The House last week voted to approve an updated version of legislation that would codify into law and update the Federal Risk and Authorization Management Program (FedRAMP).
The 11-year-old program is operated by the General Services Administration (GSA) to provide a standardized, government-wide approach to security assessment, authorization, and continuous monitoring for cloud products and services used by Federal government agencies.
The Federal Risk and Authorization Management Program (FedRAMP) Authorization Act of 2022, approved by the House on Sept. 29, was introduced by Rep. Gerry Connolly, D-Va., chairman of the House Government Operations Subcommittee and a long-time champion of Federal IT issues in the House.
The bill approved last week represents an updated version of a similar FedRAMP codification bill that passed the House in early 2021, and includes further “technical input” from the Biden administration, according to Rep. Connolly’s office. The latest bill would:
- Codify the FedRAMP program into Federal law;
- Reduce duplication of security assessments and other obstacles to agency adoption of cloud products by establishing a “presumption of adequacy” for cloud technologies that have received FedRAMP certification;
- Facilitate the use of cloud technologies that have already received an authorization-to-operate by requiring agencies to check a centralized and secure repository and, to the extent practicable, reuse any existing security assessment before conducting their own;
- Require that GSA work toward automating its processes, which will lead to more standard security assessments and continuous monitoring of cloud offerings, and increased efficiency for both providers and agencies; and
- Establish a Federal Secure Cloud Advisory Committee to ensure dialogue among GSA, agency cybersecurity and procurement officials, and industry for effective and ongoing coordination in acquisition and adoption of cloud products by the Federal government.
Notable changes in the current version of the bill include:
- Streamlining the Federal Advisory Committee to create a better feedback loop from agencies and cloud service providers;
- Requiring that members of the FedRAMP Joint Authorization Board are technical experts; and
- Requiring transparency for any foreign interest or control of an independent assessment service.
Also last week, the House voted to approve the Chai Suthammanont Remembrance Act of 2022, which was approved by the House Oversight and Reform Committee earlier in September.
The bill, which Rep. Connolly has pushed since the early days of the coronavirus pandemic, would “require the head of each agency to establish a plan relating to the safety of Federal employees and contractors physically present at certain worksites during a nationwide public health emergency declared for an infectious disease,” among other provisions.
“Both of these bills will help ensure that government and the Federal workforce are prepared to serve American communities no matter the context,” Rep. Connolly said last week after the House votes.
“The Chai Suthammanont Act puts employee health and safety at the forefront of government operations during a health emergency and FedRAMP helps agencies adopt cost effective, secure, and nimble cloud technologies so agencies can serve the public anywhere at any time,” he said. “I am grateful to my colleagues on both sides of the aisle who voted to prioritize the wellbeing of our Federal workforce and modernizing our federal information technology systems.”