to autonomous threats driven by state-sponsored actors and AI.  With that in mind, a new generation of threats, broadly known as...Continue reading→

What CISA’s Emergency Directive 26-01 Means for Everyone

In mid-October 2025, the CISA issued one of its most urgent orders yet: Emergency Directive 26-01. The directive calls on all Federal Civilian Executive Branch (FCEB) agencies to immediately mitigate vulnerabilities in devices from F5 Networks following a state-sponsored breach of F5’s systems and access to portions of BIG-IP source code and vulnerability data. The event...Continue reading→

Cybersecurity and Vetting AI-Powered Tools

A recent exploit involving a new AI-focused browser shone a light on a critical problem–namely, that browser security is a constant issue, and AI is just making that threat more pronounced. Attackers discovered a way to use that browser’s memory features to implant hidden instructions inside an AI assistant. Once stored, those instructions triggered unwanted...Continue reading→

Shutdown Security And Cyber Vulnerability

When the federal government shuts down, the public sees closed monuments, unpaid workers, and halted programs. What they do not see is the silent surge of cyberattacks targeting agencies already operating on fumes. During the most recent shutdown, attacks against U.S. government systems spiked by nearly 85%.  Cybersecurity failures during government disruptions rarely start with...Continue reading→

Identity and the Shift from Malware

The world of cyber threats is rapidly evolving, and while we can see these changes more generally, it’s always crucial to understand them concretely. As the 2025 CrowdStrike Global Threat Report shows us, the landscape of our industry is changing.  We’re digging into this report to discuss a challenging trend: the move of hackers foregoing...Continue reading→

Maintaining Compliance Against Prompt Injection Attacks

The increasing adoption of AI by businesses introduces security risks that current cybersecurity frameworks are not prepared to address. A particularly complex emerging threat is prompt injection attacks. These attacks manipulate the integrity of large language models and other AI systems, potentially compromising security protocols and legal compliance. Organizations adopting AI must have a plan...Continue reading→

Are We Already Talking About CMMC 3.0?

The ink has barely dried on the CMMC final rule, and already the defense contracting community is buzzing with speculation about what comes next. Just when contractors thought they had a moment to catch their breath after years of regulatory limbo, whispers of CMMC 3.0 have begun circulating through the industry. But is this just...Continue reading→

Centralizing Identity-Based Risk

As the traditional network boundary dissolves and remote work becomes standard practice, identities are the major frontier for security. Whether we’re talking about human users, service accounts, or machine identities, these have emerged as both the primary access mechanism and the most targeted attack vector.  It has become imperative for providers to centralize identity management...Continue reading→

Deviation and Significant Change Requests in FedRAMP: A Comprehensive Guide

FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies. While the program’s rigorous baseline requirements ensure consistent security, the reality is that this consistency calls for a little flexibility.  This is where deviation requests and significant change requests come into play. These two...Continue reading→

The Costs of Compliance and Data Breaches

Data is possibly one of the most valuable assets any organization holds. Customer information, employee records, and proprietary business intelligence present challenges because the data flowing through modern enterprises represents both significant opportunities and serious risks.  Businesses face a challenging balance: investing in compliance measures to protect sensitive information while also preparing for the real...Continue reading→