To round out our series on cybersecurity areas to focus on in 2023 for those who do business with the federal government, we look at developments in FedRAMP and StateRAMP from 2022. See the previous articles in this series (Part 1, Part 2, Part 3, and Part 4) for the rest of the discussion.
FedRAMP Authorization Act – The Federal Risk and Authorization Management Program (FedRAMP) Authorization Act was signed into law as part of the FY23 Defense Authorization Act. The act formally codifies FedRAMP as the definitive standardized security assessment and authorization program for federal procurement of cloud products and services. To encourage further adoption of FedRAMP by government agencies, the law includes a "presumption of adequacy": a FedRAMP-authorized package is presumed adequate for agency authorization, so agencies can use FedRAMP-authorized products without additional review. The act also directs FedRAMP to establish a means of automating security assessments and reviews. Together, these measures should further reduce barriers to government adoption of cloud services and products.
The law also imposes additional rulemaking requirements on the FedRAMP program: any proposed FedRAMP guidance or directive that may affect cloud service providers must go through a public comment period. Finally, it establishes two bodies to guide the program: a FedRAMP Board of federal stakeholders and a Federal Secure Cloud Advisory Council of federal and industry stakeholders.
FedRAMP, Revision 5 Baseline – In early 2022, FedRAMP was in the process of updating its baselines to align with NIST SP 800-53, Revision 5. FedRAMP had planned to release a draft of the new FedRAMP Revision 5 baselines for public comment, but has been notably quiet on the subject since Spring 2022. In Fall 2022, FedRAMP requested additional public comment on updates to its Authorization Boundary Guidance. Our earlier article on the Authorization Boundary Guidance update can be found here.
StateRAMP – Modeled after the FedRAMP program, the State Risk and Authorization Management Program (StateRAMP) provides common standards and models that state and local governments can use to ensure cloud products and services have appropriate security controls in place. In 2022, Arkansas, Colorado, Maine, Nebraska, North Dakota, Vermont, and West Virginia joined StateRAMP as participating government members, bringing the number of StateRAMP participating organizations to 23. The National Association of State Procurement Officials (NASPO) recognizes StateRAMP as a strategic partner that "helps its members succeed as state public procurement leaders" through the development of educational content and resources for state governments.
Putting it into practice – what to expect in 2023: The FedRAMP and StateRAMP programs are expected to continue to gain momentum as adoption becomes more widespread. We continue to await the release of the FedRAMP Revision 5 baselines and the updates to the Authorization Boundary Guidance.
The content of this article is intended to provide a general guide on the subject. You should seek professional advice for your particular situation.