Last week the FedRAMP program achieved a significant milestone: Legislation authorizing the program into law was incorporated into the FY23 National Defense Authorization Act (NDAA). The bill is designed to promote reciprocal treatment of FedRAMP Authorizations to Operate (ATOs) for cloud service providers across agencies, enhancing the “certify once, use many times” principle that has been a foundation of the program since its inception. As a long-time proponent of the FedRAMP process, Zscaler is thrilled to see this outcome after almost six years of effort led by Rep. Gerry Connolly.
Zscaler was an early adopter of the FedRAMP program and a strong believer in its value in improving overall federal cybersecurity. Our leadership in FedRAMP authorizations for securing government IT led to an invitation to testify to the U.S. Senate Homeland Security and Governmental Affairs Committee last November in support of the bill. In my testimony, I emphasized the importance of FedRAMP and how it enabled federal agencies to more quickly shift to cloud services and adapt to work from home during the COVID pandemic.
After achieving our first FedRAMP accreditation in 2018, Zscaler’s commitment to FedRAMP has only grown. We recently became the only cloud security service provider to have our entire Zero Trust Exchange platform FedRAMP Authorized at both the moderate and high levels. This helps give government agencies greater confidence to access modern cloud solutions for zero trust architecture and other services.
Key Aspects of the FedRAMP Bill
The FedRAMP Authorization Act, as included in this year’s NDAA, will usher in a new era for the FedRAMP program. As FedRAMP has grown and expanded over the last 10 years, industry partners have advocated for a formal mechanism to provide feedback to the program management office (PMO) on what’s working and what’s not. The bill establishes a Federal Secure Cloud Advisory Committee, to be made up of government and industry representatives, to help guide the PMO in areas where change may be needed. Further, the bill aims to modernize the Joint Authorization Board, not just by renaming it as the FedRAMP Board, but also by providing it with new flexibilities that will allow it to better serve the needs of CSPs that support federal mission partners. And lastly, the “presumption of adequacy” will go a long way to helping the program finally realize the full spirit of “certify once, use many times.”
This has been a labor of love for those of us who were early champions of the FedRAMP concept. I am especially excited to see GSA stand up the Federal Secure Cloud Advisory Committee to establish a formal mechanism for the PMO and FedRAMP Board to solicit and gather feedback from the broader FedRAMP community to help address challenges associated with the program and drive improvements over time. This, along with the ‘presumption of adequacy’ requirement, which is intended to help make the vision of ‘do once, use many’ a reality, is key to the long-term effectiveness of the program.
We want to thank the members of Congress, and in particular Rep. Connolly, Rep. James Comer, Sen. Gary Peters and Sen. Rob Portman, and their staff for this successful effort to get the FedRAMP Authorization Act bill enacted in the 117th Congress. This legislative initiative took years of committed work, and we appreciate their dedication to improving cybersecurity and expanding access to commercial cloud solutions across the federal government.