Provisions in the FedRAMP Authorization Act

Published: October 05, 2022

Federal Market Analysis, Cloud Computing, GSA, DHS, Information Technology, Policy and Legislation

Continuous monitoring looms large in a codified FedRAMP program.

Congress's recent inability to pass standalone legislation on its own has led to the packaging of such bills into the annual National Defense Authorization Act (NDAA). The Federal Risk and Authorization Management Program (FedRAMP) Authorization Act is one of those standalone bills, and it appears instead as Section 5911 of the NDAA for fiscal year 2023. Enacting the FY 2023 NDAA will enshrine the General Services Administration's (GSA) FedRAMP program in statute, which should give it a more predictable funding basis.

Specifically, the Act establishes the following roles and responsibilities for the GSA:

  • Implement a process to support agency review, reuse, and standardization of security assessments of cloud computing products and services, including oversight of continuous monitoring.
  • Establish processes and identify criteria to make a cloud computing product or service eligible for a FedRAMP authorization.
  • Publish templates, best practices, technical assistance, and other materials to support the authorization of cloud computing products and services and increase the speed, effectiveness, and transparency of the authorization process.
  • Establish and update guidance on the boundaries of FedRAMP authorization packages to enhance the security and protection of federal information and promote transparency for agencies and users as to which services are included in the scope of a FedRAMP authorization.
  • Grant FedRAMP authorizations to cloud products and services consistent with the guidance and direction of the FedRAMP Board.
  • Establish a public comment process for proposed guidance and other FedRAMP directives that may have a direct impact on cloud service providers and agencies before the issuance of such guidance.
  • Coordinate with the FedRAMP Board and the Director of the Cybersecurity and Infrastructure Security Agency (CISA) to establish and regularly update a framework for continuous monitoring.
  • Provide a secure mechanism for storing and sharing necessary data, including FedRAMP authorization packages, to enable better reuse of such packages across agencies.
  • Provide regular updates to applicant cloud service providers on the status of any cloud computing product or service during an assessment process.

Security Focused

Much of section 5911’s language concerns program practices that are already in place. There appears to be some movement, however, as far as continuous monitoring is concerned.

Even though the FedRAMP program already provides agencies with guidance and best practices concerning continuous monitoring, section 5911 requires the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency to play a part in maintaining the authorization of FedRAMP’ed cloud services through continuous monitoring.

Once the Act is law, agencies will need to have continuous monitoring in place for their cloud service providers, coordinated with CISA. The Act also gives CISA a formal seat at the table: the Federal Secure Cloud Advisory Committee it creates must include one member from CISA. Section 5911 does not name any particular tooling, but in practice this likely means that agencies which have not already integrated the capabilities of the Continuous Diagnostics and Mitigation (CDM) program, and perhaps also DHS's EINSTEIN program, will be expected to do so.

No big deal, right? Perhaps as far as CDM is concerned. EINSTEIN is less certain: the program has come under attack in Congress for failing to detect or stop the SolarWinds and Microsoft Exchange intrusions, and its statutory authorization is due to lapse in December 2022. If EINSTEIN is not reauthorized and the new law is read as tying it to FedRAMP continuous monitoring, that could create complications. Contractors and agencies alike should stay alert for potential disruptions if EINSTEIN lapses and that in turn affects the newly codified FedRAMP program.