Rep. Gerry Connolly, D-Va., introduced the Federal Risk and Authorization Management Program Reform Act July 26 to streamline the government’s cloud computing authorization process and address agency compliance issues with the program.
“Despite its best efforts, the Federal Risk and Authorization Management Program (FedRAMP) continues to suffer from a lack of agency buy in, a lack of metrics and duplicative processes that have resulted in a lengthy and costly authorization process for cloud service providers,” Connolly said in a news release.
“The FedRAMP Reform Act clarifies the responsibilities of federal and private sector stakeholders, establishes a process for metrics so Congress can evaluate the progress of the program and provides FedRAMP customers with the certainty and process reforms they have long sought.”
FedRAMP was started in December 2011 to standardize the security assessment of cloud service providers and to let agencies reuse each other's authorizations rather than re-assess the same service. To work with a federal agency, a cloud service provider must hold a FedRAMP authorization, either a provisional authority to operate (P-ATO) issued by the Joint Authorization Board (JAB) or an authority to operate (ATO) issued by an individual agency.
Early on, the time and monetary investments required to achieve authorization, along with agency reluctance to accept each other's authorizations, proved problematic for some, though the program worked to implement faster paths such as FedRAMP Tailored, a reduced baseline for low-impact software-as-a-service offerings, to improve the process.
The FedRAMP Reform Act, currently cosponsored by Rep. Mark Meadows, R-N.C., chairman of the House Oversight and Government Reform Committee's Subcommittee on Government Operations, would make six changes to the authorization program:
- Define roles and responsibilities of federal agencies and third-party assessment organizations — The Office of Management and Budget (OMB) would be responsible for issuing guidance to federal agencies, while the General Services Administration (GSA) and the FedRAMP Program Management Office (PMO) would be responsible for issuing guidance and templates to cloud service providers.
- Address agency compliance with FedRAMP — OMB would be responsible for ensuring that agencies complied with any FedRAMP guidance.
- Establish implementation metrics — The PMO would be required to adopt metrics regarding the time, cost and quality of the FedRAMP assessments, and OMB and GSA would then need to submit an annual report to Congress on the performance of the PMO.
- Encourage automation in the FedRAMP process.
- Establish a presumption of adequacy — Provisional authorities to operate issued through the FedRAMP program would be presumed adequate by federal agencies, unless an agency documents a specific disagreement with the authorization.
- Require agencies to report their authorities to operate — When an agency issues an authority to operate, it must provide a copy of that authorization to the PMO so that authorizations can be tracked on a governmentwide basis.
“As we go forward it is critical that the FedRAMP program, including [the Joint Authorization Board], have the resources they need to continue to grow to meet the needs of organizations considering and currently providing cloud-based services to the federal government,” said Michael Carter, vice president for FedRAMP assurance at Coalfire, a third-party assessor.
“This legislation will do that while driving efficiencies and ensuring appropriate cybersecurity controls exist for agencies migrating to cloud-based services. We look forward to working with Representatives Connolly and Meadows on this important legislation and thank them for their commitment to cloud security.”