December 11, 2019
The Honorable Gerald E. Connolly
Chairman
Committee on Oversight and Reform
Subcommittee on Government Operations
U.S. House of Representatives
2238 Rayburn House Office Building
Washington, DC 20515
Dear Congressman Connolly:
The Alliance for Digital Innovation (ADI) is a non-profit coalition of innovative, commercial companies whose mission is to bring IT modernization and emerging technologies to government. ADI engages with government thought leaders to share emerging commercial technologies and to advocate for the removal of institutional and bureaucratic barriers to the operation of a modern digital government.
On behalf of our members, I would like to again congratulate you on recognizing the importance of appropriate codification, oversight, and continuous improvement of the Federal Risk and Authorization Management Program (FedRAMP). On October 18th, 2019, ADI provided a letter of support to your office on H.R. 3941 as introduced. Since then, both you and your staff have actively engaged interested parties, including ADI, and have been receptive to the input of our member companies on how the legislation can be further improved to meet the outcomes you articulated upon introduction.
There is widespread agreement in the technology sector and in government that the FedRAMP Program, which was established in 2011 to provide a standardized approach to security and risk assessment of government cloud-based systems, is in need of an upgrade. We believe your legislation will significantly improve the program. On our website, ADI publicly highlighted the following provisions which we think will have the most meaningful, positive impacts on both industry and Federal agencies:
- codifying the program in federal law, giving innovative companies the market and accreditation certainty necessary for long-term commitments to the federal market;
- authorizing adequate resources ($25 million per year), which is an essential element in increasing program office capacity and velocity; together with trackable metrics, this will reduce both the time and costs associated with the authorization process;
- providing a standard set of security controls and a governmentwide “presumption of adequacy” for reciprocity of FedRAMP authorization;
- requiring the FedRAMP Program Management Office (PMO) to assess and evaluate available automation procedures to accelerate processing of FedRAMP applications, and establish a one-year timeline to automate FedRAMP security assessments and reviews, which will improve reporting, streamline the assessment process, eliminate human error, and in general free up time for agencies to focus on the actual security of their systems; and
- creating the Federal Secure Cloud Advisory Committee to open a consistent dialogue between agency officials and the private sector, enabling the government faster access to commercial innovation.
These reforms will streamline and enhance the government’s access to new technologies, reinforce cybersecurity, strengthen compliance with the Office of Management and Budget’s Cloud Smart strategy, and promote transparency in a more efficient and effective manner. Codifying this critical accreditation process and placing the FedRAMP program on a sustainable basis are critical to modernizing federal government IT and reinforcing our national security.
ADI strongly supports this legislation and urges its swift enactment by Congress. Should you have any further questions or if ADI can further assist, please feel free to contact me at (202) 207-1120.
Matthew T. Cornelius
Alliance for Digital Innovation