Senate lawmakers are shortly expected to vote on legislation to reform the FedRAMP authorization program for cloud vendors, FedScoop has learned.
The bipartisan FedRAMP Authorization Act has momentum in Congress and is likely to progress through the upper chamber in the coming weeks, according to two senior policy experts with visibility of the legislation’s progress.
Lawmakers will consider the reform bill after it was earlier this month referred to the Senate Committee on Homeland Security and Governmental Affairs for consideration.
The Federal Risk and Authorization Management Program (FedRAMP) is a crucial cybersecurity certification that cloud service providers must obtain prior to working with U.S. government data. The latest iteration of the FedRAMP reform bill passed the House in September after being championed for almost six years by Rep. Gerry Connolly, D-Va.
Pressure to update FedRAMP has mounted amid the federal government’s sweeping migration to the cloud. The certification program was first established in 2011 to provide a standardized governmentwide approach to cloud computing services authorization and security assessments.
If it passes into law, the FedRAMP Authorization Act would ensure FedRAMP has a board to enhance and speed up the program. It would create a separate cloud advisory committee consisting of five representatives from cloud services companies, two of which must come from small cloud vendors.
In addition, the 15-strong advisory committee would also contain one representative each from the Cybersecurity and Infrastructure Security Agency and the National Institute of Standards and Technology. Two serving chief information officers from federal government agencies would also sit on the committee.
One of the most consequential aspects of the reform bill is a “presumption of adequacy” clause, which would allow FedRAMP-authorized tools to be used in an agency without additional oversight or verification.
Speaking with FedScoop, Executive Director of MITRE’s Center for Data-Driven Policy Dave Powner said: “The presumption of adequacy clause is a really big deal. It creates a new standard for cloud risk determination and now FedRAMP authorization can be reused without further oversight and agencies can feel safe about not getting penalized.”
“We expect to see a significant uptick in FedRAMP authorization over the coming years thanks to this bill,” Powner added. “The uptick in adoption of cloud security standards would happen even without this FedRAMP legislation but it would definitely be less.”
Small businesses have historically taken issue with the high cost of complying with FedRAMP and requirements for authorization. The reform legislation is intended to respond to such concerns by giving small businesses a voice within the cloud advisory committee and mandating that the committee work to increase the number of FedRAMP authorizations given to cloud products offered by small businesses.
While the FedRAMP reform bill has garnered broad support from industry and the federal IT community, some private sector technologists have raised concerns about the bill’s lack of funding and resources.
One tech industry association leader told FedScoop that “FedRAMP currently gets funded by the acquisition fund of other agencies which is not adequate at all. This bill would be stronger if there were funds and resources attached to it that gave it more teeth to execute its mission.”
Nevertheless, he remained optimistic that additional funds for FedRAMP would be appropriated in the coming years. It is common for federal government programs to be given unfunded mandates, with funding then budgeted for them as and when it is needed and pressure is applied on Congress.
The industry association leader added: “We’re especially excited about the cloud advisory committee because it formalizes the ability for industry to help shape and improve the evolution of FedRAMP especially the cost and complexity of authorization.”