{"id":8623,"date":"2024-01-11T16:53:25","date_gmt":"2024-01-11T21:53:25","guid":{"rendered":"https:\/\/www.carahsoft.com\/wordpress\/?p=8623"},"modified":"2025-04-03T12:06:12","modified_gmt":"2025-04-03T17:06:12","slug":"carahsoft-fedramp-shift-to-modernized-cloud-security-framework-blog-2024","status":"publish","type":"post","link":"https:\/\/www.carahsoft.com\/wordpress\/carahsoft-fedramp-shift-to-modernized-cloud-security-framework-blog-2024\/","title":{"rendered":"Revitalizing FedRAMP: Navigating the Shift to a Modernized Cloud Security Framework"},"content":{"rendered":"

The Federal Risk and Authorization Management Program (FedRAMP) was created over a decade ago to provide a standardized approach to security assessment, authorization and continuous monitoring for cloud products and service used by Federal agencies. Embracing the dynamic advancements in cloud technology, FedRAMP has recognized the importance of modernizing to keep pace with the rapid developments in the cloud landscape. The Office of Management and Budget (OMB) released a draft memorandum in October 2023 that outlined a comprehensive FedRAMP framework, emphasizing adaptability, automation and cooperation to address evolving cloud service requirements.<\/span>\u00a0<\/span><\/p>\n

An Opportunity for Modernization<\/span><\/b>\u00a0<\/span><\/h2>\n

As technology continues to evolve, so do the advancement opportunities in the realm of cloud security for Federal agencies. With the expansion of cloud offerings and the increasing demand for cloud-based services, FedRAMP is undergoing a significant overhaul to meet the changing landscape. The new OMB FedRAMP guidance will replace the original guidance published in 2011, a year in which the cloud security climate looked drastically different and less complex than today. Changes to address the evolving threat landscape include tools for enterprise collaboration, product development and improving an enterprise\u2019s own cybersecurity. Having already authorized more than 300 authorized services in the FedRAMP Marketplace, FedRAMP recognizes the need to add more solutions for agencies to have all the required capabilities to deliver on their missions.<\/span>[1]<\/span><\/p>\n

OMB aims to address these challenges by establishing a plan to scale the program, bolster security reviews of cloud solutions and accelerate Federal adoption. Drew Myklegard, the Deputy Federal CIO, said during CyberTalks, a gathering of the most influential leaders in cybersecurity and digital privacy, \u201cThere\u2019s a lot of room in the FedRAMP process with friction and [manual] steps that are causing too long of times from when people identify a product that they need until they can employ it.\u201d<\/span> [2]<\/span>\u00a0<\/span><\/p>\n

The New FedRAMP Guidance<\/span><\/b>\u00a0<\/span><\/h2>\n

\"CarahsoftAutomation and Continuous Monitoring (ConMon) stand at the forefront of FedRAMP modernization as the memo underscores the significance of automation and the use of machine-readable formats for authorization and ConMon artifacts. The new guidance will create a system for automating security assessments and reviews, as well as expand on the initiative to obtain FedRAMP security artifacts solely through automated, machine-readable processes. The General Services Administration (GSA) also plans to update ConMon processes within 180 days and exclusively accepting machine-readable artifacts within 18 months.\u00a0<\/span>\u00a0<\/span><\/p>\n

By automating security assessments and reviews, FedRAMP is looking to streamline the authorization process, reduce the time and cost of compliance, and improve the accuracy and consistency of security assessments. An added benefit is that automation will help identify and mitigate security risks more quickly and effectively, improving the overall security posture of cloud-based services used by the Federal Government.\u00a0<\/span>\u00a0<\/span><\/p>\n

The key changes proposed in the new guidance will:<\/span>\u00a0<\/span><\/p>\n