FedRAMP reform measures enacted as Biden signs NDAA into law
President Joe Biden has signed legislation that will reform the FedRAMP cybersecurity authorization program for cloud vendors by allowing FedRAMP-authorized tools to be used in any federal agency without additional oversight or verification.
Language from the FedRAMP Authorization Act was included in the National Defense Authorization Act (NDAA) enacted Friday after the FedRAMP bill was hotlined in the Senate earlier this year as part of an effort led by Sen. Gary Peters, D-Mich.
One of the most consequential aspects of the FedRamp reform language is a “presumption of adequacy” clause, which would allow FedRAMP-authorized tools to be used by any federal agency without further checks.
FedRAMP is a crucial cybersecurity certification that cloud service providers must obtain prior to working with U.S. government data.
The latest iteration of the Federal Risk and Authorization Management Program (FedRAMP) bill passed the House in September after an uphill battle for almost six years led by Rep. Gerry Connolly, D-Va.
In a statement to FedScoop, Chairman of the Senate Homeland Security and Governmental Affairs Committee Sen. Gary Peters said the legislation would make it easier for agencies to quickly acquire cloud states and also protect the tremendous amount of sensitive data held by departments from cyberattacks.
“By helping federal agencies quickly and securely adopt cloud-based systems, this program will also create good-paying jobs, and incentivize cloud companies to create more effective products,” Peters said.
Pressure to update FedRAMP has mounted amid the federal government’s broad, sweeping migration to the cloud. The certification program was first established in 2011 to provide a standardized governmentwide approach to cloud computing services authorization and security assessments.
Federal government IT specialists who helped create and build FedRAMP when it was first formed in 2011 cheered the changes made in the reform bill.
“I remember sitting in a room with the Federal CIO at the time,” Salesforce Principal Solutions Engineer and former FedRAMP Director at GSA Matt Goodrich wrote in a post on LinkedIn.
Goodrich recalled discussions in which then-Federal CIO Vivek Kundra asked how security of cloud services could be certified, and senior NIST computer scientist Peter Mell suggested having the Department of Defense, the Department of Homeland Security and the General Services Administration jointly authorize them.
“[T]hat was how FedRAMP started … very organic at how do we solve a simple problem,” Goodrich noted on the social networking site.
The FedRAMP Authorization Act bill will ensure FedRAMP has a board to enhance and speed up the program. It would also create a separate cloud advisory committee consisting of five representatives from cloud services companies, two of which must come from small cloud vendors.
In addition, the 15-strong advisory committee would also contain one representative each from the Cybersecurity and Infrastructure Security Agency and the National Institute of Standards and Technology. Two serving chief information officers from federal government agencies would also sit on the committee.
Commenting on the enactment of the legislation, Hettinger Strategy Group founder and former Staff Director of the House Oversight Government Operations Subcommittee Mike Hettinger said: “This is a significant victory for the broader federal cloud computing community and I am really glad to see it get done this year. Major congratulations go to Rep. Connolly, Sen. Peters and their teams for never giving up the fight to enact this important and meaningful cybersecurity reform legislation.”
He added: “Most bills that hang around for 5 years and hit the sorts of roadblocks that this bill hit, eventually just die on the vine. Somehow, we were able to get this one across the line.”
