A bipartisan group of lawmakers introduced a bill Tuesday that would codify the Federal Risk and Authorization Management Program to help agencies more quickly adopt cloud services.
The Federal Secure Cloud Improvement and Jobs Act would further require the General Services Administration (GSA) to begin automating FedRAMP security assessments and reviews within a year and continuously monitor cloud computing products and services.
The legislation is similar to the FedRAMP Authorization Act proposed by Rep. Gerry Connolly, D-Va., which passed the House for the fourth time in January but has sat in the Senate Homeland Security Committee since.
Legislators proposed the Senate bill on the heels of Microsoft, which provides cloud services to multiple federal agencies, announcing that Russia-backed hackers have relentlessly targeted cloud service providers (CSPs) and others this summer.
“Cloud-based systems have already shown they can greatly improve government efficiency and save taxpayer dollars, but we must ensure that the technology is safe from relentless cyberattacks,” said Sen. Gary Peters, D-Mich., one of the legislation’s four sponsors. “This important bipartisan bill will make sure that agencies can procure cloud-based technology quickly while ensuring these systems, and the information they store, are secure.”
Both bills would see the FedRAMP Program Management Office (PMO) establish and track metrics gauging the time and quality of its assessments, as well as fund the program to the tune of $20 million annually. Both would also establish a board prioritizing security assessments of cloud services, but the FedRAMP Board proposed in the new legislation would have more of an advisory role than the existing Joint Authorization Board (JAB) codified in Connolly’s.
The former would consist of cloud computing, cybersecurity, privacy and risk management experts from GSA and the Defense and Homeland Security departments, whereas the JAB would consist solely of cloud computing experts from those agencies.
Both bills would also establish a Federal Secure Cloud Advisory Committee to improve communication between agencies and CSPs, but the new legislation requires it to be filled within 90 days — as opposed to 30 days in Connolly’s.
“This bipartisan legislation follows our House-passed FedRAMP Authorization Act and brings us one step closer to reforming, streamlining and codifying this critical cybersecurity regime for federal cloud technologies,” Connolly told FedScoop. “I thank Chairman Peters for his commitment and collaboration on this issue.”
The language of the new bill is consistent with that offered by the House in an amendment to the National Defense Authorization Act that would codify FedRAMP and would still allow the FedRAMP Board to grant provisional authorizations like the JAB, according to a Peters aide.
By codifying FedRAMP, lawmakers hope to reduce program costs, improve reuse of program authorities to operate (ATOs), strengthen cybersecurity and create more jobs at CSPs, the aide said.
Reps. Josh Hawley, R-Mo., Maggie Hassan, D-N.H., and Steve Daines, R-Mont., also sponsored the legislation.
“It’s critical that federal agencies have access to the safest and newest cloud-based technology to ensure the government is functioning efficiently and that important information is kept secure,” Hawley said in a statement. “This legislation accomplishes those crucial tasks while also creating good-paying private sector jobs.”