There is widespread agreement in the technology sector and in government that the Federal Risk and Authorization Management Program (FedRAMP), which was established in 2011 to provide a standardized approach to security and risk assessment of government cloud-based systems, is in need of an upgrade.
According to GSA, FedRAMP “provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.” But a number of issues have prevented the program from achieving its full potential. That’s why ADI was heartened to see Reps. Gerry Connolly and Mark Meadows introduce a bipartisan bill, the FedRAMP Authorization Act (H.R. 3941), to address these challenges and improve this critical government accreditation process.
What are some of the FedRAMP program’s challenges? First and foremost are the high cost and the time-consuming process that cloud service providers face in obtaining an authorization to operate (ATO), together with the failure of agencies to provide reciprocity for authorizations issued by other government agencies. Further, because FedRAMP was created by the executive branch and not by congressional action, OMB could cancel the program of its own accord, which creates uncertainty for the private sector.
The ADI Board of Directors discussed the need for FedRAMP reform with Rep. Connolly earlier this year. After the bill’s introduction this summer, ADI member company representatives met with his professional staff to share feedback on its provisions and to voice support for the legislation.
The Connolly/Meadows bill would improve FedRAMP by:
- codifying the program in federal law, giving innovative companies the market and accreditation certainty necessary for long-term commitments to the federal market;
- authorizing adequate resources ($25 million per year), which is long overdue and an essential element in increasing program office capacity and velocity; together with trackable metrics, this will reduce both the time and costs associated with the authorization process;
- providing a standard set of security controls and a governmentwide “presumption of adequacy” for reciprocity of FedRAMP ATO;
- requiring the FedRAMP Program Management Office (PMO) to assess and evaluate available automation procedures to accelerate processing of FedRAMP applications, and establish a one-year timeline to automate FedRAMP security assessments and reviews; this will improve reporting, streamline the assessment process, eliminate human error, and in general free up time for agencies to focus on the actual security of their systems; and
- creating a Federal Secure Cloud Advisory Committee to open a consistent dialogue between agency officials and the private sector, giving the government faster access to commercial innovations.
These reforms will streamline and enhance the government’s access to new technologies, reinforce cybersecurity, comply with Cloud Smart, and promote transparency in a more efficient and effective manner. Codifying this critical accreditation process and placing the FedRAMP program on a sustainable basis are critical to modernizing federal government IT and reinforcing our national security. ADI strongly supports this legislation and urges its swift enactment by Congress.