ITIF Report: Congress, Administration Should Take Additional Steps to Improve FedRAMP

An Information Technology and Innovation Foundation (ITIF) report says the Joint Authorization Board (JAB) and the program management office (PMO) for the Federal Risk and Authorization Management Program (FedRAMP) should require agencies to designate a FedRAMP liaison and conduct pilot programs to identify ways to streamline the program and facilitate reviews and authorization of cloud services.

Congress should also pass a bill that would provide FedRAMP with needed funds to employ more professionals to help accelerate assessments of cloud offerings, ITIF said in the report published Monday.

“Without the necessary changes and funding, the program risks helping, but also hindering, federal agencies to adopt cloud services,” Michael McLaughlin, a research analyst at Washington, D.C.-based public policy think tank ITIF, wrote in the report.

The House passed in February a bill that would codify FedRAMP. ITIF called on Congress to make some changes to the proposed FedRAMP Authorization Act to increase the security and availability of cloud platforms for use by federal agencies.

The changes ITIF proposes are: expanding the JAB; hiring technical professionals within the PMO to develop automation tools and other platforms; broadening the number of authorization metrics tracked; requiring the JAB and agencies to offer authorization packages to the National Institute of Standards and Technology (NIST); and increasing reuse of authorizations by requiring agencies to secure exemptions.
