Today, Congressman Gerry Connolly, Chairman of the Government Operations subcommittee, and Mark Meadows, Ranking Member of the Government Operations subcommittee, introduced bipartisan FedRAMP reform legislation. The Federal Risk and Authorization Management Program (FedRAMP) Authorization Act of 2019 would codify FedRAMP, address agency compliance issues, provide funding for the FedRAMP Project Management Office (PMO) and Joint Authorization Board (JAB), and establish new metrics for proper implementation.
“The Federal Risk and Authorization Management Program (FedRAMP) continues to suffer from a lack of agency buy in, a lack of metrics, and duplicative processes that have resulted in a lengthy and costly authorization process for cloud service providers,” said Connolly. “Our bipartisan bill will streamline the FedRAMP process and reduce the redundancies in federal cloud migration, so federal agencies can modernize their IT and realize cost-efficiencies.”
“It’s critical that we streamline processes for the Federal Risk and Authorization Management Program (FedRAMP) to cuts costs, improve efficiency, and better facilitate modernization for their IT systems. I’m grateful to work with Gerry Connolly on this bipartisan legislation that will do just that,” said Meadows.
FedRAMP was developed to provide a government-wide program that would offer a standardized approach to security assessment, authorization, and monitoring for cloud products and services and bring the federal government into the 21st century. Unfortunately, the process has been slow to implement standardized practices and realize efficiencies in the certification process
Following agency and stakeholder input, Connolly and Meadows incorporated changes to the 2018 legislation. The new legislation would do seven things:
1. Codify the Federal Risk and Authorization Management Program (FedRAMP) and defines the roles and responsibilities of federal agencies and independent assessment organizations to ensure appropriate security of cloud-based information technology (IT).
- Codifies the Office of Management and Budget’s (OMB’s) responsibility for ensuring agency compliance with the Act and other FedRAMP guidance and requirements.
- Codifies the General Services Administration’s (GSA’s) responsibility for developing a process for secure assessments, adjudicating disagreements between the FedRAMP Joint Authorization Board and cloud service providers, and overseeing the FedRAMP Program Management Office.
- Codifies the FedRAMP Program Management Office (PMO) within GSA. The FedRAMP PMO is responsible for day-to-day implementation of FedRAMP, including issuing guidance and templates to cloud service providers and independent assessment organizations to facilitate the authorization process, authorizing existing agency ATOs that have met FedRAMP requirements, and ensuring continuous improvement of the program through initiatives such as increasing the automation of security assessments.
- Codifies the Joint Authorization Board’s (JAB’s) responsibility for reviewing security assessments and issuing provisional authorizations to operate for cloud service offerings.
- Codifies membership of the JAB as three security experts, one member from each of the following agencies: the Department of Defense, Department of Homeland Security, and the General Services Administration.
- Codifies the role of independent assessment organizations (all private sector) of assessing, validating, and attesting to the quality and compliance of security materials provided by cloud service providers seeking to contract their products and services with the federal government.
2. Reduces duplication of security assessments by establishing a presumption of adequacy.
- Includes language that any cloud service security assessment underlying a FedRAMP authorization, issued by either the JAB or the FedRAMP PMO, shall be considered adequate for all federal agencies.
- Prohibits an agency from relitigating a security assessment will help eliminate redundant processes. Under the bill, agencies will no longer be able to re-do assessments that have been facilitated by independent assessment organizations and cleared by the JAB, or authorized by an individual agency and approved by the FedRAMP PMO.
3. Facilitates agency reuse of FedRAMP authorized cloud products and agency compliance with FedRAMP requirements.
- Makes the FedRAMP PMO responsible for issuing examples of security architectures to agencies and cloud service providers to better standardize and replicate secure configurations.
- Makes the FedRAMP PMO responsible for establishing a centralized and secure repository to enable better sharing and reuse of security assessment packages.
- Requires that agencies, when looking to issue an authorization to operate (ATO) for a cloud computing product or service, check the secure repository for an existing P-ATO or FedRAMP authorization, and to the extent practicable, reuse the existing security assessment.
4. Requires agencies to report their authorizations to operate.
- Requires agencies, when issuing an ATO, to provide a copy of the ATO letter to the FedRAMP PMO.
- Requires the FedRAMP PMO to track ATOs for all cloud service offerings government-wide which could enable an increase in the number of FedRAMP authorized products available on the FedRAMP marketplace.
- Provides OMB and the FedRAMP PMO with visibility into cloud systems in use throughout the federal government.
5. Ensures adequate authorization of resources to operate FedRAMP.
- Allows the detail of personnel from other agencies to the JAB and FedRAMP PMO to assist in carrying out their responsibilities.
- Authorizes an appropriation of $25 million for the JAB and FedRAMP PMO to address huge increases in federal cloud IT needs, which is an increase over historical spending levels.
6. Establishes metrics that can be tracked to ensure proper implementation of FedRAMP.
- Requires the FedRAMP PMO and the JAB to develop and adopt metrics regarding the time and quality of security assessments used to issue FedRAMP authorizations.
- Requires OMB to submit an annual report to Congress on the status, efficiency, and effectiveness of FedRAMP, including its progress towards meeting metrics consistently tracked over time. The report also requires an update on progress made to automate FedRAMP processes.
7. Establishes the Federal Secure Cloud Advisory Committee.
- Ensures dialogue among GSA, agency cybersecurity and procurement officials, and industry for effective and ongoing coordination in acquisition and adoption of cloud products by the federal government.
- Provides a forum for industry to bring concerns to GSA and agencies in a public setting that fosters a collaborative problem-solving environment to continuously improve the program.
Text of the legislation is available here.
Connolly and Meadows held a Government Operations subcommittee hearing on FedRAMP on July 17.
