The House passed a bill that would codify and fund the program for authorizing and continuously monitoring cloud service offerings across agencies, while also introducing compliance reforms and metrics.
In 2011, the Office of Management and Budget established the Federal Risk and Authorization Management Program (FedRAMP) as a requirement for agencies. But the Government Accountability Office found this past December that 15 of 24 Chief Financial Officers Act agencies didn’t always use FedRAMP, and OMB didn’t “effectively monitor” their compliance.
“[T]here is still a lack of reciprocity across agencies in taking advantage of FedRAMP-authorized products,” said Rep. Gerry Connolly, D-Va., the bill’s sponsor in his floor statement. “Without reciprocity, agencies end up duplicating the assessment process of cloud service offerings leading to inefficiencies for both the federal government and cloud service providers.”
The bill would require the FedRAMP Program Management Office (PMO) and Joint Authorization Board to develop metrics around time and quality of security assessments. OMB would track those metrics over time and report progress annually to Congress.
Additionally, the bill would establish a 15-member Federal Secure Cloud Advisory Committee to coordinate the acquisition of cloud products that includes cybersecurity and procurement officials from the General Services Administration, CFO Act agencies and industry.
The Alliance for Digital Innovation, an industry association, said the creation of the committee “will establish a transparent, accountable body of experts from government and industry that will provide recommendations to the administrator of GSA and federal agencies on how to improve FedRAMP and agency cloud authorizations.”
The primary improvement industry would like to see is automation of FedRAMP risk assessments and security authorizations, and the PMO is targeting quick wins on that front in fiscal 2020. Still, the bill requires GSA to work toward automating FedRAMP processes.
If passed by the Senate and signed into law by President Trump, whose administration has expressed continued support for FedRAMP, the program would receive $20 million annually. The Congressional Budget Office estimated implementation would only cost $100 million between 2020 and 2025 — $3 million of that going toward the advisory committee.