February 8, 2023

Volume XIII, Number 39


Do Business With the Federal Government? Here’s a 2022 Cybersecurity Recap: Part Five – Further Adoption of FedRAMP & StateRAMP

To conclude our series of cybersecurity areas to focus on in 2023 for those who do business with the Federal government, we look at the FedRAMP and StateRAMP developments from 2022. For the rest of this series, see our prior articles (Part One, Part Two, Part Three, and Part Four).

FedRAMP Authorization – The Federal Risk and Authorization Management Program (FedRAMP) Authorization Act was signed into law as part of the FY23 National Defense Authorization Act. The Act officially codified FedRAMP as the definitive standardized security assessment and authorization program for federal procurement of cloud products and services. To encourage further agency adoption of FedRAMP, the Act includes a “Presumption of Adequacy” which states that a FedRAMP authorization package is presumed adequate for any agency authorization. This allows an agency to use a FedRAMP authorized offering without having to conduct any additional review. FedRAMP is also directed to establish a means for the automation of security assessments and reviews. These measures should further reduce barriers for agency adoption of cloud services and products.

The Act subjects the FedRAMP program to additional rulemaking requirements – any proposed FedRAMP guidance or directives that may have an impact on cloud service providers must undergo a public comment period. Additionally, the Act also calls for the creation of two advisory boards that will provide additional guidance to the program: the FedRAMP Board, consisting of federal stakeholders, and the Federal Secure Cloud Advisory Committee, comprised of federal and industry stakeholders.

FedRAMP, Revision 5 Baselines – In early 2022, FedRAMP was in the process of updating its standards to better align with NIST SP 800-53, Revision 5 standards. FedRAMP planned on releasing a draft of the new FedRAMP Revision 5 baseline standards for public comment, but has been notably silent since spring 2022. In Fall 2022, FedRAMP sought additional public comment on updating the Authorization Boundary Guidance. You can read our article about the rulemaking for the Authorization Boundary Guidance here.

StateRAMP – Modeled after the FedRAMP program, the State Risk and Authorization Management Program (StateRAMP) provides a common standard and model for states and local governments to verify that cloud products and services have appropriate security controls in place. In 2022, Arkansas, Colorado, Maine, Nebraska, North Dakota, Vermont, and West Virginia joined StateRAMP as participating government members, bringing the number of StateRAMP participating organizations to 23. The National Association of State Procurement Officials (NASPO) announced the addition of StateRAMP as a strategic partner to “help its members achieve success as public procurement leaders in their states” through the development of educational content and resources for state governments.

Putting it Into Practice – What to expect in 2023: We expect that FedRAMP and StateRAMP programs will continue to gain traction as adoption of these programs becomes more widespread. We continue to eagerly await the release of the FedRAMP, Revision 5 baselines and any updates to the Authorization Boundary Guidance.

Copyright © 2023, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume XIII, Number 25

About this Author

Townsend Bourne, Government Affairs Attorney, Sheppard Mullin Law Firm
Associate

Ms. Bourne's practice focuses on Government Contracts law and litigation. Her experience includes complex litigation in connection with the False Claims Act, bid protest actions both challenging and defending agency decisions on contract awards before the Government Accountability Office and Court of Federal Claims, claims litigation before the Armed Services Board of Contract Appeals and the Civilian Board of Contract Appeals, investigating and preparing contractor claims, and conducting internal investigations. 

Ms. Bourne advises clients on a...

202-469-4917
Lauren Weiss Associate Washington D.C. Sheppard, Mullin, Richter & Hampton LLP
Associate

Lauren Weiss is an associate in the Government Contracts, Investigations & International Trade Practice Group in the firm's Washington, D.C. office.

Areas of Practice: Lauren’s practice focuses on government contracts litigation, investigations, and counseling matters including the following areas: Cybersecurity counseling, Internal Investigations, Regulatory compliance, Bid protests before the U.S. Government Accountability Office, Civil False Claims Act litigation defense, and Transactional due diligence.

Prior...

202-747-2678