New bill bakes FedRAMP into law


Citing anemic agency interest, duplicative processes and scattershot implementation metrics, Rep. Gerry Connolly (D-Va.) introduced a bill that would reform the Federal Risk and Authorization Management Program, clarifying agency roles, compliance and implementation processes.

Connolly, vice ranking member of the House Committee on Oversight and Government Reform, introduced the FedRAMP Reform Act of 2018 on July 26.

"Despite its best efforts, the Federal Risk and Authorization Management Program continues to suffer from a lack of agency buy in, a lack of metrics, and duplicative processes that have resulted in a lengthy and costly authorization process for cloud service providers," Connolly said in a statement. "The FedRAMP Reform Act clarifies the responsibilities of federal and private sector stakeholders, establishes a process for metrics so Congress can evaluate the progress of the program, and provides FedRAMP customers with the certainty and process reforms they have long sought."

The FedRAMP process, aimed at helping speed federal agency cloud adoption by standardizing cloud providers' security assessments, has drawn criticism from Connolly and others since it was established in 2012 because the roles and responsibilities of vendors and their sponsoring agencies can be confusing. Providers have also complained that the process is expensive and time consuming.

Connolly's legislation is designed to codify the FedRAMP process and define the roles and responsibilities of both federal agencies and third-party assessment organizations.

The bill would formally set the Office of Management and Budget as the responsible entity for issuing guidance to federal agencies to implement FedRAMP principles, while the General Services Administration, and the FedRAMP Program Management Office within that agency, would be responsible for day-to-day implementation of FedRAMP. It would issue guidance and templates to cloud service providers and third-party assessment organizations that facilitate the FedRAMP authorization process.

OMB would be required to ensure agencies comply with FedRAMP. The bill would also set formal metrics for the FedRAMP PMO that track the time, cost and quality of the assessments necessary for authorization.

It would also require OMB and GSA to submit an annual status and performance report to Congress for the FedRAMP PMO. The PMO would also have to continuously evaluate automation procedures that could potentially speed the process.

Agencies would be required to report their authorities to operate to the PMO, which would use the records to track the documentation across government. That, in turn, would help clarify who has authorized cloud systems.

Editor's note: This article was changed July 30 to correct a mention of the name of the FedRAMP Reform Act.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.


