Five Things You Need to Know about Reforms Proposed in the FedRAMP Authorization Act
December 21, 2022 | Lisa Liu
The Federal Risk and Authorization Management Program (FedRAMP) was established in 2011 by the Office
of Management and Budget (OMB) to standardize a secure and cost-effective approach to cloud adoption
and use by federal agencies. In 2012, the General Services Administration (GSA) established the FedRAMP
Program Management Office (PMO) to promote and grow the adoption of these services while
continuously enhancing the framework and associated partnerships.
After six years of advocacy championed by Congressman Gerry Connolly (D-Va), the current version
of the reform was passed by the House on December 8th as a part of the National Defense
Authorization Act for Fiscal Year 2023 (FY2023 NDAA). A copy of the bill can be found here.
- It formalizes GSA's FedRAMP authority and focuses efforts on efficiency.
into law, the FedRAMP Authorization Act provides statutory authority to GSA to detail
requirements necessary to specify and enforce the legislation in order to: (A) improve the speed
of secure authorizations for new products and services; (B) enhance agencies' abilities to
evaluate established authorized providers for reuse; (C) reduce costs and burdens for new cloud
providers seeking authorizations; and (D) drive stronger adoption of secure cloud capabilities
and reduce wasteful legacy IT through more transparent collaborations.
- It establishes the Federal Secure Cloud Advisory Committee and FedRAMP Board to drive
The Committee will be established to provide oversight and coordination for
agencies leveraging FedRAMP - including providing advice and recommendations related to
technical, financial, programmatic, and operational matters regarding adoption. With no more
than 15 members, its composition includes at least one (1) independent assessment service
representative and five (5) business representatives providing cloud computing services or
products (two of which must be small businesses). The Board is expected to provide inputs and
recommendations regarding requirements, guidelines, and prioritization of assessments for cloud
products and services, and include no more than seven (7) agency senior officials or experts in
the areas of cloud computing/cybersecurity/privacy/risk management, including the Director's
appointments from the Department of Defense, Department of Homeland Security, and GSA.
- It outlines GSA's role and expected responsibilities in FedRAMP improvements.
GSA is expected to establish or improve the program to include:
- (1, 2) processes to streamline agencies' ability to review and reuse assessments;
- (3) templates, best practices, and resources to improve effectiveness and speed of
- (4) formal guidance on boundaries for authorization package to improve transparency of
- (5) authorizations granted;
- (6) public dialogue capability;
- (7) coordination between the FedRAMP Board, Cybersecurity and Infrastructure Security
Agency (CISA), and any other entities to support a continuous monitoring framework;
- (8) secure information sharing mechanism to enable better package reuse;
- (9) communications and updates to cloud service providers (CSPs) throughout the process;
- (10) review cadence of foreign interest information and costs related to independence
- (11) determine sufficiency of underlying standards and requirements for the assessment
framework in coordination with National Institute of Standards and Technology (NIST) and
- (12, 13) support the Federal Secure Cloud Advisory Committee and other actions deemed
- It requires agency actions to actively reduce duplication and maximize reusability.
Agency heads will also be required to promote the use of FedRAMP authorized cloud products and
services, maximize reuse of authorization materials (e.g., security control assessments), and
report agency performance against annual metrics. This will include requiring review of
authorized technologies using a central repository before initiating new requests.
- It timeboxes a deadline on efficacy improvements for both the program and the authorization
Within a year of enactment, GSA will be required to automate security
assessments and reviews. GSA must also establish annual metrics on assessment duration and
quality in a way that minimizes the agency reporting burden.
FedRAMP's goals are to enable and accelerate the federal government in cloud adoption through
transparent standards and processes while eliminating duplicative efforts using a common security
framework. The reform contained in the FY2023 NDAA ensures investments are dedicated to building upon
the FedRAMP improvements sustained over the past decade and truly scales the program for government-wide