Every year, Congress passes a new National Defense Authorization Act (NDAA) laying out the U.S. Department of Defense budget and priorities. More than eleven years after its inception, the 2023 NDAA places a renewed spotlight on the Federal Risk and Authorization Management Program (FedRAMP), finally giving teeth to the Program. Newly codified in the NDAA, FedRAMP is now poised to streamline the government’s ability to procure secured cloud computing services and platforms and to modernize federal IT systems across the board. This FedRAMP focus is further enforced by the Pentagon’s FY2023 supersized $9 Billion award in cloud computing contracts to FedRAMP-approved tech giants including Google, Amazon, Microsoft and Oracle to support its Joint Warfighting Cloud Capability. Given the government’s appetite for increased security and demand for cloud computing, perhaps the renewed focus is both expected and warranted.
Paramount among the FedRAMP Authorization Act practical wins for government contractors providing cloud computing is the “presumption of adequacy.” This provision, summed up by Representative Connolly’s tagline, “certify once, reuse many times,” solidifies the long-standing vision of the government adopting uniform cloud computing security standards and policies. Cloud providers with authorization from one agency can now use that authorization with other agencies without contending with disparate standards and requirements. Streamlined processes for the agencies means streamlined dividends for cloud providers, creating what we hope is a win-win solution for all.
Here are some practical implications and considerations cloud providers and partners should be aware of in the short and long-term as the FedRAMP Authorization Act is carried out by the General Services Administration (GSA), Office of Management Budget (OMB), and advisors thereof.
- The cost to become FedRAMP certified should come down.
- Due to decreased cost and level of effort required to certify, the cloud provider landscape and product offerings may change including the companies we currently see partnering together which may have previously formed partnerships to achieve scales of economy.
- Guidance will follow from the OMB on the scope of FedRAMP including products and services falling under FedRAMP’s purview, requirements for agency authorization, and the FedRAMP authorization process.
- An alignment among agencies is not immediate, and will follow OMB’s guidance.
- Security assessments and reviews will become automated.
- Additional rules parsing the shared responsibility model will bring into sharper focus which responsibilities fall under either the cloud provider or government’s purview to eliminate security concerns.
- Authority to Operate requirements are not going away.
- Additional public commenting periods are expected as to any rules promulgated as a result of the FedRAMP Authorization Act and cloud providers should be ready to engage directly or through counsel.
The Morris, Manning & Martin, LLP Government Contracts team continues to closely track FedRAMP developments, rulemaking, and requirements and is available to advise clients as the compliance landscape continues to shift and develop.
