Democratic and Republican leaders of the House Subcommittee on Government Reform today previewed their bipartisan effort to create legislation that would codify into law the FedRAMP (Federal Risk Assessment and Management Program) program, which standardizes security requirements for cloud services used by the government, and that would make the program operate more efficiently.
Rep. Gerry Connolly, D-Va., chairman of the subcommittee, and Rep. Mark Meadows, R-N.C., the panel’s ranking member, displayed an obvious unity of purpose at a subcommittee hearing today to talk about how they are developing the legislation, and why that effort is necessary. Both have experience in legislating around Federal government IT issues, and both said they want to make FedRAMP work better so that agencies can more easily adopt secure cloud service offerings.
On the first aim of the coming legislation, Rep. Connolly said that FedRAMP was “created administratively,” and as such “can be eviscerated tomorrow morning.” Codifying FedRAMP into law “gives you some predictability” that the program will continue, and also allows lawmakers to exercise more oversight.
On the second aim of the legislation, both congressmen agreed they want FedRAMP to function more efficiently in order to foster quicker approvals for cloud services offered by the private sector, and to let Federal agencies take advantage of a wider range of approved services.
Rep. Connolly expressed frustration that service providers have faced higher than expected costs and longer approval waits to obtain FedRAMP authorizations, and that Federal agencies have been slow to provide reciprocal authorizations for services that have already been cleared for use elsewhere in the government.
“What was supposed to be a six-month process costing $250,000, instead could take years and cost a company millions of dollars,” he said of the approval process for service providers.
Citing the Trump Administration’s Cloud Smart strategy released in June, Connolly said the strategy acknowledges improvements by the FedRAMP program management office that have “drastically” cut the time taken to authorize service providers. But, he said, “the policy also notes that there is still a lack of reciprocity across agencies in adopting FedRAMP authorizations, which has led to significant duplication of effort when assessing the security of a cloud service offering.”
“The policy also notes that a large number of agency-specific processes has made it complicated for agencies to issue an authorization to operate for cloud services, even when a cloud service provider has already been authorized at other agencies,” he said.
“The federal government must do better when it comes to acquiring cloud computing technologies,” Connolly emphasized, adding, “we cannot leverage the potential of cloud computing if the processes are slower than the speed at which the technology advances.”
Rep. Meadows said the legislation under development aims to remove “some of the stumbling blocks” to cloud service approval and adoption.
“The frustration for me is that the Federal government spends $100 billion per year on IT, but is so lagging behind the private sector,” he said, adding, “I can have cloud computing in a secure environment much quicker than Federal agencies.”
“The Chairman has said it’s time to reach for the clouds” on FedRAMP improvements, Meadows said. “I think it’s time we ramp it up.”
The latest effort on FedRAMP legislation is not the first for either of the subcommittee leaders; last year’s bill likewise aimed at codifying the program and enabling wider agency reuse of existing authorizations to operate.
“We are working on legislation this year that would maintain those two objectives while also helping to improve the program by increasing the use of automation and providing for more transparency, all while continuing to ensure that cloud computing services are secure for use by federal agencies,” Rep. Connolly said.
“The bill establishes a presumption of adequacy for those security assessments that have been FedRAMP certified to increase agency reuse of authorizations. It requires FedRAMP to establish and make public metrics on the length and quality of assessments and report progress towards meeting those metrics to Congress. It calls on FedRAMP to find ways to automate their process to increase the efficiency of security assessments,” he said.
Testifying as a witness at today’s hearing, Anil Cheriyan, Director of the General Services Administration’s Technology Transformation Services organization, said he believes the FedRAMP program “is turning a corner and is on a path to success.” While program processes have improved as they have evolved since FedRAMP was established in 2011, “there is still an opportunity to improve FedRAMP performance,” he said.
Numerous improvements have been implemented based on private sector feedback, he said, and the program is doing more to reach out to service providers through industry forums and other means, streamline processes and workflows, and expand industry and agency training.
Recalling FedRAMP’s early days, Rep. Connolly described a discussion led by MeriTalk founder Steven O’Keeffe during which he polled a roomful of government and industry officials about the program’s efficiency. The result: all of the Federal officials thought it was going well, and none of the industry officials agreed.
“I looked at that and said to myself, ‘we are disconnected from our client base,’” Rep. Connolly said today. “It just etched in my mind that we have a problem. We were reluctant to address it with legislation … We hoped it would happen administratively.”
The congressman also held out the possibility that the FedRAMP program can get a funding boost through the legislation under development if that would help improve program efficiency. “We are certainly willing to look at that,” he said.