Rep. Gerry Connolly, D-Va., introduced a bill Wednesday that would codify and streamline the Federal Risk and Authorization Management Program, better known as FedRAMP.
Connolly, a longtime critic of the cloud vendor authorization process, said that in addition to codifying the program “so it’s not an orphan,” the new bill — the FedRAMP Authorization Act of 2019 — “also tries to address some of the problems we’ve been hearing from industry.” Rep. Mark Meadows, R-N.C., co-sponsored the bill.
“We’ve got to get FedRAMP back to its original purpose,” Connolly said at a Carahsoft cloud event. As it stands, he said, the process is too costly and long for private companies to get certified.
FedRAMP “was designed to be a fast-track process — six months, $250,000 and you’re in,” Connolly explained. “But the problem was, that’s not how it worked out. It went from taking six months to, for some companies, many years, three or four years. And the $250,000, for some companies it became millions,” he said, citing one company for which the process has cost more than $4 million “and counting” as it drags on.
For small and medium-sized businesses, this can prevent them from doing business with the federal government because they cannot afford that cost and uncertainty, he said.
Connolly’s bill would create a “presumption of adequacy,” meaning once a cloud vendor is authorized through the FedRAMP process with one agency, it is cleared to work with other agencies under that authorization. Connolly explained it as, “if you get your dance card punched, especially by the JAB, there’s a presumption you’re pretty good to go.” The Pentagon’s Joint Authorization Board (JAB) also approves cloud vendors.
FedRAMP reciprocity and reuse is something that already exists, although it may not happen as much as Connolly or his colleagues in the executive branch would like. He said that when one agency goes to use a FedRAMP-approved cloud platform, “there may be specific items that have to be addressed in addition, but doing the process all over again is duplicative, expensive and defeats the whole purpose, it seems to me.”
The General Services Administration’s Anil Cheriyan, director of the Technology Transformation Services which houses FedRAMP, spoke after Connolly and said reuse of platforms after they’re approved has “grown significantly.” While some products might be used by only one agency, many have been used “well over 50 times.”
Additionally, the bill would create metrics to track the implementation of the program, establish the Federal Secure Cloud Advisory Committee to steer the development of FedRAMP and authorize additional resources for the program, including personnel and $25 million for the FedRAMP program management office and Joint Authorization Board.
This isn’t Connolly’s first attempt to reform FedRAMP with legislation. In fact, this bill is a revision of the FedRAMP Reform Act of 2018, which he introduced last summer. That bill was referred to committee but never made it out. Connolly has built in agency and stakeholder input from the failed bill in crafting this 2019 bill, his office said in an announcement.
Connolly and Meadows — the chairman and ranking member of the House Oversight Subcommittee on Government Operations, respectively — hosted an oversight hearing last week in which they teased the new bill. During that hearing, federal CIOs requested the FedRAMP program office build more automation into the authorization process. The Department of Defense also announced efforts to increase reciprocity and reuse of cloud platforms that receive a FedRAMP Moderate authorization.
FedRAMP Ideation Challenge
At the event Wednesday, Cheriyan also announced the FedRAMP Ideation Challenge as a way to “get feedback from industry and agencies” on the current FedRAMP process and to ask for “bold, innovative ideas” to reimagine how it could be done.
“This challenge provides FedRAMP’s stakeholders and the cloud security community at large the opportunity to directly inform and contribute ideas in support of a new approach to risk assessments and security authorization for cloud products and services,” the challenge page says.
Unlike other federal challenges, which offer prizes usually in the form of money, this does not. Rather, it’s more like an openly crowdsourced market survey to generate feedback and new ideas.
“More agencies than ever now adopt secure cloud technologies and FedRAMP strives to continuously improve how we support our customers,” acting Director of FedRAMP Ashley Mahan said in a statement. “In an effort to enhance and evolve our program, the FedRAMP PMO seeks to leverage the power and insights of the cybersecurity community.”
Participants have until Aug. 22 to submit feedback and improvement ideas via email to firstname.lastname@example.org.