Bill Would Force Agencies to Honor FedRAMP Authorizations

Eight years after the creation of the Federal Risk and Authorization Management Program, or FedRAMP, the program is still evolving and one lawmaker wants to push that along.

Rep. Gerry Connolly, D-Va., Thursday introduced the FedRAMP Reform Act of 2018, which looks to streamline the authorization process by encouraging agencies to reuse existing authorities to operate, or ATOs.

The FedRAMP program management office validates ATOs, which certify a base security level for cloud IT systems, but that process is often lengthy and expensive for third-party vendors seeking authorization. FedRAMP has moved to shorten the time and lessen the expense, but it remains an arduous process.

“Despite its best efforts, the Federal Risk and Authorization Management Program continues to suffer from a lack of agency buy in, a lack of metrics and duplicative processes that have resulted in a lengthy and costly authorization process for cloud service providers,” Connolly said. “The FedRAMP Reform Act clarifies the responsibilities of federal and private sector stakeholders, establishes a process for metrics so Congress can evaluate the progress of the program and provides FedRAMP customers with the certainty and process reforms they have long sought.”

The legislation codifies the program as law and clearly establishes the roles and responsibilities of other agencies and offices. For example, the Office of Management and Budget is responsible for setting high-level guidance for the program management office and agencies, while the General Services Administration—which houses the FedRAMP PMO—is responsible for day-to-day activities.

Connolly puts the onus on OMB to ensure that agencies are complying with its guidance and getting FedRAMP certifications before turning on new systems. The bill also calls for FedRAMP, OMB and GSA to develop and stick to metrics for tracking implementation across government.

But the likely the most impactful part of the legislation requires agencies to report their ATOs to FedRAMP, which will give the program office better situational awareness and help the program reach one of its main goals: authorize once, use many.

Rather than require each agency and program to go through its own authorization process for each system, FedRAMP was designed to allow agencies to reuse ATOs for the same vendors and products, saving time and money. This hasn’t always been realized, as many agencies want to do their own due diligence when it comes to security.

In that same vein, Connolly’s bill would force agencies to default to using ATOs issued by FedRAMP’s in-house Joint Authorization Board.

“Any provisional authorization to operate issued by the Joint Authorization Board shall be considered to be presumptively adequate by agencies, subject to technical or programmatic rebuttal by an agency that disagrees with adequacy or sufficiency of the certification,” the bill reads.

However, it clearly states that none of this abdicates the responsibility of agency security officers for the ultimate security of their systems.

The legislation also requires annual reports to Congress on the “status and performance” of the FedRAMP PMO and develop processes to continuously review and update the program’s procedures.

GSA officials declined to comment on pending legislation.