IBM's Recommendations to Modernizing FedRAMP
Dec 22, 2023

Clare Martorana
Federal Chief Information Officer
Office of Management and Budget

December 22, 2023

Re: Public comment on the proposed memorandum titled "Modernizing the Federal Risk and Authorization Management Program (FedRAMP)"; Docket ID: FR Doc. 2023–23839; RIN 88 FR 73878
Submitted via regulations.gov

IBM appreciates the Office of Management and Budget and the Office of the Federal Chief Information Officer engaging stakeholders across the cloud community on this draft memorandum, especially given the significant impacts it could have on cloud service providers to the U.S. government.

The use of cloud services has increased dramatically over the past 13 years since the inception of FedRAMP, and changes are needed if FedRAMP is to keep pace with the technological innovations sweeping the industry. Unless FedRAMP adapts, the government’s access to new, cutting-edge cloud service offerings will be at risk. The use of cloud services enables the maximization of specialized skills as well as the ability to continuously modernize through adoption of new features, applications, and security.

FedRAMP can and should continue to strive to help federal agencies consolidate duplicative processes and reduce the burden on industry and government by encouraging as much reuse between agencies as possible. Successful outcomes to these changes would be quantitatively more, qualitatively easier, and less complex FedRAMP authorizations for agencies as well as for small and large cloud service providers.

Thus, IBM supports many of the changes to FedRAMP in this draft memo including:
• The proposed FedRAMP program structure that invites more agencies to participate more easily in the process through the adoption of single and joint agency authorizations;
• Preliminary authorizations that are essential for supporting innovation and reducing the delays of having to obtain full sponsorships. This creates a clear path for agencies to pilot cloud services with a natural progression for a sponsor and larger investment; and
• Continuous monitoring support to all agency customers of authorized FedRAMP products and services.

Overall, we remain optimistic about this effort to modernize the program but know that the crux of change will come in the execution of the memo and its aims. As such, IBM encourages OMB and GSA to remain engaged with the cloud services community and flexible to tweak aspects of the program as necessary. As OMB considers revisions to the draft memo, we offer the following suggestions:

Consistent Terminology
The memo appears to treat Cloud Service Providers (CSPs), Cloud Software Vendors, and Cloud Providers interchangeably, without differentiating how each distinct entity is treated. Some sections address CSPs exclusively, raising questions about how CSPs differ from Cloud Software Vendors. IBM suggests ensuring consistent use of these terms throughout the memo.

Harmonization with DoD
In line with the Office of the National Cyber Director’s request for information on harmonization, we recommend including language in the memo that enables harmonization and synergy between FedRAMP and DoD impact levels (IL) to lower barriers to entry and support rapid adoption of new technologies. Specifically, IL4 and FedRAMP High could be designated as equivalent for reciprocity purposes.

Critical Acceleration
To ensure resources are allocated effectively, the FedRAMP PMO should clearly describe a process for where and how waivers, preliminary authorizations, and full authorizations should be used, and how each should flow into the next. This process should include a transition plan, developed together with CSPs, for already certified offerings, in-progress JAB P-ATOs, and in-progress JAB SCRs.

Scope Considerations
The memo emphasizes the expedited inclusion of Software-as-a-Service (SaaS) offerings to enhance the usability of commercial clouds. However, it is critical to consider the same inclusion and use of Platform-as-a-Service (PaaS) offerings and to acknowledge the exponential rise in complexity of managing these diverse cloud services.

Promote Bidirectional Information Sharing
Expanding on the memo's idea of the FedRAMP PMO serving as a central point of contact for the government to gather information about cloud products and services, IBM also suggests that the FedRAMP PMO be leveraged in the other direction, acting as a single point of contact for industry to receive information about changes to government use of cloud services. OMB, through the CIO Council and other groups, should support GSA and the FedRAMP PMO with the information that should be communicated to industry. This would also promote harmonization in the use of cloud services across the federal government.

Leverage Use Cases and Capabilities to Define Acceptance of External Security Frameworks
Specify the process for evaluating external security frameworks (ISO, SOC 2, etc.) that considers use case and capability for acceptance, such as DNS, DDoS protection, log analytics, vulnerability scanners, SIEM, IAM, and so forth. We recommend defining technology use cases and aligning those use cases to the external frameworks that will be accepted, eliminating case-by-case analysis of each.

Clarify Implementation Timelines and Other Details
More detail on the vision for the new FedRAMP would help industry prepare and take swift action, particularly regarding:
• Commercial cloud: How will it be accepted and what are the expected changes to physical architecture?
• How does logical separation work for reporting requirements? How does DoD consume these services?

In conclusion, IBM supports OMB's effort to modernize FedRAMP so that USG agencies can more rapidly adopt cutting-edge cloud solutions. We have offered a number of suggestions and requests for clarification to ensure the changes are executed successfully. We welcome continued engagement by OMB, GSA, and the FedRAMP PMO as this memo is finalized and implemented, and urge OMB and GSA to continue to engage industry to ensure that changes to FedRAMP strengthen the government's access to new, cutting-edge cloud service offerings.

– Mark Johnson, Vice President, Federal Technology

– Cloud Policy Executive Cybersecurity Policy Executive