

115 HR 6550 IH: Federal Risk and Authorization Management Program Reform Act of 2018
U.S. House of Representatives
2018-07-26
text/xml
EN
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.



115th CONGRESS, 2d Session
H. R. 6550
IN THE HOUSE OF REPRESENTATIVES
July 26, 2018
Mr. Connolly (for himself and Mr. Meadows) introduced the following bill; which was referred to the Committee on Oversight and Government Reform
A BILL
To enhance the innovation, security, and availability of Federal Government cloud services by establishing the Federal Risk and Authorization Management Program within the Office of Management and Budget Office of Electronic Government and by establishing a risk management, authorization, and continuous monitoring process to enable the Federal Government to leverage cloud computing services using a risk-based approach consistent with the Federal Information Security Reform Act of 2014 and cloud-based operations, and for other purposes.
	
1. Short title
This Act may be cited as the Federal Risk and Authorization Management Program Reform Act of 2018 or the FedRAMP Authorization Act.
2. Codification of the FedRAMP program
 (a) Amendment. Chapter 36 of title 44, United States Code, is amended by adding at the end the following new sections:
				
3607. Federal Risk and Authorization Management Program
 (a) Establishment. There is established within the General Services Administration an office to be known as the FedRAMP Program Management Office that shall be responsible for the Federal Risk and Authorization Management Program. FedRAMP is a specific Government certification program that examines and accredits cloud service providers that offer Federal cloud computing services for sale, lease, or purchase to Federal agency cloud customers. The FedRAMP Program Management Office embodies the goal of a qualify once, use many times process through the issuance of certifications in the form of provisional authorizations to operate.
 (b) Components of FedRAMP. There are established as components of FedRAMP the Joint Authorization Board and the Program Management Office, or such successor offices as the Office of Management and Budget, through the Office of Electronic Government, may determine.
 (c) FedRAMP duties. The Director of the Office of Management and Budget and the Administrator of General Services, or their designees, shall work together to do the following:
 (1) Issue guidance on categories and characteristics of information technology goods or services that are within the jurisdiction of FedRAMP and that require FedRAMP certification.
 (2) Issue guidance for the establishment and implementation of FedRAMP to conduct security assessments, reviews, and appropriate oversight of continuous monitoring of cloud services used by agencies.
 (3) Not later than 180 days after the date of the enactment of this section, and annually thereafter, submit to Congress a report on the status and performance of the FedRAMP Program Management Office, including the status and disposition of waiver requests to FedRAMP submitted to the FedRAMP Program Management Office by agencies and a description of and progress towards meeting the metrics adopted by the FedRAMP Program Management Office pursuant to section 3608(e), as submitted to the Administrator by that Office.
3608. Roles and responsibilities of the FedRAMP Program Management Office
 (a) Implementation. Upon delegation from the Office of Electronic Government, the Administrator shall oversee the implementation of FedRAMP, including—
 (1) appointing a Program Director to oversee the FedRAMP Program Management Office;
 (2) hiring professional staff as may be necessary for the effective operation of the FedRAMP Program Management Office, and such other activities as are essential to properly perform critical functions; and
 (3) such other actions as the Administrator may determine necessary to carry out this section.
 (b) Authority and duties. The FedRAMP Program Management Office shall have the following authority and duties:
 (1) Provide guidance to agencies regarding compliance with requirements, guidelines, and standards developed by the National Institute of Standards and Technology.
 (2) Provide guidance to third party assessment organizations in using and applying the requirements, guidelines, and standards adopted by FedRAMP.
 (3) Provide guidance to agencies on appropriate use of and acquisition of FedRAMP approved services, including the role of cloud brokers and cloud service integrators.
 (4) In consultation with the Director and the Secretary of Homeland Security, issue guidance for agencies on monitoring and reporting on the usage and demand of cloud computing, use of automation, and use of commercial cloud services to the fullest extent practical.
 (5) In consultation with the Federal Chief Information Officer, oversee and issue guidelines regarding the qualifications, roles, and responsibilities of third party assessment organizations, in consultation with the National Institute of Standards and Technology.
 (6) Develop standards and templates, including a summary risk report template for third party assessment organizations that informs the security assessment report to complement the existing authorization package artifacts and serve as an authorization decision-making tool.
 (7) Coordinate with stakeholders to provide guidance and recommendations to FedRAMP. Stakeholders to include—
 (A) agency cloud customers;
 (B) cloud service providers;
 (C) third party assessment organizations;
 (D) agency Offices of Inspector General; and
 (E) the Government Accountability Office.
 (8) Establish and maintain a public comment process for newly issued or revised guidance adopted by FedRAMP.
 (c) Evaluation of automation procedures. The FedRAMP Program Management Office shall assess and evaluate available automation procedures to accelerate the processing of FedRAMP applications.
 (d) Metrics for certification. The FedRAMP Program Management Office shall adopt specific metrics regarding the time, cost, and quality of the assessments necessary for completion of a FedRAMP authorization process in a manner that can be consistently tracked over time, which shall be done in conjunction with the periodic testing and evaluation process pursuant to subchapter II of chapter 35 in a manner that minimizes the agency reporting burden.
3609. Roles and responsibilities of the Joint Authorization Board
 (a) Establishment. There is established the Joint Authorization Board, which shall consist of the Chief Information Officers, or their designees, of the Department of Defense, the Department of Homeland Security, and the General Services Administration.
 (b) Issuance of provisional authorizations to operate. The Joint Authorization Board shall have the authority to issue provisional authorizations to operate to cloud service providers that meet FedRAMP security guidelines set forth in the Common Security Control Baseline.
 (c) Duties. The Joint Authorization Board shall—
 (1) review and validate cloud service provider and third party assessment organization security assessment packages;
 (2) in consultation with the FedRAMP Program Management Office, serve as a resource for best practices to accelerate the FedRAMP process;
 (3) obtain such professional staff as may be necessary for the effective operation of FedRAMP and such other activities as are essential to properly perform critical functions;
 (4) such other roles and responsibilities as the FedRAMP Program Management Office may assign, as agreed to by the FedRAMP Program Management Office and members of the Joint Authorization Board; and
 (5) appoint technical representatives responsible for FedRAMP activities within each Joint Authorization Board agency.
3610. Roles and responsibilities of third party assessment organizations
 (a) Requirements for certification. The FedRAMP Program Management Office, in consultation with the Joint Authorization Board, shall determine the requirements for certification of third party assessment organizations. Such requirements may include developing or requiring certification programs for individuals employed by the third party assessment organizations who lead FedRAMP assessment teams.
 (b) Assessment. Accredited third party assessment organizations shall assess, validate, and attest to the quality and compliance of security assessment materials provided by cloud service providers.
 (c) Summary risk report. Accredited third party assessment organizations shall develop a risk report that summarizes the security assessment report to complement the existing authorization package artifacts and serve as an authorization decision-making tool.
3611. Roles and responsibilities of agencies
 (a) In general. In implementing and enforcing the requirements of FedRAMP, Federal agency cloud customers shall—
 (1) create policies to implement FedRAMP requirements;
 (2) issue agency-specific authorizations to operate for Federal cloud computing services in compliance with subchapter II of chapter 35;
 (3) be in compliance with any FedRAMP requirements, unless a waiver is issued by the Director;
 (4) provide data to the Director on how agencies are meeting metrics as defined by the FedRAMP Program Management Office pursuant to section 3614(b); and
 (5) if applicable, ensure that any contract is in compliance with FedRAMP requirements.
 (b) Submission of policies required. Not later than 6 months after the date of the enactment of this section, Federal agency cloud customers shall submit to the Director the policies created pursuant to subsection (a)(1) for review and approval.
 (c) Submission of authorizations to operate required. Upon issuance of an authorization to operate, the head of the relevant agency shall provide a copy of the authorization to operate letter to the FedRAMP Program Management Office and the cloud service provider to enable the FedRAMP Program Management Office to track and assess all forms of authorizations to operate on a Governmentwide basis.
 (d) Presumption of adequacy. Any provisional authorization to operate issued by the Joint Authorization Board shall be considered to be presumptively adequate by agencies, subject to technical or programmatic rebuttal by an agency that disagrees with the adequacy or sufficiency of the certification. This rebuttable presumption of adequacy shall not derogate, modify, or alter the responsibility of any agency to ensure compliance with subchapter II of chapter 35 for any Federal cloud computing services that the agency deploys.
 (e) Waiver or exception. The Chief Information Officer of each agency may request a waiver or exception to specific FedRAMP requirements. Such request for waiver shall be in accordance with the determinations and findings issued under section 3612(2). The determinations and findings shall be submitted to the FedRAMP Program Management Office and the Director, along with such supporting articles as may be required under guidelines issued by FedRAMP.
 (f) Agency reports required. Not later than 90 days after the date on which any guidance is issued pursuant to section 3608(b)(4) from the FedRAMP Program Management Office, the head of each agency shall submit to the Director a report on cloud computing usage and the potential demand for cloud computing.
3612. Roles and responsibilities of the Office of Management and Budget
The Director shall have the following duties:
 (1) Highlight current guidance or issue new guidance to ensure that an agency does not operate a Federal Government cloud computing service using Government data without issuing an authorization to operate issued by the agency that meets the requirements of subchapter II of chapter 35 and FedRAMP.
 (2) Issue guidance and templates for agency determinations and findings for waivers to the requirements of FedRAMP (any request by an agency for such a waiver must set forth unique agency-specific technical, operational, or managerial requirements necessary for agency operations).
 (3) Define alternatives and agency best practices for compliance with the Trusted Internet Connection for agencies connecting to a cloud service provider.
 (4) Grant waivers or exceptions to specific FedRAMP requirements as may be necessary by the submission of agency determinations and findings that meet the OMB guidelines for FedRAMP waivers pursuant to paragraph (2).
 (5) Ensure agencies are in compliance with any guidance or other requirements issued related to FedRAMP.
3613. Funding of FedRAMP
The FedRAMP Program Management Office may, to the extent deemed appropriate by the Administrator and in consultation with the Director, use funds contained within the Acquisition Services Fund described under section 321 of title 40 or such other funds as may be available for the operations of FedRAMP.
3614. Reporting
 (a) In general. Not later than 18 months after the date of the enactment of this section, and annually thereafter, the Director shall submit to the Committee on Oversight and Government Reform of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate a report that includes the following:
 (1) The status, efficiency, and effectiveness of FedRAMP during the preceding year in authorizing and recertifying secure cloud solutions for Federal agency cloud customers.
 (2) The length of time for Federal agency cloud customers to issue authorizations to operate during the preceding year.
 (3) Agency requests for FedRAMP waivers.
 (4) Progress during the preceding year in advancing automation techniques to securely automate FedRAMP processes and to accelerate reporting as described in this section.
 (5) Number of cloud computing systems in use at each agency and the number of cloud computing authorizations to operate.
 (b) GAO report. Not later than 2 years after the date of enactment of this section, and every three years thereafter, the Comptroller General shall submit to the Oversight and Government Reform Committee of the House of Representatives and the Homeland Security and Governmental Affairs Committee of the Senate an assessment of FedRAMP, third party assessment organizations, and Federal agency cloud customers, including the following:
 (1) An evaluation of the impact and continuing need for specific cloud security controls.
 (2) A review of the adequacy of resources to run FedRAMP.
 (3) The development of reusability and the potential for the use and adoption of reciprocal standards, whether from Government or the private sector, as substitutes for specific security controls in use by the FedRAMP Program Management Office.
3615. Definitions
 (a) In general. Except as provided under paragraph (2), the definitions under sections 3502 and 3552 apply to sections 3607 through 3614.
 (b) Additional definitions. In sections 3607 through 3614:
 (1) Administrator. The term Administrator means the Administrator of General Services.
 (2) Cloud broker. The term cloud broker means an entity that manages the use, performance, and delivery of cloud computing services and negotiates relationships between cloud service providers and cloud consumers.
 (3) Cloud computing. The term cloud computing means a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (such as networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction (as defined by the National Institute of Standards and Technology pursuant to the National Institute of Standards and Technology Act (15 U.S.C. 278g–3), including NIST Special Publication 800–145) or any successor thereto.
 (4) Cloud service integrator. The term cloud service integrator means a systems or service integrator that specializes in cloud computing services.
 (5) Cloud service provider. The term cloud service provider means a third party entity offering cloud computing services to the Federal Government.
 (6) Common security control baseline. The term common security control baseline means the guidance issued pursuant to section 3607(c)(2).
 (7) Director. The term Director means the Director of the Office of Management and Budget.
 (8) Federal agency cloud customer. The term Federal agency cloud customer means an agency using cloud computing services.
 (9) Federally controlled information system. The term federally controlled information system or Federal information system means an information system used or operated by a Federal agency cloud customer as set forth and in compliance with the guidelines and requirements of section 3554 of title 40.
 (10) Federal Government cloud computing services. The term Federal Government cloud computing services means a cloud computing service that is used or operated by a Federal agency cloud customer upon a federally controlled information system.
 (11) FedRAMP. The term FedRAMP means the Federal Risk and Authorization Management Program established under section 3607(a).
 (12) FedRAMP Program Management Office. The term FedRAMP Program Management Office means the office that administers FedRAMP.
 (13) FedRAMP security controls baseline. The term FedRAMP security controls baseline means those security controls that cloud service providers and agencies must, at a minimum, address to receive a provisional authorization to operate, as defined by the FedRAMP Program Management Office.
 (14) Joint Authorization Board. The term Joint Authorization Board means the Joint Authorization Board established under section 3609.
 (15) Technical representative. The term technical representative means an agency’s technical representative to the Joint Authorization Board designated by the member agency of the Joint Authorization Board.
 (16) Third party assessment organization. The term third party assessment organization means a third-party organization accredited by the Program Director of the FedRAMP Program Management Office to undertake conformity assessments of cloud service providers.
 (b) Technical and conforming amendment. The table of sections for chapter 36 of title 44, United States Code, is amended by adding at the end the following new items:
				
					
						3607. Federal Risk and Authorization Management Program.
						3608. Roles and responsibilities of the FedRAMP Program Management Office.
						3609. Roles and responsibilities of the Joint Authorization Board.
						3610. Roles and responsibilities of third party assessment organizations.
						3611. Roles and responsibilities of the agencies.
						3612. Funding of FedRAMP.
						3613. Reporting.
						3614. Definitions.
			