New bill bakes FedRAMP into law

Virginia Democrat Gerry Connolly is pushing a bill to set clear lines of responsibility and compliance for the cloud authorization process.


Citing anemic agency interest, duplicative processes and scattershot implementation metrics, Rep. Gerry Connolly (D-Va.) introduced a bill that would reform the Federal Risk and Authorization Management Program, clarifying agency roles, compliance and implementation processes.

Connolly, vice ranking member of the House Committee on Oversight and Government Reform, introduced the FedRAMP Reform Act of 2018 on July 26.

"Despite its best efforts, the Federal Risk and Authorization Management Program continues to suffer from a lack of agency buy in, a lack of metrics, and duplicative processes that have resulted in a lengthy and costly authorization process for cloud service providers," Connolly said in a statement. "The FedRAMP Reform Act clarifies the responsibilities of federal and private sector stakeholders, establishes a process for metrics so Congress can evaluate the progress of the program, and provides FedRAMP customers with the certainty and process reforms they have long sought."

The FedRAMP process, aimed at helping speed federal agency cloud adoption by standardizing cloud providers' security assessments, has drawn criticism from Connolly and others since it was established in 2012 because the roles and responsibilities of vendors and their sponsoring agencies can be confusing. Providers have also complained that the process is expensive and time consuming.

Connolly's legislation is designed to codify the FedRAMP process and define the roles and responsibilities of both federal agencies and third-party assessment organizations.

The bill would formally set the Office of Management and Budget as the responsible entity for issuing guidance to federal agencies to implement FedRAMP principles, while the General Services Administration, and the FedRAMP Program Management Office within that agency, would be responsible for day-to-day implementation of FedRAMP. The PMO would issue guidance and templates to cloud service providers and third-party assessment organizations that facilitate the FedRAMP authorization process.

OMB would be required to ensure agencies comply with FedRAMP. The bill would also set formal metrics for the FedRAMP PMO that track the time, cost and quality of the assessments necessary for authorization.

It would also require OMB and GSA to submit an annual status and performance report to Congress for the FedRAMP PMO. The PMO would also have to continuously evaluate automation procedures that could speed the process.

Agencies would be required to report their authorities to operate to the PMO, which would use the records to track the documentation across government, which, in turn, would help clarify who has authorized cloud systems.

Editor's note: This article was changed July 30 to correct a mention of the name of the FedRAMP Reform Act.