Critical FedRAMP legislation passed by the U.S. House of Representatives
Infor applauds the passage of the FedRAMP Authorization Act, H.R. 3941, last week by the U.S. House of Representatives. The House has taken a major step forward to extend the reach of the Federal Risk and Authorization Management Program (FedRAMP) and secure its funding with the February 7 adoption of a bill co-sponsored by Reps. Gerry Connolly (D-VA) and Mark Meadows (R-NC).
“This is a critical piece of legislation that will drive innovation and modernization as governments throughout the nation transition to the cloud,” said Bill St. John, VP and GM of Public Sector North America, Infor, in a December letter to the committee supporting the bill’s progress.
FedRAMP is well established as the federal government’s common standard for cloud security assessment, authorization, and continuous monitoring, and is seeing growing interest from state and local agencies as well as commercial enterprises. Its growing importance and prominence made last week’s vote an important milestone for FedRAMP-authorized cloud service providers, and for the agencies and electronic transactions that depend on them every day.
“Perhaps the greatest business benefit for FedRAMP cloud migration is the requirement to develop and follow clear processes, applying standardized metrics, and ensuring that appropriate mitigation strategies are in place,” St. John added. “Ensuring that duties and responsibilities are assigned in case of a breach or loss of service—and that protocols are in place for recovery and response—improves public and executive confidence in IT system security.”
Infor is a leader in authorizing its platforms and solutions through FedRAMP to meet the highest standards of security for the Federal Government. Currently, 18 Infor solutions are FedRAMP-authorized, while 5 more are in the process of becoming authorized.
Codifying, Extending, and Funding FedRAMP
The U.S. Office of Management and Budget (OMB) introduced FedRAMP in 2011, Fedscoop recalls. “But the Government Accountability Office found this past December that 15 of 24 Chief Financial Officers Act agencies didn’t always use FedRAMP, and OMB didn’t ‘effectively monitor’ their compliance.”
That finding reinforced Connolly’s floor statement that “there is still a lack of reciprocity across agencies in taking advantage of FedRAMP-authorized products.” He added that “without reciprocity, agencies end up duplicating the assessment process of cloud service offerings, leading to inefficiencies for both the federal government and cloud service providers.”
Now, MeriTalk says that if it is passed by the Senate and then signed into law, H.R. 3941 will:
- Codify FedRAMP in U.S. law;
- Establish a presumption of adequacy for cloud services that have received FedRAMP authorization;
- Encourage further automation of the FedRAMP authorization process;
- Establish a Federal Secure Cloud Advisory Committee (FSCAC);
- Require the OMB to ensure that all federal agencies obtain cloud service authorizations through the program;
- Relocate the FedRAMP project management office (PMO) within the U.S. General Services Administration; and
- Allocate up to $20 million per year to support the FedRAMP PMO and Joint Authorization Board (JAB).
Digging Into the Details
Fedscoop describes legislative requirements that dig down beyond general principles, getting into systems and structures that will build on FedRAMP’s already impressive record of achievement. The bill will require the FedRAMP PMO and JAB “to develop metrics around time and quality of security assessments,” with OMB mandated to “track those metrics over time and report progress annually to Congress,” the online publication states.
As well, the 15-member FSCAC will “coordinate the acquisition of cloud products,” with a membership roster that “includes cybersecurity and procurement officials from the General Services Administration, CFO Act agencies and industry.”
That latter provision landed well with the Alliance for Digital Innovation, which welcomed the committee as “a transparent, accountable body of experts from government and industry that will provide recommendations to the administrator of GSA and federal agencies on how to improve FedRAMP and agency cloud authorizations.”
Meanwhile, FedRAMP Director Ashley Mahan told Nextgov that automation will be a central focus for the program over the next year. “The hope is, by the end of this year, we have, largely, the entire authorization package in this machine-readable format,” she said. “We believe that will set that foundation for future automation efforts.”
To learn more about Infor’s Government SaaS offering, with integrated FedRAMP-compliant applications and platforms, read the brochure.
For a discussion of the business benefits of FedRAMP that go beyond compliance, download the white paper.