business man in a futuristic data center

MITRE's Response to the OMB RFI on FedRAMP

MITRE’s data-driven responses to an Office of Management and Budget inquiry requesting input on updated FedRAMP policy.

Download Resources

What’s the issue?  The Office of Management and Budget (OMB) proposes to issue updated guidance to federal agencies on the Federal Risk Authorization Management Program (FedRAMP), first issued in 2011 and established in statute through the FedRAMP Authorization Act in 2022. OMB issued a draft update to the FedRAMP memo and sought feedback on how to enhance it prior to finalization.

What did we do? Our Center for Data-Driven Policy led a cross-MITRE analysis of OMB's posed questions, seeking to uncover data and evidence from our work in the public interest that would help them understand opportunities and develop plans that are evidence-based, actionable, and effective.

What did we find? MITRE thoroughly reviewed OMB’s draft FedRAMP memorandum and believes there are ample opportunities to strengthen this program by improving both the government’s governance and oversight of FedRAMP and industry’s accountability. In addition to providing several comments, MITRE provided two key recommendations:

Government Governance and Oversight. The FedRAMP program needs the support and backing of key government cybersecurity leaders. The director of the Office of the National Cybersecurity Director (ONCD) and the federal chief information officer (CIO) should have a more formal role on the FedRAMP Board as opposed to the optional role currently stated in the draft memorandum. These leaders can also address government-wide topics more successfully, like coordination and reciprocity across other cloud certification processes.

Industry Accountability. The FedRAMP program needs to consider incentives for industry to discover, prevent, and disclose threats and vulnerabilities to their systems and services. These incentives could include a streamlined reauthorization process when updates are made to already-certified offerings. Incentives should also be considered to encourage cloud providers to implement the zero trust principles already required within the federal government.