After the bill was excluded from the final version of the National Defense Authorization Act (NDAA), the 117th Congress made the Federal Risk Assessment and Management Program (FedRAMP) Authorization Act one of the first bills passed in the House, which approved the measure by voice vote today.
The bill codifies FedRAMP into law and appropriates $20 million annually for the program and its upkeep. The FedRAMP program provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud services and products. The authorization bill aims to shore up shortfalls in the program and create more efficiencies in the certification process.
“The current state of cloud adoption in the federal government involves various agency-specific processes, making it complicated for agencies to issue an authorization to operate for cloud services, even when a cloud service provider has already been authorized for use at other agencies,” Rep. Gerry Connolly, D-Va., who introduced the bill, said in a release.
“This bill is essential and will demonstrate a universal commitment to FedRAMP and the accelerated adoption of secure cloud computing technologies, a vital component of the broader federal IT modernization effort,” Connolly said.
The bill passed in the last Congress twice, first by voice vote and later as an amendment to the NDAA. Ultimately, it was left out of the NDAA, making it a priority of Connolly’s to pass the bill early in the 117th Congress. The bill was co-sponsored this time around by Reps. James Comer, R-Ky., and Jody Hice, R-Ga.
“Cybersecurity and technology modernization are both vital issues to ensure the government runs efficiently and effectively. This is even clearer in light of the unprecedented recent cyberattack that compromised both the private and the public sectors’ critical information systems,” Rep. Gary Palmer, R-Ala., said on the House floor. “Congress must work to further the Federal government’s cybersecurity while moving Federal agencies to more modern technology solutions. FedRAMP is the main federal program on helping agencies secure cloud computing services.”
FedRAMP dates to 2011, but currently does not have a standardized framework for certification. This bill aims to create a “certify once, reuse many times” model and would also establish a Federal Secure Cloud Advisory Committee to ensure dialogue between industry, the General Services Administration, and agency cybersecurity and procurement officials.