Two prominent senators are planning to introduce a bill aimed at accelerating cloud adoption throughout the Federal government, according to documents obtained by MeriTalk.
The Cloud Infrastructure Transition Act of 2015, known as the Cloud IT Act, is the work of Sens. Jerry Moran, R-Kan., and Tom Udall, D-N.M. The bill, which is still in draft form, is focused on reforming the Federal Risk and Authorization Management Program (FedRAMP), which has come under fire in recent months for being too costly and time-consuming for commercial cloud service providers (CSPs) to effectively navigate, and for lacking transparency and accountability.
Launched in December 2011, FedRAMP was intended to standardize the government’s approach to conducting security assessments, authorizations, and continuous monitoring for cloud services. It follows a “do once, use many times” framework that has informed the thinking behind many other Federal IT modernization initiatives. But it has taken some CSPs more than a year and millions of dollars to achieve certification. And at the agency level, CSPs report difficulty getting one agency to accept a FedRAMP certification granted by a different agency.
According to a summary of the bill, the General Services Administration would be given new authorities to “streamline and accelerate” the FedRAMP process. News of the legislation comes just days after GSA Associate Administrator for Citizen Services and Innovative Technologies Phaedra Chrousos announced plans to reduce the amount of time it takes companies to get through the FedRAMP certification process to just three months, down from the current average of 18 to 24 months.
The bill would also establish a public-private liaison group, called the FedRAMP Liaison Group, to facilitate information sharing on best practices between CSPs and the FedRAMP program office. CSPs have complained about the program’s lack of transparency, particularly on things like documentation requirements and how the program management office prioritizes certification reviews. There is also major confusion surrounding the relative value of pursuing certification through the FedRAMP Joint Authorization Board (JAB) versus through an agency-specific Authority to Operate (ATO).
Because the FedRAMP program has been unable to meet the high level of demand from CSPs seeking certification, the Cloud IT Act would allow the FedRAMP program to provide agencies accreditation and consulting services on a fee-for-service basis. It would also require performance metrics on the FedRAMP certification process.
The bill would also establish an Information Technology Fund “to help Federal agencies transition to cloud computing services.” The fund would be administered by the Office of Management and Budget (OMB). Any savings realized by agencies from migrating to the cloud would be returned to the fund. Agencies would then be required to specifically identify in their budget requests money they need from the fund for cloud services, operations and maintenance, new investments, and research and development activities. The money placed in this revolving capital fund is available for a period of five years, after which, if it is not used, it is returned to the Treasury.