Cybersecurity experts say that ‘authorizing FedRAMP is the first step to fully and robustly resourcing the program’ after it was established in 2011
The National Defense Authorization Act for fiscal year 2023 was released on Tuesday night, including key language to codify the Federal Risk and Authorization Management Program, or FedRAMP.
The sweeping annual defense bill features the FedRAMP Authorization Act, which would officially authorize the government-wide cybersecurity certification and risk management program overseen by the General Services Administration. The act is designed to promote the federal implementation of FedRAMP, which aims to provide the government with a standardized certification and assessment process for acquiring secure cloud services.
Trade groups and technology organizations have pushed lawmakers to include language supporting FedRAMP codification in the latest annual defense policy bill after the House passed the authorization act in September. Ross Nodurft, executive director of the Alliance for Digital Innovation and the former head of the Office of Management and Budget's cyber team, told FCW his organization supports the inclusion of the FedRAMP Authorization Act in the NDAA.
"ADI believes that authorizing FedRAMP is the first step to fully and robustly resourcing the program so that it can accredit the many cloud-based technologies the government needs," he said.
The authorization act would establish a board, a public-private cloud advisory committee and additional measures to streamline the program's use and boost government-wide implementation. The GSA administrator would also be tasked with providing a public online repository with timely guidance and resources for FedRAMP customers.
While the certification program established in 2011 has been credited with accelerating the federal government's transition to the cloud, a lack of funding and additional resources has led to implementation challenges across the government.
The Government Accountability Office found in 2019 that many of the 24 federal agencies it reviewed were continuing to use cloud services that were not authorized through the program, while four major agencies selected for a more thorough review did not report required information around their cloud system's security plans and in security assessment reports.
The Information Technology and Innovation Foundation has also called on Congress to provide FedRAMP with critical funding, writing in a recent report: "Congress and the administration should do more to improve FedRAMP and provide it with the necessary funding to hire more people to review cloud services promptly."
Lena Smart, chief information security officer of the cloud database company MongoDB, told FCW she hopes a forthcoming national cybersecurity strategy will feature "more investment in the FedRAMP program" to "move the 'cloud-first' project forward more quickly."
"The process has to be expedited to enable government agencies to move to the cloud and modernize their digital infrastructure while taking advantage of the security features that it has to offer," she said.