Rep. Gerry Connolly, D-Va., said today that he introduced legislation – the Federal Risk and Authorization Management Program (FedRAMP) Reform Act – which would codify the FedRAMP program in Federal law and address what the congressman said are shortcomings of the program, including the slow pace of implementing standardized practices and realizing efficiencies in the certification process.
FedRAMP, which began initial operations in 2012, is a government-wide Federal program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. The program’s administrators say it now covers more than five million assets of cloud service providers and that one-third of the world’s internet traffic travels through the program.
In addition to codifying FedRAMP into law, Rep. Connolly’s bill would:
- Designate the Office of Management and Budget (OMB) responsible for issuing guidance to Federal agencies to implement FedRAMP principles;
- Designate the General Services Administration (GSA) and its FedRAMP Program Management Office (PMO) responsible for day-to-day implementation of FedRAMP and issuing guidance and templates to cloud service providers and third-party assessment organizations that facilitate the FedRAMP authorization process;
- Designate the Joint Authorization Board (JAB) responsible for reviewing security assessments and issuing provisional authorization to operate; and
- Designate third-party assessment organizations responsible for assessing, validating, and attesting to the quality and compliance of security materials provided by cloud service providers.
On the compliance front, the bill would require OMB to ensure that Federal agencies are in compliance with any guidance or other requirements related to FedRAMP. Rep. Connolly’s office said that OMB, as the “agency responsible for government-wide IT policy,” is “well suited to ensure compliance with all IT related statute and policies, including FedRAMP.”
The measure would also require the FedRAMP PMO to adopt “metrics regarding the time, cost and quality of assessments necessary for completion of the FedRAMP authorization process in a manner that can be consistently tracked over time,” and require OMB and GSA to submit annual reports to Congress on the status and performance of the PMO toward meeting those metrics. It would also require the PMO to continuously evaluate the automation procedures available for FedRAMP implementation.
According to Rep. Connolly’s announcement, the bill would also improve the current FedRAMP process by establishing a “presumption of adequacy,” stating that any provisional authorization to operate issued by the JAB shall be considered adequate by agencies unless an agency documents its disagreement with the certification. That provision “will help eliminate redundant processes such as agencies re-doing security assessments that have been facilitated by third party assessment organizations and certified by the JAB,” the congressman’s office said.
Finally, the bill would require agencies to report their authorizations to operate (ATOs) to the PMO, and would require the PMO to track and assess all ATOs on a government-wide basis. “This will provide OMB and the FedRAMP PMO with visibility into cloud systems in use throughout the federal government,” Rep. Connolly’s office said.
“Despite its best efforts, the Federal Risk and Authorization Management Program (FedRAMP) continues to suffer from a lack of agency buy-in, a lack of metrics, and duplicative processes that have resulted in a lengthy and costly authorization process for cloud service providers,” Rep. Connolly said in a statement.
“The FedRAMP Reform Act clarifies the responsibilities of Federal and private sector stakeholders, establishes a process for metrics so Congress can evaluate the progress of the program, and provides FedRAMP customers with the certainty and process reforms they have long sought,” he said.