New bill bakes FedRAMP into law
- By Mark Rockwell
- Jul 27, 2018
Citing anemic agency interest, duplicative processes and scattershot implementation metrics, Rep. Gerry Connolly (D-Va.) introduced a bill that would reform the Federal Risk and Authorization Management Program, clarifying agency roles, compliance and implementation processes.
Connolly, vice ranking member of the House Committee on Oversight and Government Reform, introduced the FedRAMP Reform Act of 2018 on July 26.
"Despite its best efforts, the Federal Risk and Authorization Management Program continues to suffer from a lack of agency buy-in, a lack of metrics, and duplicative processes that have resulted in a lengthy and costly authorization process for cloud service providers," Connolly said in a statement. "The FedRAMP Reform Act clarifies the responsibilities of federal and private sector stakeholders, establishes a process for metrics so Congress can evaluate the progress of the program, and provides FedRAMP customers with the certainty and process reforms they have long sought."
The FedRAMP process, aimed at speeding federal agency cloud adoption by standardizing cloud providers' security assessments, has drawn criticism from Connolly and others since it was established in 2012 because the roles and responsibilities of vendors and their sponsoring agencies can be confusing. Providers have also complained that the process is expensive and time-consuming.
Connolly's legislation is designed to codify the FedRAMP process and define the roles and responsibilities of both federal agencies and third-party assessment organizations.
The bill would formally set the Office of Management and Budget as the entity responsible for issuing guidance to federal agencies on implementing FedRAMP principles, while the General Services Administration, and the FedRAMP Program Management Office within that agency, would be responsible for day-to-day implementation of FedRAMP. The PMO would issue the guidance and templates that cloud service providers and third-party assessment organizations use in the FedRAMP authorization process.
OMB would be required to ensure agencies comply with FedRAMP. The bill would also set formal metrics for the FedRAMP PMO that track the time, cost and quality of the assessments necessary for authorization.
It would also require OMB and GSA to submit an annual status and performance report to Congress for the FedRAMP PMO. The PMO would also have to continuously evaluate automation procedures that could potentially speed the process.
Agencies would be required to report their authorities to operate to the PMO, which would use those records to track authorization documentation across government and, in turn, clarify which agencies have authorized which cloud systems.
Editor's note: This article was changed July 30 to correct a mention of the name of the FedRAMP Reform Act.
Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.
Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.
Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.