FedRAMP Loves Compliance as Code: Insights from the OMB’s Recent Memo

Today, July 26, 2024, the Office of Management and Budget (OMB) released a memo on their plans to modernize the FedRAMP program titled Modernizing the Federal Risk and Authorization Management Program (FedRAMP).
 
This memorandum rescinds the Federal CIO’s December 8, 2011 memorandum and replaces it with an updated vision, scope, and governance structure for FedRAMP that is responsive to developments in Federal cybersecurity and substantial changes to the commercial cloud marketplace since the program was established.

What’s new in the OMB’s recent memorandum about FedRAMP? 

Let’s start with applauding the OMB on this initiative! It is clear that FedRAMP is building on its past successes towards something even more impactful on cloud security across the Federal government.

Below are a couple of highlights that caught our attention regarding the OMB’s recent memo:

• Beyond FedRAMP, the OMB is opening the door to other certifications, especially at the Low FIPS classification level.
• OMB is doubling down on the presumption of adequacy
• The OMB is also moving away from separate GovCloud environments and focusing on commercial solutions. This is a major win for cloud service providers to gain access to more of the government.
• The OMB is also focusing more on threat and high-risk controls versus general compliance.
• And finally, the OMB’s vision is to focus on automation through machine-readable Risk Management Framework (RMF) documents.

The last piece is more important than anything, with OMB focusing on automating RMF documents in machine-readable formats. Hello, compliance as code! Finally, we have our first compliance as code mandate for OSCAL.  

And why are we so excited about the new direction of FedRAMP?

This path forward keeps all the goodness of the past while addressing many of the pain points from government and industry feedback. From our perspective, the only thing it is missing is removing the requirement for an agency sponsor.  We would love to see FedRAMP take an approach where the industry pays the FedRAMP PMO a fee for processing their certification package – allowing for cost recovery by the PMO and reducing the burden on the taxpayer – and removes a significant obstacle to getting started for the smaller Cloud Service Providers (CSPs). Aside from that remaining issue, we could not love this direction more. 

FedRAMP and NIST are automating the process

FedRAMP and NIST have now formalized what many in the industry have believed for years. The current manual, paper-based compliance processes were not built for a cloud-native world that moves at light speed. The only answer to this problem at scale is automation, and the only basis for automation is a focus on machine-readable formats that allow for automated assessments and a foundation for training AI models to eliminate manual stare and compare exercises. This is where the visionary work of the NIST and FedRAMP OSCAL teams comes in. Their development of OSCAL as a machine-readable foundation (formats like XML, YAML, and JSON) for automating assessments opens a whole new world of possibilities for modern ATO processes.

As the world’s first OSCAL-native Continuous Controls Monitoring (CCM) platform, RegScale is excited to see the efficiencies and risk reduction this approach will deliver as it makes its way across all of government. There is finally light at the end of the Authority to Operate (ATO) tunnel and FedRAMP and NIST shine the flashlight.

Not sure where you can get started with OSCAL?

Step in and evaluate the growing number of OSCAL solutions in the market and build your plans for ATO automation with compliance as code. From OSCAL to SBOM to OCSF, the opportunities for automation grow every day, and we keep getting one step closer to a world where ATOs are easy, self-updating, and real-time, resulting in lower costs and an improved risk posture for the government.

Reach out to RegScale to learn more about OSCAL and how it can accelerate your FedRAMP and ATO path.