Skip to Content

House Passes Connolly FedRAMP Legislation

First bill to pass 117th Congress

 In one of its first actions of the 117th Congress, today the House of Representatives passed Representative Gerald E. Connolly’s Federal Risk and Authorization Management Program (FedRAMP) Authorization Act. The bipartisan legislation was cosponsored by Representatives James Comer (R-KY) and Jody Hice (R-GA). The Federal Risk and Authorization Management Program (FedRAMP) Authorization Act of 2021 would codify the existing FedRAMP Program at the General Services Administration (GSA). 

 

“FedRAMP was established in 2011 to provide a standardized government-wide approach to security assessment, authorization, and continuous monitoring of cloud computing services. The program reduces the redundancies of federal cloud migration for both the federal government and for cloud service providers,” Connolly said. “Unfortunately, the current state of cloud adoption in the federal government involves various agency-specific processes, making it complicated for agencies to issue an authorization to operate for cloud services, even when a cloud service provider has already been authorized for use at other agencies.”

“For nearly four years, I have worked with the Office of Management and Budget, GSA, industry stakeholders, and my friends on the other side of the aisle to ensure that the bill makes needed improvements to the FedRAMP program, and also gives the program flexibility to grow and adopt to myriad future changes in cloud technologies. This bill is essential and will demonstrate a universal commitment to FedRAMP and the accelerated adoption of secure cloud computing technologies, a vital component of the broader federal IT modernization effort,” Connolly added. 

FedRAMP is a standardized approach to certifying and assessing in an ongoing manner the security of cloud computing technologies used across the federal government. It seeks to reduce the redundancies of federal cloud migration by creating a “certify once, reuse many times” model for cloud products and services that provide a cost-effective, risk-based approach to cloud adoption. In the first four years of FedRAMP, the program authorized only 20 cloud products. Today, there are 211 FedRAMP Authorized cloud products that federal agencies can use and more than 240 Cloud Service Providers participating in FedRAMP, 30% of which are small businesses. In fiscal year 2020, FedRAMP saw a 50% increase in agencies reusing authorized cloud products.

The  FedRAMP Authorization Act would:

  • Codify the program and address many of the concerns raised by government and industry stakeholders.
  • Reduce duplication of security assessments and other obstacles to agency adoption of cloud products by establishing a “presumption of adequacy” for cloud technologies that have received FedRAMP certification.
  • Facilitate agency reuse of cloud technologies that have already received an authorization-to-operate by requiring agencies to check a centralized and secure repository and, to the extent practicable, reuse any existing security assessment before conducting their own.
  • Require that GSA work toward automating their processes, which will lead to more standard security assessments and continuous monitoring of cloud offerings, and increase the efficiency for both providers and agencies.
  • Establish a Federal Secure Cloud Advisory Committee to ensure dialogue among GSA, agency cybersecurity and procurement officials, and industry for effective and ongoing coordination in acquisition and adoption of cloud products by the federal government.
  • Authorize $20 million in annual appropriations for the program, providing sufficient resources to increase the number of secure cloud technologies available for agency adoption.

Connolly’s bill passed the House with bipartisan support twice in the 116th Congress.  Once under suspension by voice vote and again as an amendment to the House National Defense Authorization Act for FY2021.

Text of the legislation is available here.

Back to top