Senate inches closer to FedRAMP legislation

Federal officials met with lawmakers on the Senate Homeland Security and Governmental Affairs Committee on Tuesday to discuss deficiencies within the General Services Administration’s Federal Risk and Authorization Management Program, or FedRAMP, ahead of an upcoming vote to codify the program agencies use to adopt cloud services.

Committee Chairman Sen. Gary Peters (D-Mich.), cosponsor of a bipartisan bill called the Federal Secure Cloud Improvement and Jobs Act of 2021, convened the meeting to hear from officials and vendors for possible tweaks to the legislation.

The bill, similar to bipartisan legislation that passed in the House of Representatives, would codify the FedRAMP program and establish the Federal Secure Cloud Advisory Committee to measure the effectiveness of the program, particularly when it comes to reuse of FedRAMP authorizations. The measure also authorizes $20 million for FedRAMP operations annually.

Sen. Rob Portman (R-Ohio), the ranking member on the committee, said the current program “has weaknesses in it” that “have left it vulnerable to foreign-backed hackers targeting cloud systems,” including countries like Russia and China.

“Right now, we do not have sufficient safeguards in place to identify and prevent foreign interference in our cloud systems,” Portman said, adding: “I believe that must change before we codify this program.”

Recent reports have warned the program is "no longer optimized for modern security solutions" and ill-equipped to work well in environments with IoT devices and other emerging technologies, while calling on the government to redefine federal IT risk management.

Portman expressed concerns about potential conflicts of interest around the commercial third party assessment organizations (3PAOs) that report on whether cloud providers are meeting security standards to FedRAMP officials -- a key step in the government's approach to make risk-based decisions to authorizing certain cloud services. Portman said that he felt a security determination was something categorically different from other kinds of third-party audits.

“This is about security, it’s not about auditing your books, it’s about ensuring that we don’t have the terrible situation that could occur where you have a lack of security in the cloud services that the federal government and we taxpayers all rely on,” he said. “It’s a different sort of assessment than what Deloitte might do in terms of...an audit.”

David Shive, the GSA's CIO and a FedRAMP board member, urged lawmakers to include language which allows the program to grow amid increased cyber threats and unforeseen circumstances.

While Shive said FedRAMP has "done a good job" evolving with the cybersecurity threat, he noted how the needs of cloud service providers and their customers have changed over time, and said there must be "agility built into any legislation" to address those concerns.