December 21, 2022
Five Things You Need to Know about Reforms Proposed in the FedRAMP Authorization Act

Author: Lisa Liu

The Federal Risk and Authorization Management Program (FedRAMP) was established in 2011 by the Office of Management and Budget (OMB) to standardize a secure and cost-effective approach to cloud adoption and use by the agencies. In 2012, the General Services Administration (GSA) established the FedRAMP Program Management Office (PMO) to promote and grow the adoption of these services while continuously enhancing the framework and associated partnerships.

After a six year-long advocacy championed by Congressman Gerry Connolly (D-Va), the current version of the reformation was passed by the House on December 8th as a part of the National Defense Authorization Act for Fiscal Year 2023 (FY2023 NDAA). A copy of the bill can be found here.

1. It formalizes GSA's FedRAMP authority and laser focuses efforts on efficiencies.
   Once passed into law, the FedRAMP Authorization Act provides statutory authority to GSA to detail requirements necessary to specify and enforce the legislation in order to: (A) improve the speed of secure authorizations for new products and services; (B) enhance agencies' abilities to evaluate established authorized providers for reuse; (C) reduce costs and burdens for new cloud providers seeking authorizations; and (D) drive stronger adoption of secure cloud capabilities and reduce wasteful legacy IT through more transparent collaborations.
2. It establishes the Federal Secure Cloud Advisory Committee and FedRAMP Board to drive transparency.
   The Committee will be established to provide oversight and coordination for agencies leveraging FedRAMP - including providing advice and recommendations related to technical, financial, programmatic, and operational matters regarding the adoption. With no more than 15 members, its composition include at least one (1) independent assessment service representative and five (5) business representatives providing cloud computing services or products (two of which must be small businesses). The Board is expected to provide inputs and recommendations regarding requirements, guidelines, and prioritization of assessments for cloud product and services and include no more than seven (7) agency senior officials or experts in the areas of cloud computing/cybersecurity/privacy/risk management, including the Director's appointments from the Department of Defense, Department of Homeland Security, and GSA.

3. It outlines GSA's role and expected responsibilities in FedRAMP improvements.
   GSA is expected to establish or improve the program to include:
   • (1, 2) processes to streamline agency's ability to review and reuse assessments;
   • (3) templates, best practices, and resources to improve effectiveness and speed of authorizations;
   • (4) formal guidance on boundaries for authorization package to improve transparency of services scope;
   • (5) authorizations granted;
   • (6) public dialogue capability;
   • (7) coordination between the FedRAMP Board, Cybersecurity and Infrastructure Security Agency (CISA), and any other entities to support a continuous monitoring framework;
   • (8) secure information sharing mechanism to enable better package reuse;
   • (9) communications and updates to cloud service providers (CSPs) throughout the process;
   • (10) review cadence of foreign interest information and costs related to independence assessment services;
   • (11) determine sufficiency of underlying standards and requirements for the assessment framework in coordination with National Institute of Standards and Technology (NIST) and other stakeholders;
   • (12, 13) support the Federal Secure Cloud Advisory Commitment and other actions deemed necessary
4. It requires agency actions to actively reduce duplication and maximize reusability.
   Agency heads will also be required to promote the use of FedRAMP authorized cloud products and services, maximize reuse of authorization materials (e.g.: security control assessments), and report agency performance against annual metrics. This will include requiring review of authorized technologies using a central repository before initiating new requests.
5. It timeboxes a deadline on efficacy improvements for both the program and the authorization process itself.
   Within a year of law enactment, GSA will be required to automate security assessment and reviews. GSA must also establish annual metrics on assessment duration and quality in a way that minimize agency reporting burden.

FedRAMP's goals are to enable and accelerate the federal government in cloud adoption through transparent standards and processes while eliminating duplicative efforts using a common security framework. The reform contained with FY2023 NDAA ensures investments are dedicated to building upon FedRAMP improvements sustained in the past decade and truly scale the program for government-wide readiness.