January 21, 2022

Last Updated on January 19, 2024

A bipartisan bill introduced in November 2021 seeks to strengthen and streamline the FedRAMP program for securing cloud services to the US federal government. The Federal Secure Cloud Improvement and Jobs Act of 2021, which has moved past the Senate Homeland Security and Governmental Affairs Committee for a vote by the full Senate, would codify FedRAMP as a legal statute, thus giving the General Services Administration (GSA) and its Office of Management and Budget (OMB) new enforcement powers. The bill would also fund FedRAMP at $20 million annually.

The Federal Secure Cloud Improvement and Jobs Act is similar in content and intent to a bill called the FedRAMP Authorization Act, which the House of Representatives passed in January and included in its version of the National Defense Authorization Act for 2022.

 

Changes Proposed in the Bill

The current bill proposes multiple changes to how FedRamp works currently. These include:

  • Creation of a new Federal Secure Cloud Advisory Committee, a public/private partnership intended to offer feedback on FedRAMP’s operation.
  • A range of tweaks recommended by the GAO and GSA inspector general to continue to streamline and accelerate FedRAMP processes, given the ever-escalating demand for cloud services across government and the proliferation of innovative cloud solutions. For example, the bill calls for the FedRAMP Program Management Office (PMO) to develop and track metrics on the efficiency and quality of its assessments.

More Proposed Changes

Various stakeholders are using the political process to voice concerns about the program’s operation that they hope this bill can correct. In particular:

  • Ranking Member Rob Portman (R-Ohio) has expressed concern that allowing FedRAMP ATO candidates to select the 3PAO to audit their systems is “a potential conflict of interest.” (If so, it’s one that pervades our industry, since this audit model is nearly universal.)
  • Others are calling for as-yet-unspecified changes that would make the current FedRAMP program more effective against Advanced Persistent Threats (APTs) targeting government cloud systems.
  • A further worry is a lack of “supply chain transparency” around how much of a service provider’s code was written overseas, and where. Given the universal use of APIs and open-source code in general, this could prove challenging to implement.

Countering these recommendations is the view that making FedRAMP too prescriptive could put an ATO out of reach of SMBs, plus create resistance that could slow the response to emerging threats.

Meanwhile, the Biden administration blessed the FedRAMP program, crediting it as a vehicle to “meaningfully raise the bar for federal cybersecurity in the modern era.”

What’s Next?

Looking for support to “read the tea leaves” on FedRAMP’s evolution, how it could impact your business, and how to proactively position your firm for success, contact Pivot Point Security to connect with a FedRAMP expert on our team.