Legislating Security: The FedRAMP Reform Act of 2018

Published: August 01, 2018


The legislation of FedRAMP adoption is coming.

News came out at the end of July that Rep. Gerry Connolly (D-Va.) recently introduced a bill in the House called the FedRAMP Reform Act of 2018. If passed, the Act would require federal agencies to adopt and implement FedRAMP processes according to guidance put out by the Office of Management and Budget. Agencies would work closely with the General Services Administration’s FedRAMP Program Management Office to implement those processes through the use of program templates provided to cloud service providers and third-party assessment organizations which authorize FedRAMP-approved solutions. The OMB would provide oversight to ensure that agencies are following the guidance and are consistently adopting FedRAMP-approved cloud services.

Behind Rep. Connolly’s proposal is a belief that FedRAMP “continues to suffer from a lack of agency buy in, a lack of metrics, and duplicative processes that have resulted in a lengthy and costly authorization process for cloud service providers.” His bill calls for a set of formal metrics that the FedRAMP PMO can use to “track the time, cost, and quality of the assessments necessary for authorization.”

The move to legislate agency FedRAMP use got me thinking about a couple of things. First, why do agencies migrate to the cloud in the first place? Cloud solutions can save agencies money and provide better security, but the primary reason for adoption is probably to solve a business need. Cloud-based solutions for everything from human resources management to Voice over IP must provide agencies with some benefit that they haven’t realized up to this point. In some cases this means that agencies adopt commercial solutions which haven’t received FedRAMP certification. Rep. Connolly’s bill strives to make it cheaper and easier for companies to get their solutions approved, which is a very good idea, but it will take time for the templates and guidance to be developed even after the process of getting the legislation passed is complete. What is a realistic timeframe for the legislation to pass and have an impact? My guess is one or two years, during which the FedRAMP program will have authorized dozens more commercial solutions (90 solutions are currently in the approval process or pending approval, according to FedRAMP.gov).

Then there is the claim about agencies slow-rolling the adoption of FedRAMP-approved solutions. Is this accurate? The data shows that agency procurement of FedRAMP-certified solutions has accelerated significantly in recent years, nearly tripling from fiscal 2016 to fiscal 2017 alone. In percentage terms that is growth of 172%. From fiscal 2015 to fiscal 2017 the leap is even larger, amounting to 291% growth.

Vendors should expect this kind of adoption to continue, even in the absence of legislation mandating it. Simplifying and expediting the approval process is a worthy goal, and Rep. Connolly’s bill will drive it, so the writing is on the wall. More than ever, vendors will need FedRAMP approval to compete in the federal marketplace.