Connolly Introduces FedRAMP Reform Act of 2018

Washington, July 26, 2018
Today, Congressman Gerry Connolly (D-VA), Vice Ranking Member of the House Committee on Oversight and Government Reform, introduced the Federal Risk and Authorization Management Program (FedRAMP) Reform Act of 2018. The legislation would streamline the current FedRAMP process, address agency compliance issues, and establish new metrics for proper implementation.

“Despite its best efforts, the Federal Risk and Authorization Management Program (FedRAMP) continues to suffer from a lack of agency buy-in, a lack of metrics, and duplicative processes that have resulted in a lengthy and costly authorization process for cloud service providers,” Connolly said. “The FedRAMP Reform Act clarifies the responsibilities of federal and private sector stakeholders, establishes a process for metrics so Congress can evaluate the progress of the program, and provides FedRAMP customers with the certainty and process reforms they have long sought.”

FedRAMP was developed to provide a government-wide program that would offer a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services and bring the federal government into the 21st century. Unfortunately, the program has been slow to implement standardized practices and to realize efficiencies in the authorization process. Connolly’s bill would reform this process.

Specifically, Connolly’s legislation would do six things:

1. Codifies the Federal Risk and Authorization Management Program (FedRAMP) and defines the roles and responsibilities of federal agencies and third party assessment organizations

• The Office of Management and Budget (OMB) is responsible for issuing guidance to federal agencies to implement FedRAMP principles.
• The General Services Administration (GSA) and the FedRAMP Program Management Office (PMO) within GSA are responsible for day-to-day implementation of FedRAMP and issuing guidance and templates to cloud service providers and third party assessment organizations that facilitate the FedRAMP authorization process.
• The Joint Authorization Board (JAB) is responsible for reviewing security assessments and issuing provisional authorizations to operate.
• Third party assessment organizations are responsible for assessing, validating, and attesting to the quality and compliance of security materials provided by cloud service providers.

2. Addresses agency compliance with FedRAMP requirements

• OMB is required to ensure that agencies are in compliance with any guidance or other requirements issued related to FedRAMP.
• As the agency responsible for government-wide information technology policy, OMB is well suited to ensure compliance with all IT-related statutes and policies, including FedRAMP.

3. Establishes metrics that can be tracked to ensure proper implementation of FedRAMP

• The FedRAMP PMO is required to adopt metrics regarding the time, cost, and quality of the assessments necessary for completion of the FedRAMP authorization process in a manner that can be consistently tracked over time.
• OMB and GSA are required to submit an annual report to Congress on the status and performance of the FedRAMP PMO, including a description of the metrics adopted by the PMO and progress toward meeting them.

4. Encourages automation to accelerate the FedRAMP process

• The FedRAMP PMO is required to continuously evaluate the automation procedures available for the implementation of FedRAMP.

5. Improves current FedRAMP process by establishing a presumption of adequacy

• States that any provisional authorization to operate issued by the JAB shall be considered adequate by agencies unless the agency documents its disagreement with the authorization.
• This will help eliminate redundant processes, such as agencies re-doing security assessments that have already been performed by third party assessment organizations and accepted by the JAB.

6. Requires agencies to report their authorizations to operate

• When an agency issues an authorization to operate, it must provide a copy of the ATO to the FedRAMP PMO.
• The FedRAMP PMO is required to track and assess all ATOs on a government-wide basis.
• This will provide OMB and the FedRAMP PMO with visibility into the cloud systems in use throughout the federal government. It will also give agencies a central record of existing ATOs.

Text of the legislation is available here.
