The House of Representatives recently passed the Federal Risk and Authorization Management Program (FedRAMP) Authorization Act of 2019. This legislation would codify the FedRAMP Program at the General Services Administration (GSA). It would authorize GSA to establish a government-wide program to provide a standardized approach to security assessment and authorization for cloud computing products and services. There is no comparable Senate bill at this time.
Background and Need for Legislation
The Office of Management and Budget established FedRAMP in December 2011 to provide joint authorizations and continuous security monitoring services for cloud services for all federal agencies. According to the FedRAMP Program Management Office (PMO), the “primary objective is to provide a re-usable security authorization model by which Agencies can obtain safe, secure cloud service technologies to help modernize Federal IT”.
By codifying the FedRAMP program at GSA, H.R. 3941 would continue this government-wide and standardized approach to security assessment and authorization for cloud computing products and services in order to help agencies modernize their information technology systems. The legislation would reduce duplication of security assessments and other obstacles to agency adoption of cloud products by establishing a “presumption of adequacy” for cloud technologies that have received FedRAMP certification. This presumption of adequacy means that the cloud service offering has met baseline security standards established by the program and should be considered approved for use across the federal government. The bill would also require GSA to work toward automating the FedRAMP process, which will lead to further standardization in security assessments and continuous monitoring of cloud services, increasing efficiency for providers and agencies.
H.R. 3941 also requires FedRAMP to be more transparent. The bill requires the FedRAMP PMO and the JAB to develop and adopt metrics regarding the time and quality of security assessments used to issue FedRAMP authorizations. It also requires OMB to submit an annual report to Congress on the status, efficiency, and effectiveness of FedRAMP, including its progress towards meeting metrics consistently tracked over time and any progress made to automate FedRAMP processes.
The bill also establishes the Federal Secure Cloud Advisory Committee to ensure dialogue among GSA, agency cybersecurity and procurement officials, and industry for effective and ongoing coordination in acquisition and adoption of cloud products by the federal government. This committee will also provide a forum for industry to bring concerns to GSA and agencies in a public setting that fosters a collaborative problem-solving environment to continuously improve the program.
CBO Cost Estimate
H.R. 3941 would authorize the appropriation of $20 million annually for this program. Assuming appropriation of the specified and estimated amounts, CBO estimates that in total, implementing H.R. 3941 would cost $100 million over the 2020-2025 period, primarily to carry out the Federal Risk and Authorization Management Program.
For more information, contact:
Deep Water Point Legislative Affairs Lead