During the last week of October 2023, everyone in the industry was waiting with bated breath for news about CMMC 2.0. The rule, which was submitted to OIRA on July 24th, will either become a final interim rule or a proposed rule, the latter meaning approximately one more year of public comment. Almost as if the Office of Management and Budget was trying to slip something under the radar, a draft memo was released on October 27th regarding an update to FedRAMP.
FedRAMP has been mentioned often in discussions of NIST SP 800-171 and CMMC 2.0 over the last year. What is happening now?
FedRAMP (Federal Risk and Authorization Management Program) was published in 2011 by the Office of Management and Budget (OMB). It was created to help federal agencies evaluate cloud-based products and services. The idea was to have a series of controls against which cloud products could be measured.
According to the OMB itself, there was a need in 2011 to expand beyond securing physical properties and services. There was a need to expand scrutiny to the cloud computing sector, and FedRAMP helped to answer that call.
As was mentioned above, while everyone was turned toward NIST/CMMC rulemaking, the OMB released a draft memo regarding updates to FedRAMP. In the words of the memo, “The proposed guidance would define the scope of cloud products subject to FedRAMP, set requirements for agencies to use FedRAMP-authorized services, outline the responsibilities of the FedRAMP Board and the FedRAMP Program Management Office (PMO), and promote a transparent and consistent process for the issuance of security authorizations for cloud services.”
Right now the only timeline that has been set is the one for public comments. Public comments are now open and will remain so until November 27 (one month from the publication of the memo). Leave your public comments if you want your opinions to be considered.
The draft document specifically outlines who these updates will impact. Included in the list are:
Social media is listed as an example of a cloud-based platform in which federal information may or may not be allowed to be communicated.
Access the full document and read it carefully. This is an important proposed update to FedRAMP with many facets to it.