With NDAA Exclusion, Proponents of FedRAMP Modification Are Down But Not Out


One supporter notes Congress is not the only path to success and is also counting on an incoming Biden administration to reshape the program.

This year’s National Defense Authorization Act will not establish the General Services Administration’s cloud security certification program in statute or pressure agencies to accept its centralized determinations. Supporters of a streamlining effort meant to encourage greater and faster cloud adoption by agencies are now looking ahead to next year.

The final NDAA is expected to pass the House Tuesday afternoon and move on to the Senate without language to revamp GSA’s Federal Risk and Authorization Management Program, or FedRAMP.

“It is critical Congress codify the FedRAMP process into law to ensure its effectiveness in certifying the expertise needed to migrate to the cloud, and eliminate any costly duplicative or outdated technology,” Rep. Gerry Connolly, D-Va., told Nextgov. “Enshrining the FedRAMP process as law will remain a priority as we head into the new Congress.”

Through FedRAMP, cloud service providers can obtain a security authorization from the program’s Joint Authorization Board (JAB), which in theory pre-approves them to fulfill contracts across the government. In practice, individual agencies have their own requirements and conduct their own security reviews, which can mean additional work for prospective vendors even after a JAB authorization.

Connolly introduced the FedRAMP Authorization Act in July 2019. The bill would deliver much of what industry has been asking for in the way of reciprocity, so that a security validation accepted by one agency carries over to another. The legislation instructs the heads of federal agencies to apply a “presumption of adequacy” to the JAB’s authorization to operate.

The bill also calls for the GSA administrator to hire staff as needed for a program management office charged with automating the review process and establishing continuous monitoring.

But after initially passing the House in February, the bill was referred to the Senate Homeland Security and Governmental Affairs Committee, where it languished for months. The House then voted again to pass it as an amendment to its version of the NDAA, and supporters hoped it had found its path to becoming law.

“Now it looks like it’s in limbo and unlikely to move forward in the 116th Congress,” Matthew Cornelius, executive director of the Alliance for Digital Innovation, told Nextgov.

The House receded from the provision, according to the NDAA conference report lawmakers released Thursday, which offered no explanation.

Cornelius, who previously served as a cybersecurity and technology advisor at both GSA and the Office of Management and Budget, said it was not his sense that there were any substantive disagreements over the bill; rather, competing priorities ultimately led to its removal from the NDAA.

“We certainly encouraged [the Senate Homeland Security and Governmental Affairs Committee] to take it up but, Chairman [Ron Johnson, R-Wis.], he picks what goes on the docket. They had other priorities and you know, that happens to hundreds of bills throughout every single Congress.”

As a result, there were no Senate hearings on the bill, and senators reasonably want a robust understanding of the legislation, Cornelius said.

While the FedRAMP Authorization Act’s chances are dimming in this Congress, its proponents are resolved to continue making their case and do not see the legislative route as the be-all and end-all.

“We'll come back and work with the House and the Senate in the 117th, try to get some movement there, address any concerns that the Senate might have and see if we can find a compromise version that can move starting in January,” Cornelius said. “Even without legislation, you know, we've also pushed on OMB and GSA and the CIO Council to do a full review and reissue the almost 10-year-old federal memo” that put the program in place.

The Alliance for Digital Innovation, which represents companies from across the cloud computing space, and other supporters will continue that push into the next administration, Cornelius said.

“There's still a lot of steps that OMB and a President-elect Biden administration can take to improve the operations of the program to address some of the issues that agencies and industry have identified,” he said. “We would certainly push for President-elect Biden's folks and whoever he brings into GSA, into the federal CIOs office to make this a first-tier priority.”