Rep. Gerry Connolly, D-Va., has introduced a bill that would reform the government’s process for authorizing commercial cloud products and services through the Federal Risk and Authorization Management Program.
Connolly’s office said Friday that the FedRAMP Reform Act of 2018 would also institute agency compliance measures and create new metrics to properly implement such measures.
He noted the bill seeks to clarify the responsibilities of federal and industry stakeholders, establish a process for Congress to evaluate the program’s progress and provide certainty to customers.
Established five years ago, FedRAMP offers a uniform approach for the government to assess, authorize and monitor cloud offerings.
The legislation seeks to reform this process through six steps. First, it would codify FedRAMP by identifying the responsibilities of each federal agency involved with the program.
The Office of Management and Budget will issue guidance to implement FedRAMP principles, while the General Services Administration will be in charge of the actual implementation of those principles.
Second, OMB will be tasked with ensuring that agencies are in compliance with any requirements related to FedRAMP.
Third, to monitor whether FedRAMP is being properly implemented, the FedRAMP Management Office under the GSA will be required to craft metrics concerning time, cost and quality of the assessments. Also, OMB and GSA will be tasked with submitting a yearly report to Congress on the status and performance of the FedRAMP PMO.
Fourth, the FedRAMP PMO would be required to automate its procedures.
Fifth, to fast-track certification processes, a Joint Authorization Board’s issuance of an authorization to operate (ATO) shall be deemed valid.
Finally, for transparency purposes, when an agency issues an ATO, it is required to furnish a copy of said ATO to the FedRAMP PMO.