Tevora Unpacks FedRAMP Authorization Act

Irvine, CA – January 6, 2023—On December 23, 2022, President Biden signed the National Defense Authorization Act (NDAA) into law, making cloud security for government agencies a top priority for 2023 and the years come. Included in the Defense Departments’ newly acquired $816.7 billion budget, section 5921 of the NDAA brings solidification to cloud security expectations as the government continues the pursuit for cloud-enabled organizations.

In more ways than one, the signing of NDAA and legislation contained within section 5921 sends a clear message to the information technology industry that FedRAMP and cloud security are at the forefront of our nation’s cybersecurity.

Cloud Service Providers (CSPs) should know that government agencies are being mandated to prioritize cloud-enabled solutions, and for cloud solutions to become acquired by government agencies, cloud solutions must be FedRAMP authorized.

In unpacking the NDAA, Tevora has identified a few key features that CSPs, Third Party Assessment Organizations (3PAOs), and the like should know:

• Establishment of a FedRAMP board – With the approval to establish a new FedRAMP board, the government’s cloud security community will see a rapidly maturing program that will bring further input and recommendations regarding requirements, guidelines for, and the prioritization of security assessments for cloud computing products and services. As technology advancements continue to evolve, we can plan for FedRAMP assessment services to maintain pace.
• Roles and responsibilities for agencies – In abiding by FedRAMP requirements, the head of each agency shall promote the use of cloud computing products and services that meet FedRAMP security requirements and other risk-based performance requirements. Additionally, to the extent practicable, for any cloud computing product or service the agency seeks to authorize that has received a FedRAMP authorization, to use the existing assessments of security controls and materials within any FedRAMP authorization package for that cloud computing product or service.

The message is loud and clear: cloud-computing products are to be prioritized for government agencies. Additionally to provide some level of simplification to the authorization process, CSPs can now obtain FedRAMP authorization once and then use existing Authorization To Operate (ATO) certification with other agencies.

• Federal Secure Cloud Advisory Committee – The establishment of Federal Secure Cloud Advisory Committee (“Committee”) will ensure effective and ongoing coordination of agency adoption, use, authorization, acquisition, and security of cloud computing products and services in order to enable administrative priorities. With the newly formed Committee we can expect that agencies will see prioritized efforts for work conducted with FedRAMP authorized, cloud-enabled solutions. 

“Our nation’s continued commitment to the FedRAMP program provides a clear direction for cloud providers to model their security programs after, and further levels up the security of Federal Agencies,” said Jeremiah Sahlberg, Managing Director at Tevora. “We are seeing increasing demand for FedRAMP and StateRAMP services as a sales path for cloud providers to deliver services to Federal and State agencies.” With further formalization to the FedRAMP Authorization Act and legislative mandates for cloud-enabled organizations, FedRAMP is here to stay.

About Tevora

Tevora is a specialized management consultancy focused on cybersecurity. Tevora’s objective is to help keep your organization compliant, and your brand safe. As a certified FedRAMP 3PAO, our federal services division provides advisory, preparatory, and formal assessment services for clients seeking FedRAMP authorization. 

If you have any questions about FedRAMP, or would like to help bring your organization into compliance, just give us a call at (833) 292-1609 or email us at sales@tevora.com.