Leadership of the House Government Reform Subcommittee introduced legislation today that would codify into law the FedRAMP (Federal Risk and Authorization Management Program), and take a number of other actions aimed at making the program work more efficiently.
Rep. Gerry Connolly, D-Va., chairman of the subcommittee, and Rep. Mark Meadows, R-N.C., previewed the legislation at a subcommittee hearing last week during which they displayed solid bipartisan support for the measure.
FedRAMP was created in 2011 to standardize security requirements of cloud services used by the government, but according to the bill’s sponsors, the program has been “slow to implement standardized practices and realize efficiencies in the certification process.”
The bill introduced today follows the broad outline of similar legislation introduced last year, with some new wrinkles.
First, the measure would codify into Federal law:
- The FedRAMP program;
- The Office of Management and Budget’s (OMB) responsibility to ensure agency compliance with the new law, and FedRAMP guidance and requirements;
- The General Services Administration’s (GSA) “responsibility for developing a process for secure assessments, adjudicating disagreements between the FedRAMP Joint Authorization Board (JAB) and cloud service providers, and overseeing the FedRAMP Program Management Office (PMO)”;
- The location of the FedRAMP PMO within GSA;
- The responsibility of the FedRAMP JAB for reviewing security assessments and issuing provisional authorizations to operate (ATO) for cloud service offerings;
- The membership of JAB as three security experts – one each from GSA, the Defense Department (DoD), and the Homeland Security Department (DHS); and
- The role of private sector “independent assessment organizations … of assessing, validating, and attesting to the quality and compliance of security materials provided by cloud service providers seeking to contract their products and services with the Federal government.”
The legislation also would:
- Reduce duplication of security assessments by establishing a presumption of adequacy, including “language that any cloud service security assessment underlying a FedRAMP authorization, issued by either the JAB or the FedRAMP PMO, shall be considered adequate for all federal agencies”;
- Facilitate agency reuse of FedRAMP authorized cloud products, and agency compliance with FedRAMP requirements, by, among other steps, requiring agencies to check for existing ATOs and authorizations, and to reuse existing security assessments;
- Require agencies to report their ATOs to the FedRAMP PMO, and require the PMO to track ATOs for all cloud service offerings governmentwide “which could enable an increase in the number of FedRAMP authorized products” available in the marketplace;
- Authorize an appropriation of $25 million for the JAB and FedRAMP PMO “to address huge increases in Federal cloud IT needs, which is an increase over historical spending levels”;
- Allow the detail of personnel from other agencies to JAB and the FedRAMP PMO to assist in carrying out their responsibilities;
- Require JAB and the FedRAMP PMO to develop metrics for the time and quality of security assessments used to issue FedRAMP authorizations, and issue related reports to Congress;
- Establish the Federal Security Cloud Advisory Committee that would ensure dialogue among “GSA, agency cybersecurity and procurement officials, and industry for effective and ongoing coordination in acquisition and adoption of cloud products by the federal government,” and provide a forum for industry to bring concerns to GSA and Federal agencies “in a public setting that fosters a collaborative problem-solving environment to continuously improve the program.”
FedRAMP “continues to suffer from a lack of agency buy in, a lack of metrics, and duplicative processes that have resulted in a lengthy and costly authorization process for cloud service providers,” said Rep. Connolly in announcing the legislation. “Our bipartisan bill will streamline the FedRAMP process and reduce the redundancies in federal cloud migration, so federal agencies can modernize their IT and realize cost-efficiencies,” he said.
“It’s critical that we streamline processes for the Federal Risk and Authorization Management Program (FedRAMP) to cut costs, improve efficiency, and better facilitate modernization for their IT systems. I’m grateful to work with Gerry Connolly on this bipartisan legislation that will do just that,” said Rep. Meadows.