FedRAMP moves toward formal authorization
The FedRAMP Authorization Act cleared the House Feb. 5, authorizing the Federal Risk and Authorization Management Program for another five years at $20 million annually. The bill went to the Senate, where it was referred to the Committee on Homeland Security and Governmental Affairs.
H.R. 3941 would officially establish FedRAMP within the General Services Administration, codifying the responsibilities and duties of the program's administrator, the Joint Authorization Board (JAB) and the Program Management Office (PMO). Those roles were first described in 2011 in the Office of Management and Budget memo that created the program to help agencies adopt cloud services.
The bill includes a section that calls for the PMO to evaluate automation options to improve the way authorities to operate (ATOs) are issued and continuous monitoring is conducted. Within a year of enactment, the bill requires the PMO to establish a means for automating security assessments and reviews.
The bill also attempts to streamline the approval process by presuming that an issued ATO is "adequate for use in agency authorizations of cloud computing products and services." It requires a centralized repository that collects and shares data from the JAB, including security authorization packages, so agencies can better reuse those packages.
The Federal Secure Cloud Advisory Committee is another upgrade. The committee is dedicated to examining how the cloud process could be improved for FedRAMP stakeholders and includes representatives from both federal agencies and cloud service providers.
The Congressional Budget Office put the cost of the FedRAMP Authorization Act at $20 million annually between 2020 and 2025 for the operation of the PMO and the JAB, with an additional $3 million over five years for the Federal Secure Cloud Advisory Committee.