Written by Nihal Krishan
President Joe Biden signed legislation that would change the FedRAMP cybersecurity authorization program for cloud vendors by allowing FedRAMP-authorized tools to be used by any federal agency without additional oversight or verification.
The language from the FedRAMP Authorization Act was included in the National Defense Authorization Act (NDAA) that was enacted on Friday after the FedRAMP bill was hotlined in the Senate earlier this year as part of an effort led by Sen. Gary Peters, D-Mich.
One of the most important aspects of the FedRAMP reform language is a “presumption of adequacy” clause, which would allow tools authorized by FedRAMP to be used by any federal agency without further review.
FedRAMP is an important cybersecurity certification that cloud service providers must obtain before working with US government data.
The latest iteration of the Federal Risk and Authorization Management Program (FedRAMP) bill was passed by the House in September after an uphill battle of nearly six years led by Rep. Gerry Connolly, D-Va.
In a statement to FedScoop, Chairman of the Senate Homeland Security and Governmental Affairs Committee, Sen. Gary Peters said the legislation would make it easier for agencies to quickly obtain cloud services and also protect the vast amount of sensitive data that departments hold from cyberattacks.
“By helping federal agencies quickly and securely adopt cloud-based systems, this program will also create good-paying jobs, and encourage cloud companies to develop more effective products,” Peters said.
Pressure to update FedRAMP has increased amid the federal government’s broad migration to the cloud. The certification program was first established in 2011 to provide a standardized government approach to the authorization of cloud computing services and security assessments.
Federal government IT specialists who helped create and build FedRAMP when it was first formed in 2011 are cheering the changes made in the reform bill.
“I remember sitting in a room with the Federal CIO at the time,” Salesforce Principal Solutions Engineer and former FedRAMP Director at GSA Matt Goodrich wrote in a LinkedIn post.
Goodrich recalled discussions in which Federal CIO Vivek Kundra asked how to verify the security of cloud services, and NIST senior computer scientist Peter Mell suggested that the Department of Defense, the Department of Homeland Security and the General Services Administration all three authorize them.
“[T]hat was how FedRAMP started… very organic and how do we solve a simple problem,” said Goodrich on the social networking site.
The FedRAMP Authorization Act would ensure that FedRAMP has a board to develop and facilitate the program. It will also create a separate cloud advisory committee consisting of five representatives from cloud service companies, two of which must be from smaller cloud vendors.
In addition, the 15-strong advisory committee will include one representative each from the Cybersecurity and Infrastructure Security Agency and the National Institute of Standards and Technology. Two serving chief information officers from federal government agencies will also sit on the committee.
Commenting on the legislation’s passage, Hettinger Strategy Group founder and former Staff Director of the House Oversight Government Operations Subcommittee Mike Hettinger said: “This is an important win for the broader federal cloud computing community and I’m glad to see it’s done this year. Big congratulations to Rep. Connolly, Sen. Peters and their teams for not giving up the fight to pass this important and meaningful cybersecurity reform legislation.”
He added: “Most bills that have been hanging around for 5 years and hit the kinds of hurdles that this bill hit, eventually just die in the tree. Somehow, we made it one across the board.”