Last Updated on October 25, 2022
The US House of Representatives voted on September 29, 2022, to approve updated legislation that would codify the Federal Risk and Authorization Management (FedRAMP) program into law. The new FedRAMP Authorization Act includes “technical input” from the Biden administration and is intended to reduce redundancies and agency-specific hurdles in the current review/approval process for cloud services in the US government.
Now in its eleventh year of operation by the General Services Administration (GSA), FedRAMP seeks to standardize security assessment, authorization, and continuous monitoring of cloud services across all US federal government agencies. A FedRAMP Authority to Operate (ATO) is required to participate in the massive ($10 billion-plus) government market for cloud services.Proposed FedRAMP changes
If the FedRAMP Authorization Act becomes law, it would institute a number of changes to the current FedRAMP program, including:
- Help drive the use of cloud services that have already received a FedRAMP ATO by mandating that government agencies check a central repository and reuse existing security assessments if possible before conducting their own
- Streamline agency adoption of cloud technology by instantiating a “presumption of adequacy” for solutions that have already achieved FedRAMP certification
- Require the GSA to better automate its processes, which would both accelerate and standardize FedRAMP assessments, and also improve continuous monitoring
- Establish a Federal Secure Cloud Advisory Committee to facilitate ongoing discussion and feedback between agencies, industry and the GSA around acquisition and adoption of cloud services
- Require that members of the FedRAMP Joint Authorization Board (JAB) be technical experts
Senate approval is unlikely
After passing the House, the bill was read twice in the Senate and then referred to the Committee on Homeland Security and Governmental Affairs. According to insiders, the FedRAMP Authorization Act is unlikely to pass the Senate in its current form because of infighting over a different cybersecurity bill.
Ranking committee member Rob Portman (R-Ohio) wants to attach the FedRAMP Authorization Act to another, more controversial bill that would update the Federal Information Security Management Act (FISMA). However, if the FedRAMP Authorization Act does not pass the Senate as a standalone law, it could also be included in the annual “must-pass” National Defense Authorization Act.
What this bill means for cloud service providers
Whether passed as a standalone bill or as part of another bill, the intent of the FedRAMP Authorization Act is to make the evaluation process faster, easier, and more predictable for CSPs as well as the GSA. However, it does not lower the bar for attaining a FedRAMP ATO.
Looking for expert guidance on possibly pursuing a FedRAMP ATO? Pivot Point Security has a 100% success rate bringing clients to a FedRAMP certification. Contact us to start a conversation on your needs and how we can partner with you.