FSCAC FedRAMP discussion paper for May 25, 2023 meeting

Purpose  

To inform its exercise of oversight and statutory responsibilities, OMB seeks input regarding specific challenges and opportunities related to the Federal Risk and Authorization Management Program. In particular, OMB is looking for meaningful feedback from Federal Secure Cloud Advisory Committee members on improving FedRAMP’s effectiveness at ensuring agile and secure use of the commercial cloud by the Federal Government. 

Background

FedRAMP was established in 2011 by the Office of Management and Budget to safely accelerate the adoption of cloud services by federal agencies, and to help those agencies avoid duplicating effort by offering a consistent and reusable authorization process. Since its establishment, FedRAMP has operated by partnering with agencies and third-party assessors to identify appropriate cloud services, evaluate those services against a common baseline of security controls, and create authorization packages that enable agency authorizing officials to more easily make informed risk-based decisions concerning the use of those cloud services.

At the beginning of the FedRAMP program, the federal government had a significant focus on securely facilitating use of large-scale commercial Infrastructure-as-a-Service providers, which offer virtualized computing resources that are natively designed to be more scalable and automatable than traditional data center environments. In the years since, the commercial cloud marketplace has grown, especially in the area of Software-as-a-Service (SaaS). The COVID-19 pandemic further accelerated the growth of the SaaS market, as shifts in the workplace landscape led more organizations to rely on remote collaboration tools for their workforce and to expand the online services they provide to their customers.

Recognizing the value that FedRAMP has provided to Federal agencies and to industry, but with the clear need to update the program in response to a changing industry and offerings landscape, Congress passed the FedRAMP Authorization Act in December 2022 as part of the annual Defense Authorization Act. As part of that legislation, OMB is tasked with issuing “guidance describing additional responsibilities of FedRAMP and the FedRAMP Board to accelerate the adoption of secure cloud computing products and services by the Federal Government.” 

Discussion

The purpose of the FedRAMP program is to increase the Federal adoption of cloud services, while focusing cloud providers and agencies on the highest value work and eliminating redundant authorization and continuous monitoring efforts.

To achieve the above, OMB wants to grow the FedRAMP marketplace, simplify the process for industry and agencies alike, promote effective risk management, and leverage opportunities to incorporate automation into the FedRAMP process. Automating key components of the FedRAMP process accelerates the timelines to achieve authorization, promotes reuse, and opens doors to future continuous monitoring capabilities that enable effective and timely risk management.

Ultimately, OMB believes FedRAMP should be able to grow the FedRAMP marketplace to include thousands of different cloud-based services over time, accelerating key agency operations while allowing agencies to directly manage smaller IT footprints and better focus resources on their core missions.

Specific areas where OMB is seeking input to expand opportunities and address challenges surrounding the FedRAMP program

OMB requests that FSCAC members review this paper ahead of the meeting and welcomes verbal responses members have to any of the questions during the meeting.

Governance and Authorizations. FedRAMP has been governed by a Joint Authorization Board (JAB) consisting of representatives from DHS, DoD, and GSA.  Each of these agencies has established an internal program office, led by technical representatives, to perform key FedRAMP functions.  These functions include reviewing authorization packages, conducting continuous monitoring, and reviewing FedRAMP procedure documents, among many other activities.  The JAB approves each provisional authorization issued to an individual cloud service provider, and each JAB member has a team that supports ongoing review and monitoring processes on a per-CSP basis.

The FedRAMP Authorization Act establishes a FedRAMP Board, replacing the JAB, that includes representatives from DHS, DOD, and GSA and up to four additional members.  In line with the Act, OMB is looking at expanding the Board to enhance agency representation and better integrate the program with the Federal community.

The FedRAMP Program supports multiple forms of authorizations to promote reusability while accommodating different Federal Government use cases.  An important priority (and challenge) of the FedRAMP program is to support flexibility while promoting reuse and maintaining a general trust in any authorization associated with FedRAMP.

Therefore, OMB is considering adjustments to the FedRAMP authorization model, with the goal of having all FedRAMP authorizations held to a well-understood set of security principles, and creating more efficiency in authorizations issued jointly by multiple agencies.  More generally, the FedRAMP program is expected to consider feedback from industry and agencies on where improvements can be made, including new authorization structures.  To assist the program in those efforts, OMB is seeking input responsive to the following questions:

  • What are the most important areas for the FedRAMP Board to focus on when setting a strategic direction for the program and making the program operations more efficient?
  • What are potential ways to scale the FedRAMP program to increase reuse and the overall number of CSP products?
  • To both CSPs and agencies: what areas of the process require the greatest investment of time and/or money?
  • In addition to the current model of agency authorizations and JAB provisional authorizations, what other types of FedRAMP authorizations could be helpful in meeting program goals?  
  • Are there major areas of cybersecurity, including the risks posed by disruptive technologies, that are not yet incorporated into the FedRAMP process but should be?  
  • What would be the impact of having the FedRAMP Board review and approve requirements governing how authorizations are performed, rather than directly performing and approving each joint authorization?
  • What practices or policy changes might encourage or ease the process of small businesses seeking to receive FedRAMP authorizations for their products or services? 

Scope and Applicability. FedRAMP is broadly intended – in statute and in its original OMB mandate – to standardize Federal agencies’ approach to using commercial cloud.  However, cloud products (especially SaaS) have become more diverse over time, so it is not always clear within the Federal environment how to consistently and appropriately apply FedRAMP requirements.  This uncertainty can result in differing formal or de facto policies across agencies, weakening the governmentwide consistency that FedRAMP is intended to promote.  This dynamic can also cause agencies not to seek FedRAMP authorization for the use of a service that may merit one, or to require FedRAMP authorizations for services that either have negligible security impact or do not store Federal information.

OMB is considering how to determine and define which kinds of cloud-based services should be within the scope of FedRAMP. 

  • What categories of externally hosted cloud services should be included within or excluded from the scope of FedRAMP? 
  • Are there specific usage scenarios for cloud-based services that the FedRAMP program should consider in or out of scope? 

Reciprocity and flexibility in compliance regimes. Today, FedRAMP relies on applying a baseline derived from the set of security controls described in NIST Special Publication 800-53, as well as generally applying other security requirements for Federal agencies, such as policies and directives issued by OMB and DHS’s Cybersecurity and Infrastructure Security Agency (CISA).

OMB is seeking feedback on the appropriateness and efficacy of accepting security artifacts and assessments based on other widely used security frameworks and compliance regimes. 

  • What industry or alternate security frameworks, if any, should the FedRAMP program consider leveraging to help accelerate and reduce the burden of obtaining a FedRAMP authorization? Should this differ depending on the type of FedRAMP authorization?
  • How should the FedRAMP program consider potential gaps in mapping controls and security requirements between frameworks?

Automation. The use of automation throughout the FedRAMP lifecycle is essential to ensuring effective operations for both Federal government and industry partners. OMB is working with GSA counterparts to consider efforts to automate and streamline all parts of the FedRAMP authorization process including the development of security assessment plans, security assessment reports, and plans of action and milestones.

OMB and GSA are also collaborating to digitize and streamline additional documentation required of vendors, including small businesses. Determining the technical means to automate system security documentation, in addition to other FedRAMP processes, is a key component of the FedRAMP modernization efforts. Additionally, continued research of emerging technologies and state-of-the-industry practices will be necessary to future automation efforts in supporting program growth. Questions for discussion include:

  • What areas of the current process can benefit most from automation?
  • What parts of the FedRAMP process currently require redundant or manual work?
  • What industry practices can be leveraged to accelerate the automation of security requirements?  
  • What automation practices can best support the participation of small businesses in the FedRAMP Program?
  • What parts of the FedRAMP process should not be automated and why?
  • What needs to happen to enable baseline security controls to be consistently validated in an automated manner and the results captured in machine-readable data? Are there controls that cannot currently be validated in this way? 

Continuous monitoring. Agencies are required to conduct continuous monitoring activities on IT systems they use, including cloud services.  Currently, cloud service products and services that are authorized by agencies and also have FedRAMP authorizations receive little continuous monitoring from the FedRAMP program office, with the JAB providing continuous monitoring support for offerings approved centrally through the JAB. With the focus on new and flexible authorization models for cloud products and services, OMB is seeking input on enabling FedRAMP to take a more direct posture in providing continuous monitoring of FedRAMP authorized offerings that will enable agency authorizing officials to make risk-based decisions. 

  • What aspects of the continuous monitoring process are the most burdensome to additional adoption of cloud products and services by Federal agencies?  
  • Could standardization, centralization, and automation of some of those functions reduce costs, improve trust, or expand reuse of offerings?  
  • Are there any drawbacks or specific obstacles to the FedRAMP Program taking a larger and more direct role in continuous monitoring of cloud solutions? 
  • Are there any advantages to the FedRAMP Program taking a more direct role in continuous monitoring of cloud solutions? 

Permitting third-party-led authorizations. OMB welcomes feedback on whether and how the Federal government could permit private sector third-party organizations to perform core authorization and assessment functions that today are performed by agency sponsors, the FedRAMP program, or the JAB. 

For clarity, this proposal is not necessarily based on the current FedRAMP Third Party Assessment Authorizations (3PAO) process and would not necessarily involve the companies that currently function as 3PAOs.  This prompt is intended to holistically consider what role the private sector could play in the FedRAMP authorization process to effectively assess the security of cloud services and accelerate core processes. 

  • At a high level, how could/should the federal government incorporate third party private sector actors into the authorization process?
  • If the federal government were to allow companies to perform more of the authorization work associated with a FedRAMP authorization, how should GSA manage its accreditation and oversight of the process?
Last updated: Aug 21, 2024