FedRAMP reform legislation appended to National Defense Authorization Act 

The previously drafted bill was included in section 5921 of the NDAA, which was released Tuesday evening.
Early morning fog envelopes the U.S. Capitol dome behind the U.S. House of Representatives. (Photo by Samuel Corum/Getty Images)

Congressional lawmakers have bundled legislation to reform the FedRAMP cybersecurity authorization program for cloud vendors into the National Defense Authorization Act.

The previously drafted bill was included in section 5921 of the NDAA, which was released Tuesday evening by the House and Senate Armed Services committees.

It comes after the legislation was hotlined in the Senate as part of an effort led by Sen. Gary Peters, D-Mich. The latest iteration of the Federal Risk and Authorization Management Program (FedRAMP) bill passed the House in September after being an uphill battle for almost six years led by Rep. Gerry Connolly, D-Va.

Late last month, FedScoop reported that the legislation had gained momentum in Congress and was likely to pass the upper chamber in the coming weeks.


One of the most consequential aspects of the FedRAMP reform bill is a “presumption of adequacy” clause, which would allow FedRAMP-authorized tools to be used in an agency without additional oversight or verification.

FedRAMP is a crucial cybersecurity certification that cloud service providers must obtain prior to working with U.S. government data.

The House is first expected to vote and pass the NDAA this week, followed by the Senate next week, before heading to President Joe Biden’s desk for final approval.

Pressure to update FedRAMP has mounted amid the federal government’s broad, sweeping migration to the cloud. The certification program was first established in 2011 to provide a standardized governmentwide approach to cloud computing services authorization and security assessments.

If it passes into law, the FedRAMP Authorization Act would ensure FedRAMP has a board to enhance and speed up the program. It would create a separate cloud advisory committee consisting of five representatives from cloud services companies, two of which must come from small cloud vendors.

Latest Podcasts