Bipartisan Bill Aims to Codify and Reform FedRAMP


The bill would also encourage agencies to reuse FedRAMP authorized cloud products.

A pair of House Oversight and Reform Committee lawmakers introduced legislation this week that aims to codify the Federal Risk and Authorization Management Program, or FedRAMP, and ultimately speed up federal cloud migration with more funding and a mandate to reuse authorizations.

Rep. Gerry Connolly, D-Va., who chairs the Subcommittee on Government Operations and introduced the FedRAMP Authorization Act of 2019 with ranking member Mark Meadows, R-N.C., said the bill will reduce redundancies and streamline the program to improve agencies’ modernization efforts. 

For industry products to be used by federal agencies, vendors must put their systems through a security evaluation to receive an authority to operate (ATO) in the government. Operating within the General Services Administration, FedRAMP is intended to standardize and speed up the certification process and can grant provisional ATOs that can be used across federal entities.

But what was only meant to take about six months and cost around $250,000 has some vendors spending much more and waiting years for approval—even after they’ve received certification from other agencies. 

“[FedRAMP] continues to suffer from a lack of agency buy-in, a lack of metrics, and duplicative processes that have resulted in a lengthy and costly authorization process for cloud service providers,” Connolly said.

To combat that issue, he and Meadows revamped legislation that stalled in 2018. The bill would codify each organization’s role and appropriate $25 million for the FedRAMP program management office (PMO) and the Joint Authorization Board (JAB) to “address huge increases in federal cloud IT needs.”

The PMO and JAB are also responsible for developing metrics to evaluate the quality of the security assessments used in FedRAMP authorizations, while the Office of Management and Budget will have to submit an annual report to Congress on the program’s progress. 

But the meat of the bill encourages agencies to reuse FedRAMP authorized cloud products. When agencies are working to issue an ATO for a cloud-based product, the bill requires them to check a repository that the FedRAMP PMO will build for a pre-existing authorization and to reuse the existing security assessments as much as possible.

Agencies must also provide the PMO with an ATO letter any time they wish to issue a new authorization. The office is required to track all cloud-service offerings governmentwide.

The bill also establishes a Federal Secure Cloud Advisory Committee to provide a collaborative problem-solving environment between agencies and industry stakeholders.

“It’s critical that we streamline processes for [FedRAMP] to cut costs, improve efficiency, and better facilitate modernization for their IT systems,” Meadows said. 

This week, GSA announced an Ideation Challenge, which enables stakeholders across industry and government to submit “innovative, actionable ideas” to improve the FedRAMP process.