[Congressional Bills 114th Congress]
[From the U.S. Government Publishing Office]
[S. 3263 Introduced in Senate (IS)]
114th CONGRESS
2d Session
S. 3263
To promote innovation and realize the efficiency gains and economic
benefits of on-demand computing by accelerating the acquisition and
deployment of innovative technology and computing resources throughout
the Federal Government, and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
July 14, 2016
Mr. Moran (for himself, Mr. Udall, Mr. Daines, and Mr. Warner)
introduced the following bill; which was read twice and referred to the
Committee on Homeland Security and Governmental Affairs
_______________________________________________________________________
A BILL
To promote innovation and realize the efficiency gains and economic
benefits of on-demand computing by accelerating the acquisition and
deployment of innovative technology and computing resources throughout
the Federal Government, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Modernizing Outdated and Vulnerable
Equipment and Information Technology Act of 2016'' or the ``MOVE IT
Act''.
SEC. 2. FINDINGS AND PURPOSES.
(a) Findings.--Congress finds the following:
(1) National Institute of Standards and Technology Special
Publication 800-145 describes cloud computing as an evolving
paradigm for information technology that is a model for
enabling ubiquitous, convenient, on-demand network access to a
shared pool of configurable computing resources (i.e.,
networks, servers, storage, applications, and services) that
can be rapidly provisioned and released with minimal management
effort or service provider interaction.
(2) Together, the efficiencies, cost savings, and greater
computing power enabled by cloud computing have the potential
to--
(A) eliminate inappropriate duplication, reduce
costs, and address waste, fraud, and abuse in providing
Government services that are publicly available;
(B) address the critical need for cybersecurity by
design; and
(C) move the Federal Government into a broad
digital-services delivery model that could transform
the fashion in which the Federal Government provides
services to the people of the United States.
(b) Purposes.--The purposes of this Act are to--
(1) accelerate the acquisition and deployment of cloud
computing services by addressing key impediments and roadblocks
in funding, development, and acquisition practices;
(2) support and expand an efficient Federal certification
standard for qualifying cloud services providers under the
Federal Risk and Authorization Management Program using a
``qualify once, use many times'' efficiency model that strikes
an appropriate balance between--
(A) encouraging the adoption of strong security
practices to protect against the harm of cyber
intrusions and hacks; and
(B) avoiding the imposition of unduly burdensome
and restrictive requirements on cloud computing service
providers that would deter investment in innovative
cloud computing services;
(3) assist agencies in migrating to cloud computing
services by providing guidance and oversight of agency
enterprise-wide information technology portfolios suitable for
and identifiable as suitable for a cloud-based delivery model;
and
(4) provide for Federal agencies to procure cloud computing
services that adhere to sound security practices.
SEC. 3. FEDERAL RISK AND AUTHORIZATION MANAGEMENT PROGRAM.
(a) In General.--Except as provided under subsection (b), a covered
agency may not store or process Government information on a Federal
information system with any cloud service provider, unless the provider
has an authorization to operate, or a provisional authorization to
operate, covering the proposed scope of work, from the covered agency
or the Joint Authorization Board. A covered agency operating under a
provisional authorization to operate shall issue an authorization to
operate as soon as practicable and may not rely on the provisional
authorization to operate for the duration of the scope of work.
(b) Waiver of Requirements.--
(1) In general.--The Director of National Intelligence, or
a designee of the Director, may waive the applicability to any
national security system of any provision of this section if
the Director of National Intelligence, or the designee,
determines that such waiver is in the interest of national
security.
(2) Notification.--Not later than 30 days after exercising
a waiver under this subsection, the Director of National
Intelligence, or the designee of the Director, as the case may
be, shall submit to the Committee on Homeland Security and
Governmental Affairs and the Select Committee on Intelligence
of the Senate and the Committee on Oversight and Government
Reform and the Permanent Select Committee on Intelligence of
the House of Representatives a statement describing and
justifying the waiver.
(c) Rule of Construction.--Nothing in this section shall be
construed as limiting the ability of the Office of Management and
Budget to update or modify Federal guidelines relating to the security
of cloud computing.
SEC. 4. EXPANDED INDUSTRY COLLABORATION AND METRICS DEVELOPMENT FOR THE
FEDERAL RISK AND AUTHORIZATION MANAGEMENT PROGRAM OFFICE.
(a) In General.--The Director shall coordinate with the Federal
Risk and Authorization Management Program Office to establish mandatory
guidelines for the submission of an application for an authorization to
operate and related materials to the Federal Risk and Authorization
Management Program Office.
(b) Contents.--The guidelines established under subsection (a)
shall streamline and accelerate the Federal Risk and Authorization
Management Program accreditation process by meeting the following
requirements:
(1) Not less frequently than monthly, report to the
applicant the status, expected time to completion, and other
key indicators related to compliance for an application for
authorization to operate submitted to the Federal Risk and
Authorization Management Program Office.
(2) Enhanced training and industry liaison opportunities
for covered agencies and cloud service providers.
(3) A clarification of--
(A) the role and authority of third party
assessment organizations in the Federal Risk and
Authorization Management Program process for
authorizations to operate by covered agencies;
(B) the extent to which the Federal Risk and
Authorization Management Program Office may identify
and begin to accept or rely upon certifications from
other standards development organizations or third
party assessment organizations; and
(C) the responsibility of covered agencies to
sponsor a Federal Risk and Authorization Management
Program authorization to operate as part of making
Federal Risk and Authorization Management Program
compliance a condition for entering into a contract or
providing cloud computing services to a covered agency.
(c) FedRAMP Liaison Group.--
(1) In general.--The Director, in coordination with the
Program Management Office and the National Institute of
Standards and Technology, shall host a public-private industry
cloud commercial working group (in this subsection referred to
as the ``FedRAMP Liaison Group'') representing cloud service
providers.
(2) Composition and functions.--The FedRAMP Liaison Group--
(A) shall include representatives of cloud service
providers;
(B) may include such working groups as are
determined appropriate by the FedRAMP Liaison Group;
(C) shall be hosted by the General Services
Administration, who shall convene plenary meetings on a
quarterly basis with individual working groups meeting
as frequently as determined by the group; and
(D) shall consult with and provide recommendations
directly to the Program Management Office and the Joint
Authorization Board of the Federal Risk and
Authorization Management Program regarding the
operations, processes improvements, and best practices
of the Office and Board.
(3) FACA exemption.--The Federal Advisory Committee Act
shall not apply to the FedRAMP Liaison Group.
(d) Providing Dedicated Agency Support.--The Program Management
Office shall work with each covered agency to support and guide the
efforts of the agency--
(1) to establish and issue the authorization to operate for
the agency;
(2) to facilitate authorization approval, support, and
direct interfacing with cloud service providers; and
(3) to facilitate partnership among agencies to efficiently
support activities related to obtaining an authorization to
operate.
(e) Metrics.--The Director, in coordination with the National
Institute of Standards and Technology and the FedRAMP Liaison Group,
shall establish key performance metrics for the Federal Risk and
Authorization Management Program Office, which shall include--
(1) recommendations for maximum time limits for the
completion of authorizations to operate by service categories
of cloud service providers, not to exceed six months;
(2) targets for the streamlining of the authorization to
operate through the use of innovative templates and transparent
submission requirements; and
(3) recommendations for satisfying Federal continuous
monitoring requirements.
(f) Report Required.--Not later than one year after the date of the
enactment of this Act, the Director shall submit to the Committees on
Appropriations and Oversight and Government Reform of the House of
Representatives and the Committees on Appropriations and Homeland
Security and Governmental Affairs of the Senate a report on the
effectiveness and efficiency of the Federal Risk and Authorization
Management Program Office.
SEC. 5. ADDITIONAL BUDGET AUTHORITIES FOR THE MODERNIZATION OF IT
SYSTEMS.
(a) Assessment of Cloud First Implementation.--Not later than 90
days after the date of the enactment of this Act, the Director, in
consultation with the Chief Information Officers Council, shall assess
cloud computing opportunities and issue policies and guidelines for the
adoption of Governmentwide programs providing for a standardized
approach to security assessment and operational authorization for cloud
computing products and services.
(b) Information Technology System Modernization and Working Capital
Fund.--
(1) Establishment.--There is established in each covered
agency an information technology system modernization and
working capital fund (hereafter ``IT working capital fund'')
for necessary expenses for the agency described in paragraph
(2).
(2) Source of funds.--Amounts may be deposited into an IT
working capital fund as follows:
(A) Reprogramming of funds, including reprogramming
of any funds available on the date of enactment of this
Act for the operation and maintenance of legacy
systems, in compliance with any applicable
reprogramming law or guidelines of the Committees on
Appropriations of the House of Representatives and the
Senate.
(B) Transfer of funds, including transfer of any
funds available on the date of enactment of this Act
for the operation and maintenance of legacy systems,
but only if transfer authority is specifically provided
for by law.
(C) Amounts made available through discretionary
appropriations.
(3) Use of funds.--An IT working capital fund established
under paragraph (1) may be used only for the following:
(A) The replacement of a legacy information
technology system.
(B) The transition to cloud computing and
innovative platforms and technologies subject to a
transition plan for any project that costs more than
$5,000,000 and approved by the Federal Chief
Information Officer according to such guidelines as the
Office of Management and Budget may designate.
(C) To assist and support agency efforts to provide
adequate, risk-based, and cost-effective information
technology capabilities that address evolving threats
to information security.
(D) Developmental, modernization, and enhancement
activities of information technology.
(4) Existing funds.--An IT working capital fund may not be
used to supplant funds provided for the operation and
maintenance of any system already within an appropriation for
the agency at the time of establishment of the IT working
capital fund.
(5) Reprogramming and transfer of funds.--The head of each
covered agency shall prioritize funds within the IT working
capital fund to be used initially for cost savings activities
approved by the Federal Chief Information Officer, in
consultation with the Chief Information Officer of the covered
agency. The head of each covered agency may--
(A) reprogram any amounts saved as a direct result
of such activities for deposit into the applicable IT
working capital fund, consistent with paragraph (2)(A),
except that any such reprogramming of amounts in excess
of $500,000 shall be reported to the Committees on
Appropriations of the House of Representatives and the
Senate 30 days in advance of such reprogramming; and
(B) transfer any amounts saved as a direct
result of such activities for deposit into the
applicable IT working capital fund, consistent with
paragraph (2)(B), except that any such transfer of
amounts in excess of $500,000 shall be reported to the
Committees on Appropriations of the House of
Representatives and the Senate 30 days in advance of
such transfer.
(6) Return of funds.--Any funds deposited into an IT
working capital fund must be obligated no later than 3 years
after the date of such deposit. Any funds that are unobligated
3 years after such date shall be rescinded and deposited into
the general fund of the Treasury and reported to the Committees
on Appropriations of the House of Representatives and the
Senate.
(7) Semiannual report required.--Not later than 6 months
after the date of the enactment of this Act, and semiannually
thereafter, the head of any covered agency that uses an IT
working capital fund shall submit to the Committees on
Appropriations and Oversight and Government Reform of the House
of Representatives and the Committees on Appropriations and
Homeland Security and Governmental Affairs of the Senate a
report on the obligation and expenditure of funds made
available under this section.
(c) GAO Report.--Not later than one year after the date of the
enactment of this Act, and annually thereafter for five years, the
Comptroller General of the United States shall submit to the Committees
on Appropriations and Oversight and Government Reform of the House of
Representatives and the Committees on Appropriations and Homeland
Security and Governmental Affairs of the Senate a report--
(1) on the implementation and operation of each IT working
capital fund established under this section;
(2) that identifies current practices and compares the
practices with industry best practices in areas such as the
effective oversight and governance of a cloud computing working
capital fund; and
(3) that describes the basis for the use and operation of
an IT working capital fund, the efficacy of the working capital
fund to accelerate technology transitions, and recommendations
for further improvement for the working capital fund.
SEC. 6. DEFINITIONS.
In this Act:
(1) Authorization to operate.--The term ``authorization to
operate'' means an approval and accreditation, including a
provisional authorization to operate, regarding the security
and operational qualifications of a cloud computing service
provider to offer secure, reliable cloud computing service to a
covered agency, that may be issued by the Joint Authorization
Board, any successor entity, or the head of a covered agency.
(2) Cloud computing.--The term ``cloud computing'' has the
meaning given that term by the National Institute of Standards
and Technology in NIST Special Publication 800-145 and any
amendatory or superseding document thereto.
(3) Cloud service provider.--The term ``cloud service
provider'' means an entity offering cloud computing
infrastructure, platforms, or software for commercial and
Government entities.
(4) Covered agency.--The term ``covered agency'' means each
agency listed in section 901(b) of title 31, United States
Code.
(5) Director.--The term ``Director'' means the Director of
the Office of Management and Budget.
(6) Federal risk and authorization management program
office.--The term ``Federal Risk and Authorization Management
Program Office'' or ``Program Management Office'' means the
Federal Risk and Authorization Management Program Office, or
any successor thereto.
(7) Information system.--The term ``information system''
has the meaning given that term under section 3502 of title 44,
United States Code.
(8) Information technology.--The term ``information
technology'' has the meaning given that term under section
11101 of title 40, United States Code.
(9) Legacy information technology system.--The term
``legacy information technology system'' means an outdated or
obsolete information technology that is no longer supported by
the originating vendor or manufacturer.
(10) National security system.--The term ``national
security system'' has the meaning given that term under section
3552 of title 44, United States Code.
(11) Third party assessment organization.--The term ``third
party assessment organization'' means a third party
accreditation body that conducts a conformity assessment of a
cloud service data provider to ensure the provider meets
security and operational guidelines issued by the Federal Risk
and Authorization Management Program Office.