House Passes Legislation to Provide Statutory Authority for GSA Federal Risk and Authorization Management Program

The House has passed legislation by voice vote to codify the Federal Risk and Authorization Management Program (FedRAMP) within the General Services Administration (GSA) into law. The legislation also establishes a board to conduct security assessments of cloud computing services and to ensure cloud operators meet FedRAMP security guidelines.

Congressman Gerry Connolly (D-VA), Chairman of the Government Operations Subcommittee, and Mark Meadows (R-NC), Ranking Member of the Government Operations Subcommittee, introduced the FedRAMP Reform legislation to provide a government-wide program to standardize security assessment, authorization, and monitoring for cloud products and services.

“The Federal Risk and Authorization Management Program (FedRAMP) continues to suffer from a lack of agency buy in, a lack of metrics, and duplicative processes that have resulted in a lengthy and costly authorization process for cloud service providers,” said Connolly upon introduction of the measure. “Our bipartisan bill will streamline the FedRAMP process and reduce the redundancies in federal cloud migration, so federal agencies can modernize their IT and realize cost-efficiencies.”

The legislation, H.R. 3941, calls upon GSA to establish a government-wide program that “provides the authoritative standardized approach to security assessment and authorization for cloud computing products and services that process unclassified information used by agencies.” It requires agencies to meet GSA requirements.

The legislation creates a Joint Authorization Board to conduct security assessments of cloud computing services and issue provisional authorizations to operate to cloud service providers that meet FedRAMP security guidelines. Under the bill, GSA must determine the requirements for certification of independent assessment organizations and establish the Federal Secure Cloud Advisory Committee.

The lawmakers who introduced the legislation hope it will achieve seven objectives:

1. Codifies the Federal Risk and Authorization Management Program (FedRAMP) and defines the roles and responsibilities of federal agencies and independent assessment organizations to ensure appropriate security of cloud-based information technology (IT).

2. Reduces duplication of security assessments by establishing a presumption of adequacy.

3. Facilitates agency reuse of FedRAMP authorized cloud products and agency compliance with FedRAMP requirements.

4. Requires agencies to report their authorizations to operate.

5. Ensures adequate authorization of resources to operate FedRAMP.

6. Establishes metrics that can be tracked to ensure proper implementation of FedRAMP.

7. Establishes the Federal Secure Cloud Advisory Committee.

The legislation passed the House by voice vote and heads to the Senate for consideration.
