Bill to Codify FedRAMP Set for Vote in Senate Committee


If passed, agencies would have to explain their reasons for rejecting previously authorized cloud products or services.

The Senate Homeland Security and Governmental Affairs Committee is about to vote on a bipartisan bill seeking to expedite agencies’ use of secure clouds through the General Services Administration’s Federal Risk and Authorization Management Program, or FedRAMP. 

FedRAMP requires vendors of cloud products or services to obtain security certifications from external third-party assessors before authorizing them to operate on their systems. There is also a Joint Authorization Board made up of various federal officials that can validate and approve vendors’ certifications. Without impinging on the authority of agency heads, the Senate bill calls for a presumption of adequacy for vendors that have already been authorized through the system—an attempt to streamline the process. 

S. 3099, the Federal Secure Cloud Improvement and Jobs Act of 2021, is on the docket for a committee markup Wednesday along with a number of other cybersecurity bills, according to a committee press release. It is noted in the business meeting agenda as the Federal Risk and Authorization Management Act of 2021. The FedRAMP Authorization Act, which is almost identical to the Senate bill passed the House in January and was included in the House-passed National Defense Authorization Act of 2021.

This time around, following a series of broad attacks on the federal enterprise leveraging products from IT management firm SolarWinds and Microsoft resellers, senators are noting increased risks along with benefits associated with cloud products and services. 

“The legislation comes after an announcement from Microsoft, which provides cloud services to multiple federal agencies, that Russia-backed hackers have been relentlessly targeting cloud service companies and others since this summer,” reads a press release Tuesday highlighting the bill’s introduction.

The bill is sponsored by Committee Chairman Gary Peters, D-Mich., with support from Sens. Josh Hawley, R-Mo., Maggie Hassan, D-N.H., and Steve Daines, R-Mont. 

“Cloud-based systems have already shown they can greatly improve government efficiency and save taxpayer dollars, but we must ensure that the technology is safe from relentless cyberattacks,” Peters said. “This important bipartisan bill will make sure that agencies can procure cloud-based technology quickly, while ensuring these systems–and the information they store–are secure. It will also help companies that provide these technologies grow and create jobs, and incentivize them to provide innovative products to bolster our nation’s competitiveness in this space.”

Both the House and Senate bills call for the authorization of $20 million for FedRAMP’s operation and the creation of a Federal Secure Cloud Advisory Committee to be chaired by the GSA administrator. The administrator would appoint its members, which would include representatives from industry to advise government leaders on “technical, financial, programmatic, and operational matters regarding secure adoption of cloud computing products and services.”   

The committee would not have to abide by the rules of the Federal Advisory Committee Act, which requires transparency and open participation from the public. However the bills would require a public comment process before the GSA issues any new guidance on FedRAMP.

Under both pieces of legislation, agency heads would have to submit their cloud procurement policies to the director of the Office of Management and Budget. Under the Senate bill, agencies that decide to reject a previously approved product or service would have to explain why.

“Upon completing an assessment or authorization activity with respect to a particular cloud computing product or service, if an agency determines that the information and data the agency has reviewed … is wholly or substantially deficient for the purposes of performing an authorization of the cloud computing product or service, the head of the agency shall document as part of the resulting FedRAMP authorization package the reasons for this determination,” the bill reads. 


NEXT STORY: Zero-trust has a branding problem