Could FedRAMP Approvals Be Used to Buy All Government Technology?


The New Democrats Coalition pushes the government to adopt shared technology certifications and a national breach notification standard.

A coalition of moderate House Democrats wants to expand a governmentwide security certification process for cloud computing to all types of government information technology, according to a white paper released Thursday.

The Federal Risk and Authorization Management Program, or FedRAMP, allows companies that provide cloud computing services, such as email and data storage, to sell their services across the federal government once they’re certified by a single agency.

The proposal from the New Democrat Coalition’s Cybersecurity Task Force would expand that model to non-cloud IT services.


The proposal jibes with a broad goal in President Donald Trump’s May cybersecurity executive order, which sought to make cybersecurity more of a shared responsibility across government with particular agencies taking the lead where they have specialized knowledge or skills.

Tech officials have long sought to raise the number of shared technology services and authorities across government but those plans have frequently been stymied—either because of unique requirements at different agencies or because agencies are hesitant to take on responsibilities outside their borders because they’ll also shoulder the blame if something goes wrong.

The FedRAMP for non-cloud plan is one of roughly two dozen proposals in the New Democrats’ first cybersecurity white paper release. Other proposals include creating National Guard cyber support teams that can assist during state and local cyber crises and promoting basic cybersecurity skills in elementary through high schools.

Another proposal would create a national standard for when companies must notify consumers about a data breach. Breach notification standards currently vary from state to state. Privacy and security advocates have been wary of a national standard because it might roll back stronger state standards.

Most of the proposals are non-controversial and reflect long-standing cyber priorities, such as encouraging information sharing about cyber threats between government and industry.

The task force co-chairs, Reps. Derek Kilmer, D-Wash., Kathleen Rice, D-N.Y., and Josh Gottheimer, D-N.J., previously urged the government’s personnel office to update its policies to allow in more cyber pros who lack four-year degrees.

The New Democrats describe themselves as generally moderate and in favor of fiscal responsibility.  

Other proposals from Thursday’s white paper are to:

  • Update legal frameworks so the government can more easily declassify cyber threat information and share it with the private sector.
  • Create a national service program that pays back student loans for science, technology, engineering and math graduates who work in cyber and technology positions for the federal government.
  • Establish a federal loan guarantee program for small businesses to purchase cybersecurity technology and services.
  • Make it easier for federal agencies to pay for employees to get cybersecurity certifications.