[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 3099 Reported in Senate (RS)]

<DOC>

                                                       Calendar No. 383
117th CONGRESS
  2d Session
                                S. 3099

                          [Report No. 117-115]

 To amend title 44, United States Code, to establish the Federal Risk 
   and Authorization Management Program within the General Services 
                Administration, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                            October 28, 2021

   Mr. Peters (for himself, Ms. Hassan, Mr. Hawley, and Mr. Daines) 
introduced the following bill; which was read twice and referred to the 
        Committee on Homeland Security and Governmental Affairs

                              May 24, 2022

               Reported by Mr. Peters, with an amendment
 [Strike out all after the enacting clause and insert the part printed 
                               in italic]

_______________________________________________________________________

                                 A BILL


 To amend title 44, United States Code, to establish the Federal Risk 
   and Authorization Management Program within the General Services 
                Administration, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

<DELETED>SECTION 1. SHORT TITLE.</DELETED>

<DELETED>    This Act may be cited as the ``Federal Secure Cloud 
Improvement and Jobs Act of 2021''.</DELETED>

<DELETED>SEC. 2. FINDINGS.</DELETED>

<DELETED>    Congress finds the following:</DELETED>
        <DELETED>    (1) Ensuring that the Federal Government can 
        securely leverage cloud computing products and services is key 
        to expediting the modernization of legacy information 
        technology systems, increasing cybersecurity within and across 
        departments and agencies, and supporting the continued 
        leadership of the United States in technology innovation and 
        job creation.</DELETED>
        <DELETED>    (2) According to independent analysis, as of 
        calendar year 2019, the size of the cloud computing market had 
        tripled since 2004, enabling more than 2,000,000 jobs and 
        adding more than $200,000,000,000 to the gross domestic product 
        of the United States.</DELETED>
        <DELETED>    (3) The Federal Government, across multiple 
        presidential administrations and Congresses, has continued to 
        support the ability of agencies to move to the cloud, including 
        through--</DELETED>
                <DELETED>    (A) President Barack Obama's ``Cloud First 
                Strategy'';</DELETED>
                <DELETED>    (B) President Donald Trump's ``Cloud Smart 
                Strategy'';</DELETED>
                <DELETED>    (C) the prioritization of cloud security 
                in Executive Order 14208 (86 Fed. Reg. 26633; relating 
                to improving the Nation's cybersecurity), which was 
                issued by President Joe Biden; and</DELETED>
                <DELETED>    (D) more than a decade of appropriations 
                and authorization legislation that provides agencies 
                with relevant authorities and appropriations to 
                modernize on-premises information technology systems 
                and more readily adopt cloud computing products and 
                services.</DELETED>
        <DELETED>    (4) Since it was created in 2011, the Federal Risk 
        and Authorization Management Program (referred to in this 
        section as ``FedRAMP'') at the General Services Administration 
        has made steady and sustained improvements in supporting the 
        secure authorization and reuse of cloud computing products and 
        services within the Federal Government, including by reducing 
        the costs and burdens on both agencies and cloud companies to 
        quickly and securely enter the Federal market.</DELETED>
        <DELETED>    (5) According to data from the General Services 
        Administration, as of the end of fiscal year 2021, there were 
        239 cloud providers with FedRAMP authorizations, and those 
        authorizations had been reused more than 2,700 times across 
        various agencies.</DELETED>
        <DELETED>    (6) Providing a legislative framework for FedRAMP 
        and new authorities to the General Services Administration, the 
        Office of Management and Budget, and Federal agencies will--
        </DELETED>
                <DELETED>    (A) improve the speed at which new cloud 
                computing products and services can be securely 
                authorized;</DELETED>
                <DELETED>    (B) enhance the ability of agencies to 
                effectively evaluate FedRAMP authorized providers for 
                reuse;</DELETED>
                <DELETED>    (C) reduce the costs and burdens to cloud 
                providers seeking a FedRAMP authorization; 
                and</DELETED>
                <DELETED>    (D) provide for more robust transparency 
                and dialogue between industry and the Federal 
                Government to drive stronger adoption of secure cloud 
                capabilities, create jobs, and reduce wasteful legacy 
                information technology.</DELETED>

<DELETED>SEC. 3. TITLE 44 AMENDMENTS.</DELETED>

<DELETED>    (a) Amendment.--Chapter 36 of title 44, United States 
Code, is amended by adding at the end the following:</DELETED>
<DELETED>``Sec. 3607. Definitions</DELETED>
<DELETED>    ``(a) In General.--Except as provided under subsection 
(b), the definitions under sections 3502 and 3552 apply to this section 
through section 3616.</DELETED>
<DELETED>    ``(b) Additional Definitions.--In this section through 
section 3616:</DELETED>
        <DELETED>    ``(1) Cloud computing.--The term `cloud computing' 
        has the meaning given the term in Special Publication 800-145 
        of the National Institute of Standards and 
        Technology.</DELETED>
        <DELETED>    ``(2) Cloud service provider.--The term `cloud 
        service provider' means an entity offering cloud computing 
        products or services to agencies.</DELETED>
        <DELETED>    ``(3) FedRAMP.--The term `FedRAMP' means the 
        Federal Risk and Authorization Management Program established 
        under section 3608.</DELETED>
        <DELETED>    ``(4) FedRAMP authorization.--The term `FedRAMP 
        authorization' means a certification that a cloud computing 
        product or service has--</DELETED>
                <DELETED>    ``(A) completed a FedRAMP authorization 
                process, as determined by the Administrator of General 
                Services; or</DELETED>
                <DELETED>    ``(B) received a FedRAMP provisional 
                authorization to operate, as determined by the FedRAMP 
                Board.</DELETED>
        <DELETED>    ``(5) FedRAMP authorization package.--The term 
        `FedRAMP authorization package' means the essential information 
        that can be used by an agency to determine whether to authorize 
        the operation of an information system or the use of a 
        designated set of common controls for all cloud computing 
        products and services authorized by FedRAMP.</DELETED>
        <DELETED>    ``(6) FedRAMP board.--The term `FedRAMP Board' 
        means the board established under section 3610.</DELETED>
        <DELETED>    ``(7) Independent assessment organization.--The 
        term `independent assessment organization' means a third-party 
        organization accredited by the Administrator of General 
        Services to undertake conformity assessments of cloud service 
        providers and their products or services.</DELETED>
        <DELETED>    ``(8) Secretary.--The term `Secretary' means the 
        Secretary of Homeland Security.</DELETED>
<DELETED>``Sec. 3608. Federal Risk and Authorization Management 
              Program</DELETED>
<DELETED>    ``There is established within the General Services 
Administration the Federal Risk and Authorization Management Program. 
The Administrator of General Services, subject to section 3613, shall 
establish a Government-wide program that provides a standardized, 
reusable approach to security assessment and authorization for cloud 
computing products and services that process unclassified information 
used by agencies.</DELETED>
<DELETED>``Sec. 3609. Roles and responsibilities of the General 
              Services Administration</DELETED>
<DELETED>    ``(a) Roles and Responsibilities.--The Administrator of 
General Services shall--</DELETED>
        <DELETED>    ``(1) in consultation with the Secretary, develop, 
        coordinate, and implement a process to support agency review, 
        reuse, and standardization, where appropriate, of security 
        assessments of cloud computing products and services, 
        including, as appropriate, oversight of continuous monitoring 
        of cloud computing products and services, pursuant to guidance 
        issued by the Director pursuant to section 3613;</DELETED>
        <DELETED>    ``(2) establish processes and identify criteria 
        consistent with guidance issued by the Director under section 
        3613 to make a cloud computing product or service eligible for 
        a FedRAMP authorization and validate whether a cloud computing 
        product or service has a FedRAMP authorization;</DELETED>
        <DELETED>    ``(3) develop and publish templates, best 
        practices, technical assistance, and other materials to support 
        the authorization of cloud computing products and services and 
        increase the speed, effectiveness, and transparency of the 
        authorization process, consistent with standards established by 
        the Director of the National Institute of Standards and 
        Technology and relevant statutes;</DELETED>
        <DELETED>    ``(4) grant FedRAMP authorizations to cloud 
        computing products and services consistent with the guidance 
        and direction of the FedRAMP Board;</DELETED>
        <DELETED>    ``(5) establish and maintain a public comment 
        process for proposed guidance and other FedRAMP directives that 
        may have a direct impact on cloud service providers and 
        agencies before the issuance of such guidance or other FedRAMP 
        directives;</DELETED>
        <DELETED>    ``(6) coordinate with the FedRAMP Board, the 
        Director of the Cybersecurity and Infrastructure Security 
        Agency, and other entities identified by the Administrator of 
        General Services, with the concurrence of the Director and the 
        Secretary, to establish and regularly update a framework for 
        continuous monitoring under section 3553;</DELETED>
        <DELETED>    ``(7) provide a secure mechanism for storing and 
        sharing necessary data, including FedRAMP authorization 
        packages, to enable better reuse of such packages across 
        agencies, including making available any information and data 
        necessary for agencies to fulfill the requirements of section 
        3612;</DELETED>
        <DELETED>    ``(8) provide regular updates to applicant cloud 
        service providers on the status of any cloud computing product 
        or service during an assessment process;</DELETED>
        <DELETED>    ``(9) regularly review, in consultation with the 
        FedRAMP Board, the costs associated with the independent 
        assessment services of the third-party organizations described 
        in section 3611;</DELETED>
        <DELETED>    ``(10) support the Federal Secure Cloud Advisory 
        Committee established pursuant to section 3616; and</DELETED>
        <DELETED>    ``(11) take such other actions as the 
        Administrator of General Services may determine necessary to 
        carry out FedRAMP.</DELETED>
<DELETED>    ``(b) Website.--</DELETED>
        <DELETED>    ``(1) In general.--The Administrator of General 
        Services shall maintain a public website to serve as the 
        authoritative repository for FedRAMP, including the timely 
        publication and updates for all relevant information, guidance, 
        determinations, and other materials required under subsection 
        (a).</DELETED>
        <DELETED>    ``(2) Criteria and process for fedramp 
        authorization priorities.--The Administrator of General 
        Services shall develop and make publicly available on the 
        website described in paragraph (1) the criteria and process for 
        prioritizing and selecting cloud computing products and 
        services that will receive a FedRAMP authorization, in 
        consultation with the FedRAMP Board and the Chief Information 
        Officers Council.</DELETED>
<DELETED>    ``(c) Evaluation of Automation Procedures.--</DELETED>
        <DELETED>    ``(1) In general.--The Administrator of General 
        Services, in coordination with the Secretary, shall assess and 
        evaluate available automation capabilities and procedures to 
        improve the efficiency and effectiveness of the issuance of 
        FedRAMP authorizations, including continuous monitoring of 
        cloud computing products and services.</DELETED>
        <DELETED>    ``(2) Means for automation.--Not later than 1 year 
        after the date of enactment of this section, and updated 
        regularly thereafter, the Administrator of General Services 
        shall establish a means for the automation of security 
        assessments and reviews.</DELETED>
<DELETED>    ``(d) Metrics for Authorization.--The Administrator of 
General Services shall establish annual metrics regarding the time and 
quality of the assessments necessary for completion of a FedRAMP 
authorization process in a manner that can be consistently tracked over 
time in conjunction with the periodic testing and evaluation process 
pursuant to section 3554 in a manner that minimizes the agency 
reporting burden.</DELETED>
<DELETED>``Sec. 3610. FedRAMP Board</DELETED>
<DELETED>    ``(a) Establishment.--There is established a FedRAMP Board 
to provide input and recommendations to the Administrator of General 
Services regarding the requirements and guidelines for, and the 
prioritization of, security assessments of cloud computing products and 
services.</DELETED>
<DELETED>    ``(b) Membership.--The FedRAMP Board shall consist of not 
more than 7 senior officials or experts from agencies appointed by the 
Director, in consultation with the Administrator of General Services, 
from each of the following:</DELETED>
        <DELETED>    ``(1) The Department of Defense.</DELETED>
        <DELETED>    ``(2) The Department of Homeland 
        Security.</DELETED>
        <DELETED>    ``(3) The General Services 
        Administration.</DELETED>
        <DELETED>    ``(4) Such other agencies as determined by the 
        Director, in consultation with the Administrator of General 
        Services.</DELETED>
<DELETED>    ``(c) Qualifications.--Members of the FedRAMP Board 
appointed under subsection (b) shall have technical expertise in 
domains relevant to FedRAMP, such as--</DELETED>
        <DELETED>    ``(1) cloud computing;</DELETED>
        <DELETED>    ``(2) cybersecurity;</DELETED>
        <DELETED>    ``(3) privacy;</DELETED>
        <DELETED>    ``(4) risk management; and</DELETED>
        <DELETED>    ``(5) other competencies identified by the 
        Director to support the secure authorization of cloud services 
        and products.</DELETED>
<DELETED>    ``(d) Duties.--The FedRAMP Board shall--</DELETED>
        <DELETED>    ``(1) in consultation with the Administrator of 
        General Services, serve as a resource for best practices to 
        accelerate the process for obtaining a FedRAMP 
        authorization;</DELETED>
        <DELETED>    ``(2) establish and regularly update requirements 
        and guidelines for security authorizations of cloud computing 
        products and services, consistent with standards established by 
        the Director of the National Institute of Standards and 
        Technology, to be used in the determination of FedRAMP 
        authorizations;</DELETED>
        <DELETED>    ``(3) monitor and oversee, to the greatest extent 
        practicable, the processes and procedures by which agencies 
        determine and validate requirements for a FedRAMP 
        authorization, including periodic review of the agency 
        determinations described in section 3612(b);</DELETED>
        <DELETED>    ``(4) ensure consistency and transparency between 
        agencies and cloud service providers in a manner that minimizes 
        confusion and engenders trust; and</DELETED>
        <DELETED>    ``(5) perform such other roles and 
        responsibilities as the Director may assign, with concurrence 
        from the Administrator of General Services.</DELETED>
<DELETED>    ``(e) Determinations of Demand for Cloud Computing 
Products and Services.--The FedRAMP Board may consult with the Chief 
Information Officers Council to establish a process, which may be made 
available on the website maintained under section 3609(b), for 
prioritizing and accepting the cloud computing products and services to 
be granted a FedRAMP authorization.</DELETED>
<DELETED>``Sec. 3611. Independent assessment organizations</DELETED>
<DELETED>    ``(a) Requirements for Accreditation.--The Administrator 
of General Services may, consistent with guidance issued by the 
Director, determine the requirements for accreditation of a third-party 
organization to perform independent assessments and other activities 
that will improve the overall performance of FedRAMP and reduce the 
cost of FedRAMP authorizations for cloud service providers. Such 
requirements may include developing or requiring certification programs 
for individuals employed by the third-party organization seeking 
accreditation.</DELETED>
<DELETED>    ``(b) Certification.--The Administrator of General 
Services may accredit any third-party organization that meets the 
requirements for accreditation determined under subsection (a). If 
accredited pursuant to the requirements determined under subsection 
(a), a certified independent assessment organization may assess, 
validate, and attest to the quality and compliance of security 
assessment materials provided by cloud service providers.</DELETED>
<DELETED>``Sec. 3612. Roles and responsibilities of agencies</DELETED>
<DELETED>    ``(a) In General.--In implementing the requirements of 
FedRAMP, the head of each agency shall, consistent with guidance issued 
by the Director pursuant to section 3613--</DELETED>
        <DELETED>    ``(1) promote the use of cloud computing products 
        and services that meet FedRAMP security requirements and other 
        risk-based performance requirements as determined by the 
        Director, in consultation with the Secretary;</DELETED>
        <DELETED>    ``(2) confirm whether there is a FedRAMP 
        authorization in the secure mechanism provided under section 
        3609(a)(7) before beginning the process of granting a FedRAMP 
        authorization for a cloud computing product or 
        service;</DELETED>
        <DELETED>    ``(3) to the extent practicable, for any cloud 
        computing product or service the agency seeks to authorize that 
        has received a FedRAMP authorization, use the existing 
        assessments of security controls and materials within the 
        FedRAMP authorization package; and</DELETED>
        <DELETED>    ``(4) provide data and information required to the 
        Director pursuant to section 3613 to determine how agencies are 
        meeting metrics established by the Administrator of General 
        Services.</DELETED>
<DELETED>    ``(b) Attestation.--Upon completing an assessment or 
authorization activity with respect to a particular cloud computing 
product or service, if an agency determines that the information and 
data the agency has reviewed under paragraph (2) or (3) of subsection 
(a) is wholly or substantially deficient for the purposes of performing 
an authorization of the cloud computing product or service, the head of 
the agency shall document as part of the resulting FedRAMP 
authorization package the reasons for this determination.</DELETED>
<DELETED>    ``(c) Submission of Authorizations To Operate Required.--
Upon issuance of an agency authorization to operate based on a FedRAMP 
authorization, the head of the agency shall provide a copy of its 
authorization to operate letter and any supplementary information 
required pursuant to section 3609(a) to the Administrator of General 
Services.</DELETED>
<DELETED>    ``(d) Submission of Policies Required.--Not later than 180 
days after the date on which the Director issues guidance in accordance 
with section 3613, the head of each agency, acting through the agency 
chief information officer of the agency, shall submit to the Director 
all agency policies relating to the authorization of cloud computing 
products and services.</DELETED>
<DELETED>    ``(e) Presumption of Adequacy.--</DELETED>
        <DELETED>    ``(1) In general.--The assessment of security 
        controls and materials within the authorization package for a 
        FedRAMP authorization shall be presumed adequate for use in an 
        agency authorization to operate cloud computing products and 
        services.</DELETED>
        <DELETED>    ``(2) Information security requirements.--The 
        presumption under paragraph (1) does not modify or alter--
        </DELETED>
                <DELETED>    ``(A) the responsibility of any agency to 
                ensure compliance with subchapter II of chapter 35 for 
                any cloud computing products or services used by the 
                agency; or</DELETED>
                <DELETED>    ``(B) the authority of the head of any 
                agency to make a determination that there is a 
                demonstrable need for additional security requirements 
                beyond the security requirements included in a FedRAMP 
                authorization for a particular control 
                implementation.</DELETED>
<DELETED>``Sec. 3613. Roles and responsibilities of the Office of 
              Management and Budget</DELETED>
<DELETED>    ``(a) Roles and Responsibilities.--The Director shall--
</DELETED>
        <DELETED>    ``(1) in consultation with the Administrator of 
        General Services and the Secretary, issue guidance that--
        </DELETED>
                <DELETED>    ``(A) specifies the categories or 
                characteristics of cloud computing products and 
                services that are within the scope of 
                FedRAMP;</DELETED>
                <DELETED>    ``(B) includes requirements for agencies 
                to obtain a FedRAMP authorization when operating a 
                cloud computing product or service described in 
                subparagraph (A) as a Federal information system; 
                and</DELETED>
                <DELETED>    ``(C) encompasses, to the greatest extent 
                practicable, all necessary and appropriate cloud 
                computing products and services;</DELETED>
        <DELETED>    ``(2) issue guidance describing additional 
        responsibilities of FedRAMP and the FedRAMP Board to accelerate 
        the adoption of secure cloud computing services by the Federal 
        Government;</DELETED>
        <DELETED>    ``(3) oversee the effectiveness of FedRAMP and the 
        FedRAMP Board, including the compliance by the FedRAMP Board 
        with the duties described in section 3610(d); and</DELETED>
        <DELETED>    ``(4) to the greatest extent practicable, 
        encourage and promote consistency of the assessment, 
        authorization, adoption, and use of cloud computing products 
        and services within and across agencies.</DELETED>
<DELETED>``Sec. 3614. Authorization of appropriations for 
              FedRAMP</DELETED>
<DELETED>    ``There is authorized to be appropriated to the 
Administrator of General Services $20,000,000 for each fiscal year for 
FedRAMP and the FedRAMP Board.</DELETED>
<DELETED>``Sec. 3615. Reports to congress; GAO report</DELETED>
<DELETED>    ``(a) Reports to Congress.--Not later than 1 year after 
the date of enactment of this section, and annually thereafter, the 
Director shall submit to the Committee on Oversight and Reform of the 
House of Representatives and the Committee on Homeland Security and 
Governmental Affairs of the Senate a report that includes the 
following:</DELETED>
        <DELETED>    ``(1) During the preceding year, the status, 
        efficiency, and effectiveness of the General Services 
        Administration under section 3609 and agencies under section 
        3612 and in supporting the speed, effectiveness, sharing, 
        reuse, and security of authorizations to operate for cloud 
        computing products and services.</DELETED>
        <DELETED>    ``(2) Progress towards meeting the metrics 
        required under section 3609(d).</DELETED>
        <DELETED>    ``(3) Data on FedRAMP authorizations.</DELETED>
        <DELETED>    ``(4) The average length of time to issue FedRAMP 
        authorizations.</DELETED>
        <DELETED>    ``(5) The number of FedRAMP authorizations 
        submitted, issued, and denied for the preceding year.</DELETED>
        <DELETED>    ``(6) A review of progress made during the 
        preceding year in advancing automation techniques to securely 
        automate FedRAMP processes and to accelerate reporting under 
        this section.</DELETED>
        <DELETED>    ``(7) The number and characteristics of authorized 
        cloud computing products and services in use at each agency 
        consistent with guidance provided by the Director under section 
        3613.</DELETED>
<DELETED>    ``(b) GAO Report.--Not later than 180 days after the date 
of enactment of this section, the Comptroller General of the United 
States shall publish a report that includes an assessment of the 
following:</DELETED>
        <DELETED>    ``(1) The costs incurred by agencies and cloud 
        service providers relating to the issuance of FedRAMP 
        authorizations.</DELETED>
        <DELETED>    ``(2) The extent to which agencies have processes 
        in place to continuously monitor cloud computing products and 
        services operating as Federal information systems.</DELETED>
        <DELETED>    ``(3) How often and for which categories of 
        products agencies use FedRAMP authorizations.</DELETED>
        <DELETED>    ``(4) The unique costs and potential burdens 
        incurred by cloud computing companies that are small business 
        concerns (as defined in section 3(a) of the Small Business Act 
        (15 U.S.C. 632(a))) as a part of the FedRAMP authorization 
        process.</DELETED>
<DELETED>``Sec. 3616. Federal Secure Cloud Advisory Committee</DELETED>
<DELETED>    ``(a) Establishment, Purposes, and Duties.--</DELETED>
        <DELETED>    ``(1) Establishment.--There is established a 
        Federal Secure Cloud Advisory Committee (referred to in this 
        section as the `Committee') to ensure effective and ongoing 
        coordination of agency adoption, use, authorization, 
        monitoring, acquisition, and security of cloud computing 
        products and services to enable agency mission and 
        administrative priorities.</DELETED>
        <DELETED>    ``(2) Purposes.--The purposes of the Committee are 
        the following:</DELETED>
                <DELETED>    ``(A) To examine the operations of FedRAMP 
                and determine ways that authorization processes can 
                continuously be improved, including the 
                following:</DELETED>
                        <DELETED>    ``(i) Measures to increase agency 
                        reuse of FedRAMP authorizations.</DELETED>
                        <DELETED>    ``(ii) Proposed actions that can 
                        be adopted to reduce the burden, confusion, and 
                        cost associated with FedRAMP authorizations for 
                        cloud service providers.</DELETED>
                        <DELETED>    ``(iii) Measures to increase the 
                        number of FedRAMP authorizations for cloud 
                        computing services offered by small business 
                        concerns (as defined by section 3(a) of the 
                        Small Business Act (15 U.S.C. 
                        632(a))).</DELETED>
                        <DELETED>    ``(iv) Proposed actions that can 
                        be adopted to reduce the burden and cost of 
                        FedRAMP authorizations for agencies.</DELETED>
                <DELETED>    ``(B) Collect information and feedback on 
                agency compliance with and implementation of FedRAMP 
                requirements.</DELETED>
                <DELETED>    ``(C) Serve as a forum that facilitates 
                communication and collaboration among the FedRAMP 
                stakeholder community.</DELETED>
        <DELETED>    ``(3) Duties.--The duties of the Committee include 
        providing advice and recommendations to the Administrator of 
        General Services, the FedRAMP Board, and agencies on technical, 
        financial, programmatic, and operational matters regarding 
        secure adoption of cloud computing products and 
        services.</DELETED>
<DELETED>    ``(b) Members.--</DELETED>
        <DELETED>    ``(1) Composition.--The Committee shall be 
        comprised of not more than 15 members who are qualified 
        representatives from the public and private sectors, appointed 
        by the Administrator of General Services, in consultation with 
        the Director, as follows:</DELETED>
                <DELETED>    ``(A) The Administrator of General 
                Services or the Administrator of General Services's 
                designee, who shall be the Chair of the 
                Committee.</DELETED>
                <DELETED>    ``(B) At least 1 representative each from 
                the Cybersecurity and Infrastructure Security Agency 
                and the National Institute of Standards and 
                Technology.</DELETED>
                <DELETED>    ``(C) At least 2 officials who serve as 
                the Chief Information Security Officer within an 
                agency, who shall be required to maintain such a 
                position throughout the duration of their service on 
                the Committee.</DELETED>
                <DELETED>    ``(D) At least 1 official serving as Chief 
                Procurement Officer (or equivalent) in an agency, who 
                shall be required to maintain such a position 
                throughout the duration of their service on the 
                Committee.</DELETED>
                <DELETED>    ``(E) At least 1 individual representing 
                an independent assessment organization.</DELETED>
                <DELETED>    ``(F) No fewer than 5 representatives from 
                unique businesses that primarily provide cloud 
                computing services or products, including at least two 
                representatives from a small business concern (as 
                defined by section 3(a) of the Small Business Act (15 
                U.S.C. 632(a))).</DELETED>
                <DELETED>    ``(G) At least 2 other representatives of 
                the Federal Government as the Administrator of General 
                Services determines necessary to provide sufficient 
                balance, insights, or expertise to the 
                Committee.</DELETED>
        <DELETED>    ``(2) Deadline for appointment.--Each member of 
        the Committee shall be appointed not later than 90 days after 
        the date of enactment of this section.</DELETED>
        <DELETED>    ``(3) Period of appointment; vacancies.--
        </DELETED>
                <DELETED>    ``(A) In general.--Each non-Federal member 
                of the Committee shall be appointed for a term of 3 
                years, except that the initial terms for members may be 
                staggered 1-, 2-, or 3-year terms to establish a 
                rotation in which one-third of the members are selected 
                each year. Any such member may be appointed for not 
                more than 2 consecutive terms.</DELETED>
                <DELETED>    ``(B) Vacancies.--Any vacancy in the 
                Committee shall not affect its powers, but shall be 
                filled in the same manner in which the original 
                appointment was made. Any member appointed to fill a 
                vacancy occurring before the expiration of the term for 
                which the member's predecessor was appointed shall be 
                appointed only for the remainder of that term. A member 
                may serve after the expiration of that member's term 
                until a successor has taken office.</DELETED>
<DELETED>    ``(c) Meetings and Rules of Procedures.--</DELETED>
        <DELETED>    ``(1) Meetings.--The Committee shall hold not 
        fewer than 3 meetings in a calendar year, at such time and 
        place as determined by the Chair.</DELETED>
        <DELETED>    ``(2) Initial meeting.--Not later than 120 days 
        after the date of enactment of this section, the Committee 
        shall meet and begin the operations of the Committee.</DELETED>
        <DELETED>    ``(3) Rules of procedure.--The Committee may 
        establish rules for the conduct of the business of the 
        Committee if such rules are not inconsistent with this section 
        or other applicable law.</DELETED>
<DELETED>    ``(d) Employee Status.--</DELETED>
        <DELETED>    ``(1) In general.--A member of the Committee 
        (other than a member who is appointed to the Committee in 
        connection with another Federal appointment) shall not be 
        considered an employee of the Federal Government by reason of 
        any service as such a member, except for the purposes of 
        section 5703 of title 5, relating to travel expenses.</DELETED>
        <DELETED>    ``(2) Pay not permitted.--A member of the 
        Committee covered by paragraph (1) may not receive pay by 
        reason of service on the Committee.</DELETED>
<DELETED>    ``(e) Applicability to the Federal Advisory Committee 
Act.--Section 14 of the Federal Advisory Committee Act (5 U.S.C. App.) 
shall not apply to the Committee.</DELETED>
<DELETED>    ``(f) Detail of Employees.--Any Federal Government 
employee may be detailed to the Committee without reimbursement from 
the Committee, and such detailee shall retain the rights, status, and 
privileges of his or her regular employment without 
interruption.</DELETED>
<DELETED>    ``(g) Postal Services.--The Committee may use the United 
States mails in the same manner and under the same conditions as 
agencies.</DELETED>
<DELETED>    ``(h) Reports.--</DELETED>
        <DELETED>    ``(1) Interim reports.--The Committee may submit 
        to the Administrator of General Services and Congress interim 
        reports containing such findings, conclusions, and 
        recommendations as have been agreed to by the 
        Committee.</DELETED>
        <DELETED>    ``(2) Annual reports.--Not later than 540 days 
        after the date of enactment of this section, and annually 
        thereafter, the Committee shall submit to the Administrator of 
        General Services and Congress a final report containing such 
        findings, conclusions, and recommendations as have been agreed 
        to by the Committee.''.</DELETED>
<DELETED>    (b) Technical and Conforming Amendment.--The table of 
sections for chapter 36 of title 44, United States Code, is amended by 
adding at the end the following new items:</DELETED>

<DELETED>``3607. Definitions.
<DELETED>``3608. Federal Risk and Authorization Management Program.
<DELETED>``3609. Roles and responsibilities of the General Services 
                            Administration.
<DELETED>``3610. FedRAMP Board.
<DELETED>``3611. Independent assessment organizations.
<DELETED>``3612. Roles and responsibilities of agencies.
<DELETED>``3613. Roles and responsibilities of the Office of Management 
                            and Budget.
<DELETED>``3614. Authorization of appropriations for FedRAMP.
<DELETED>``3615. Reports to congress; GAO report.
<DELETED>``3616. Federal Secure Cloud Advisory Committee.''.
<DELETED>    (c) Sunset.--</DELETED>
        <DELETED>    (1) In general.--Effective on the date that is 5 
        years after the date of enactment of this Act, chapter 36 of 
        title 44, United States Code, is amended by striking sections 
        3607 through 3616.</DELETED>
        <DELETED>    (2) Conforming amendment.--Effective on the date 
        that is 5 years after the date of enactment of this Act, the 
        table of sections for chapter 36 of title 44, United States 
        Code, is amended by striking the items relating to sections 
        3607 through 3616.</DELETED>
<DELETED>    (d) Rule of Construction.--Nothing in this section or any 
amendment made by this section shall be construed as altering or 
impairing the authorities of the Director of the Office of Management 
and Budget or the Secretary of Homeland Security under subchapter II of 
chapter 35 of title 44, United States Code.</DELETED>

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Federal Secure Cloud Improvement and 
Jobs Act of 2021''.

SEC. 2. FINDINGS.

    Congress finds the following:
            (1) Ensuring that the Federal Government can securely 
        leverage cloud computing products and services is key to 
        expediting the modernization of legacy information technology 
        systems, increasing cybersecurity within and across departments 
        and agencies, and supporting the continued leadership of the 
        United States in technology innovation and job creation.
            (2) According to independent analysis, as of calendar year 
        2019, the size of the cloud computing market had tripled since 
        2004, enabling more than 2,000,000 jobs and adding more than 
        $200,000,000,000 to the gross domestic product of the United 
        States.
            (3) The Federal Government, across multiple presidential 
        administrations and Congresses, has continued to support the 
        ability of agencies to move to the cloud, including through--
                    (A) President Barack Obama's ``Cloud First 
                Strategy'';
                    (B) President Donald Trump's ``Cloud Smart 
                Strategy'';
                    (C) the prioritization of cloud security in 
                Executive Order 14028 (86 Fed. Reg. 26633; relating to 
                improving the nation's cybersecurity), which was issued 
                by President Joe Biden; and
                    (D) more than a decade of appropriations and 
                authorization legislation that provides agencies with 
                relevant authorities and appropriations to modernize 
                on-premises information technology systems and more 
                readily adopt cloud computing products and services.
            (4) Since it was created in 2011, the Federal Risk and 
        Authorization Management Program (referred to in this section 
        as ``FedRAMP'') at the General Services Administration has made 
        steady and sustained improvements in supporting the secure 
        authorization and reuse of cloud computing products and 
        services within the Federal Government, including by reducing 
        the costs and burdens on both agencies and cloud companies to 
        quickly and securely enter the Federal market.
            (5) According to data from the General Services 
        Administration, as of the end of fiscal year 2021, there were 
        239 cloud providers with FedRAMP authorizations, and those 
        authorizations had been reused more than 2,700 times across 
        various agencies.
            (6) Providing a legislative framework for FedRAMP and new 
        authorities to the General Services Administration, the Office 
        of Management and Budget, and Federal agencies will--
                    (A) improve the speed at which new cloud computing 
                products and services can be securely authorized;
                    (B) enhance the ability of agencies to effectively 
                evaluate FedRAMP authorized providers for reuse;
                    (C) reduce the costs and burdens to cloud providers 
                seeking a FedRAMP authorization; and
                    (D) provide for more robust transparency and 
                dialogue between industry and the Federal Government to 
                drive stronger adoption of secure cloud capabilities, 
                create jobs, and reduce wasteful legacy information 
                technology.

SEC. 3. TITLE 44 AMENDMENTS.

    (a) Amendment.--Chapter 36 of title 44, United States Code, is 
amended by adding at the end the following:
``Sec. 3607. Definitions
    ``(a) In General.--Except as provided under subsection (b), the 
definitions under sections 3502 and 3552 apply to this section through 
section 3616.
    ``(b) Additional Definitions.--In this section through section 
3616:
            ``(1) Administrator.--The term `Administrator' means the 
        Administrator of General Services.
            ``(2) Appropriate congressional committees.--The term 
        `appropriate congressional committees' means the Committee on 
        Homeland Security and Governmental Affairs of the Senate and 
        the Committee on Oversight and Reform of the House of 
        Representatives.
            ``(3) Authorization to operate; federal information.--The 
        terms `authorization to operate' and `Federal information' have 
        the meaning given those terms in Circular A-130 of the Office of 
        Management and Budget entitled `Managing Information as a 
        Strategic Resource', or any successor document.
            ``(4) Cloud computing.--The term `cloud computing' has the 
        meaning given the term in Special Publication 800-145 of the 
        National Institute of Standards and Technology, or any 
        successor document.
            ``(5) Cloud service provider.--The term `cloud service 
        provider' means an entity offering cloud computing products or 
        services to agencies.
            ``(6) FedRAMP.--The term `FedRAMP' means the Federal Risk 
        and Authorization Management Program established under section 
        3608.
            ``(7) FedRAMP authorization.--The term `FedRAMP 
        authorization' means a certification that a cloud computing 
        product or service has--
                    ``(A) completed a FedRAMP authorization process, as 
                determined by the Administrator; or
                    ``(B) received a FedRAMP provisional authorization 
                to operate, as determined by the FedRAMP Board.
            ``(8) Fedramp authorization package.--The term `FedRAMP 
        authorization package' means the essential information that can 
        be used by an agency to determine whether to authorize the 
        operation of an information system or the use of a designated 
        set of common controls for all cloud computing products and 
        services authorized by FedRAMP.
            ``(9) FedRAMP board.--The term `FedRAMP Board' means the 
        board established under section 3610.
            ``(10) Independent assessment service.--The term 
        `independent assessment service' means a third-party 
        organization accredited by the Administrator to undertake 
        conformity assessments of cloud service providers and the 
        products or services of cloud service providers.
            ``(11) Secretary.--The term `Secretary' means the Secretary 
        of Homeland Security.
``Sec. 3608. Federal Risk and Authorization Management Program
    ``There is established within the General Services Administration 
the Federal Risk and Authorization Management Program. The 
Administrator, subject to section 3614, shall establish a Government-
wide program that provides a standardized, reusable approach to 
security assessment and authorization for cloud computing products and 
services that process unclassified information used by agencies.
``Sec. 3609. Roles and responsibilities of the General Services 
              Administration
    ``(a) Roles and Responsibilities.--The Administrator shall--
            ``(1) in consultation with the Secretary, develop, 
        coordinate, and implement a process to support agency review, 
        reuse, and standardization, where appropriate, of security 
        assessments of cloud computing products and services, 
        including, as appropriate, oversight of continuous monitoring 
        of cloud computing products and services, pursuant to guidance 
        issued by the Director pursuant to section 3614;
            ``(2) establish processes and identify criteria consistent 
        with guidance issued by the Director under section 3614 to make 
        a cloud computing product or service eligible for a FedRAMP 
        authorization and validate whether a cloud computing product or 
        service has a FedRAMP authorization;
            ``(3) develop and publish templates, best practices, 
        technical assistance, and other materials to support the 
        authorization of cloud computing products and services and 
        increase the speed, effectiveness, and transparency of the 
        authorization process, consistent with standards and guidelines 
        established by the Director of the National Institute of 
        Standards and Technology and relevant statutes;
            ``(4) establish and update guidance on the boundaries of 
        FedRAMP authorization packages to enhance the security and 
        protection of Federal information and promote transparency for 
        agencies and users as to which services are included in the 
        scope of a FedRAMP authorization;
            ``(5) grant FedRAMP authorizations to cloud computing 
        products and services consistent with the guidance and 
        direction of the FedRAMP Board;
            ``(6) establish and maintain a public comment process for 
        proposed guidance and other FedRAMP directives that may have a 
        direct impact on cloud service providers and agencies before 
        the issuance of such guidance or other FedRAMP directives;
            ``(7) coordinate with the FedRAMP Board, the Director of 
        the Cybersecurity and Infrastructure Security Agency, and other 
        entities identified by the Administrator, with the concurrence 
        of the Director and the Secretary, to establish and regularly 
        update a framework for continuous monitoring under section 
        3553;
            ``(8) provide a secure mechanism for storing and sharing 
        necessary data, including FedRAMP authorization packages, to 
        enable better reuse of such packages across agencies, including 
        making available any information and data necessary for 
        agencies to fulfill the requirements of section 3613;
            ``(9) provide regular updates to applicant cloud service 
        providers on the status of any cloud computing product or 
        service during an assessment process;
            ``(10) regularly review, in consultation with the FedRAMP 
        Board--
                    ``(A) the costs associated with the independent 
                assessment services described in section 3611; and
                    ``(B) the information relating to foreign interests 
                submitted pursuant to section 3612;
            ``(11) in coordination with the Director of the National 
        Institute of Standards and Technology, the Director, the 
        Secretary, and other stakeholders, as appropriate, determine 
        the sufficiency of underlying standards and requirements to 
        identify and assess the provenance of the software in cloud 
        services and products;
            ``(12) support the Federal Secure Cloud Advisory Committee 
        established pursuant to section 3616; and
            ``(13) take such other actions as the Administrator may 
        determine necessary to carry out FedRAMP.
    ``(b) Website.--
            ``(1) In general.--The Administrator shall maintain a 
        public website to serve as the authoritative repository for 
        FedRAMP, including the timely publication and updates for all 
        relevant information, guidance, determinations, and other 
        materials required under subsection (a).
            ``(2) Criteria and process for fedramp authorization 
        priorities.--The Administrator shall develop and make publicly 
        available on the website described in paragraph (1) the 
        criteria and process for prioritizing and selecting cloud 
        computing products and services that will receive a FedRAMP 
        authorization, in consultation with the FedRAMP Board and the 
        Chief Information Officers Council.
    ``(c) Evaluation of Automation Procedures.--
            ``(1) In general.--The Administrator, in coordination with 
        the Secretary, shall assess and evaluate available automation 
        capabilities and procedures to improve the efficiency and 
        effectiveness of the issuance of FedRAMP authorizations, 
        including continuous monitoring of cloud computing products and 
        services.
            ``(2) Means for automation.--Not later than 1 year after 
        the date of enactment of this section, and updated regularly 
        thereafter, the Administrator shall establish a means for the 
        automation of security assessments and reviews.
    ``(d) Metrics for Authorization.--The Administrator shall establish 
annual metrics regarding the time and quality of the assessments 
necessary for completion of a FedRAMP authorization process in a manner 
that can be consistently tracked over time in conjunction with the 
periodic testing and evaluation process pursuant to section 3554 in a 
manner that minimizes the agency reporting burden.
``Sec. 3610. FedRAMP Board
    ``(a) Establishment.--There is established a FedRAMP Board to 
provide input and recommendations to the Administrator regarding the 
requirements and guidelines for, and the prioritization of, security 
assessments of cloud computing products and services.
    ``(b) Membership.--The FedRAMP Board shall consist of not more than 
7 senior officials or experts from agencies appointed by the Director, 
in consultation with the Administrator, from each of the following:
            ``(1) The Department of Defense.
            ``(2) The Department of Homeland Security.
            ``(3) The General Services Administration.
            ``(4) Such other agencies as determined by the Director, in 
        consultation with the Administrator.
    ``(c) Qualifications.--Members of the FedRAMP Board appointed under 
subsection (b) shall have technical expertise in domains relevant to 
FedRAMP, such as--
            ``(1) cloud computing;
            ``(2) cybersecurity;
            ``(3) privacy;
            ``(4) risk management; and
            ``(5) other competencies identified by the Director to 
        support the secure authorization of cloud services and 
        products.
    ``(d) Duties.--The FedRAMP Board shall--
            ``(1) in consultation with the Administrator, serve as a 
        resource for best practices to accelerate the process for 
        obtaining a FedRAMP authorization;
            ``(2) establish and regularly update requirements and 
        guidelines for security authorizations of cloud computing 
        products and services, consistent with standards and guidelines 
        established by the Director of the National Institute of 
        Standards and Technology, to be used in the determination of 
        FedRAMP authorizations;
            ``(3) monitor and oversee, to the greatest extent 
        practicable, the processes and procedures by which agencies 
        determine and validate requirements for a FedRAMP 
        authorization, including periodic review of the agency 
        determinations described in section 3613(b);
            ``(4) ensure consistency and transparency between agencies 
        and cloud service providers in a manner that minimizes 
        confusion and engenders trust; and
            ``(5) perform such other roles and responsibilities as the 
        Director may assign, with concurrence from the Administrator.
    ``(e) Determinations of Demand for Cloud Computing Products and 
Services.--The FedRAMP Board may consult with the Chief Information 
Officers Council to establish a process, which may be made available on 
the website maintained under section 3609(b), for prioritizing and 
accepting the cloud computing products and services to be granted a 
FedRAMP authorization.
``Sec. 3611. Independent assessment
    ``The Administrator may determine whether FedRAMP may use an 
independent assessment service to analyze, validate, and attest to the 
quality and compliance of security assessment materials provided by 
cloud service providers during the course of a determination of whether 
to use a cloud computing product or service.
``Sec. 3612. Declaration of foreign interests
    ``(a) In General.--An independent assessment service that performs 
services described in section 3611 shall annually submit to the 
Administrator information relating to any foreign interest, foreign 
influence, or foreign control of the independent assessment service.
    ``(b) Updates.--Not later than 48 hours after there is a change in 
foreign ownership or control of an independent assessment service that 
performs services described in section 3611, the independent assessment 
service shall submit to the Administrator an update to the information 
submitted under subsection (a).
    ``(c) Certification.--The Administrator may require a 
representative of an independent assessment service to certify the 
accuracy and completeness of any information submitted under this 
section.
``Sec. 3613. Roles and responsibilities of agencies
    ``(a) In General.--In implementing the requirements of FedRAMP, the 
head of each agency shall, consistent with guidance issued by the 
Director pursuant to section 3614--
            ``(1) promote the use of cloud computing products and 
        services that meet FedRAMP security requirements and other 
        risk-based performance requirements as determined by the 
        Director, in consultation with the Secretary;
            ``(2) confirm whether there is a FedRAMP authorization in 
        the secure mechanism provided under section 3609(a)(8) before 
        beginning the process of granting a FedRAMP authorization for a 
        cloud computing product or service;
            ``(3) to the extent practicable, for any cloud computing 
        product or service the agency seeks to authorize that has 
        received a FedRAMP authorization, use the existing assessments 
        of security controls and materials within any FedRAMP 
        authorization package for that cloud computing product or 
        service; and
            ``(4) provide to the Director data and information required 
        by the Director pursuant to section 3614 to determine how 
        agencies are meeting metrics established by the Administrator.
    ``(b) Attestation.--Upon completing an assessment or authorization 
activity with respect to a particular cloud computing product or 
service, if an agency determines that the information and data the 
agency has reviewed under paragraph (2) or (3) of subsection (a) is 
wholly or substantially deficient for the purposes of performing an 
authorization of the cloud computing product or service, the head of 
the agency shall document as part of the resulting FedRAMP 
authorization package the reasons for this determination.
    ``(c) Submission of Authorizations to Operate Required.--Upon 
issuance of an agency authorization to operate based on a FedRAMP 
authorization, the head of the agency shall provide a copy of its 
authorization to operate letter and any supplementary information 
required pursuant to section 3609(a) to the Administrator.
    ``(d) Submission of Policies Required.--Not later than 180 days 
after the date on which the Director issues guidance in accordance with 
section 3614(1), the head of each agency, acting through the chief 
information officer of the agency, shall submit to the Director all 
agency policies relating to the authorization of cloud computing 
products and services.
    ``(e) Presumption of Adequacy.--
            ``(1) In general.--The assessment of security controls and 
        materials within the authorization package for a FedRAMP 
        authorization shall be presumed adequate for use in an agency 
        authorization to operate cloud computing products and services.
            ``(2) Information security requirements.--The presumption 
        under paragraph (1) does not modify or alter--
                    ``(A) the responsibility of any agency to ensure 
                compliance with subchapter II of chapter 35 for any 
                cloud computing product or service used by the agency; 
                or
                    ``(B) the authority of the head of any agency to 
                make a determination that there is a demonstrable need 
                for additional security requirements beyond the 
                security requirements included in a FedRAMP 
                authorization for a particular control implementation.
``Sec. 3614. Roles and responsibilities of the Office of Management and 
              Budget
    ``The Director shall--
            ``(1) in consultation with the Administrator and the 
        Secretary, issue guidance that--
                    ``(A) specifies the categories or characteristics 
                of cloud computing products and services that are 
                within the scope of FedRAMP;
                    ``(B) includes requirements for agencies to obtain 
                a FedRAMP authorization when operating a cloud 
                computing product or service described in subparagraph 
                (A) as a Federal information system; and
                    ``(C) encompasses, to the greatest extent 
                practicable, all necessary and appropriate cloud 
                computing products and services;
            ``(2) issue guidance describing additional responsibilities 
        of FedRAMP and the FedRAMP Board to accelerate the adoption of 
        secure cloud computing products and services by the Federal 
        Government;
            ``(3) in consultation with the Administrator, establish a 
        process to periodically review FedRAMP authorization packages 
        to support the secure authorization and reuse of secure cloud 
        products and services;
            ``(4) oversee the effectiveness of FedRAMP and the FedRAMP 
        Board, including the compliance by the FedRAMP Board with the 
        duties described in section 3610(d); and
            ``(5) to the greatest extent practicable, encourage and 
        promote consistency of the assessment, authorization, adoption, 
        and use of secure cloud computing products and services within 
        and across agencies.
``Sec. 3615. Reports to Congress; GAO report
    ``(a) Reports to Congress.--Not later than 1 year after the date of 
enactment of this section, and annually thereafter, the Director shall 
submit to the appropriate congressional committees a report that 
includes the following:
            ``(1) During the preceding year, the status, efficiency, 
        and effectiveness of the General Services Administration under 
        section 3609 and agencies under section 3613 and in supporting 
        the speed, effectiveness, sharing, reuse, and security of 
        authorizations to operate for secure cloud computing products 
        and services.
            ``(2) Progress towards meeting the metrics required under 
        section 3609(d).
            ``(3) Data on FedRAMP authorizations.
            ``(4) The average length of time to issue FedRAMP 
        authorizations.
            ``(5) The number of FedRAMP authorizations submitted, 
        issued, and denied for the preceding year.
            ``(6) A review of progress made during the preceding year 
        in advancing automation techniques to securely automate FedRAMP 
        processes and to accelerate reporting under this section.
            ``(7) The number and characteristics of authorized cloud 
        computing products and services in use at each agency 
        consistent with guidance provided by the Director under section 
        3614.
            ``(8) A review of FedRAMP measures to ensure the security 
        of data stored or processed by cloud service providers, which 
        may include--
                    ``(A) geolocation restrictions for provided 
                products or services;
                    ``(B) disclosures of foreign elements of supply 
                chains of acquired products or services;
                    ``(C) continued disclosures of ownership of cloud 
                service providers by foreign entities; and
                    ``(D) encryption for data processed, stored, or 
                transmitted by cloud service providers.
    ``(b) GAO Report.--Not later than 180 days after the date of 
enactment of this section, the Comptroller General of the United States 
shall report to the appropriate congressional committees an assessment 
of the following:
            ``(1) The costs incurred by agencies and cloud service 
        providers relating to the issuance of FedRAMP authorizations.
            ``(2) The extent to which agencies have processes in place 
        to continuously monitor the implementation of cloud computing 
        products and services operating as Federal information systems.
            ``(3) How often and for which categories of products and 
        services agencies use FedRAMP authorizations.
            ``(4) The unique costs and potential burdens incurred by 
        cloud computing companies that are small business concerns (as 
        defined in section 3(a) of the Small Business Act (15 U.S.C. 
        632(a))) as a part of the FedRAMP authorization process.
``Sec. 3616. Federal Secure Cloud Advisory Committee
    ``(a) Establishment, Purposes, and Duties.--
            ``(1) Establishment.--There is established a Federal Secure 
        Cloud Advisory Committee (referred to in this section as the 
        `Committee') to ensure effective and ongoing coordination of 
        agency adoption, use, authorization, monitoring, acquisition, 
        and security of cloud computing products and services to enable 
        agency mission and administrative priorities.
            ``(2) Purposes.--The purposes of the Committee are the 
        following:
                    ``(A) To examine the operations of FedRAMP and 
                determine ways that authorization processes can 
                continuously be improved, including the following:
                            ``(i) Measures to increase agency reuse of 
                        FedRAMP authorizations.
                            ``(ii) Proposed actions that can be adopted 
                        to reduce the burden, confusion, and cost 
                        associated with FedRAMP authorizations for 
                        cloud service providers.
                            ``(iii) Measures to increase the number of 
                        FedRAMP authorizations for cloud computing 
                        products and services offered by small 
                        business concerns (as defined by section 3(a) 
                        of the Small Business Act (15 U.S.C. 632(a))).
                            ``(iv) Proposed actions that can be adopted 
                        to reduce the burden and cost of FedRAMP 
                        authorizations for agencies.
                    ``(B) Collect information and feedback on agency 
                compliance with and implementation of FedRAMP 
                requirements.
                    ``(C) Serve as a forum that facilitates 
                communication and collaboration among the FedRAMP 
                stakeholder community.
            ``(3) Duties.--The duties of the Committee include 
        providing advice and recommendations to the Administrator, the 
        FedRAMP Board, and agencies on technical, financial, 
        programmatic, and operational matters regarding secure adoption 
        of cloud computing products and services.
    ``(b) Members.--
            ``(1) Composition.--The Committee shall be comprised of not 
        more than 15 members who are qualified representatives from the 
        public and private sectors, appointed by the Administrator, in 
        consultation with the Director, as follows:
                    ``(A) The Administrator or the Administrator's 
                designee, who shall be the Chair of the Committee.
                    ``(B) At least 1 representative each from the 
                Cybersecurity and Infrastructure Security Agency and 
                the National Institute of Standards and Technology.
                    ``(C) At least 2 officials who serve as the Chief 
                Information Security Officer within an agency, who 
                shall be required to maintain such a position 
                throughout the duration of their service on the 
                Committee.
                    ``(D) At least 1 official serving as Chief 
                Procurement Officer (or equivalent) in an agency, who 
                shall be required to maintain such a position 
                throughout the duration of their service on the 
                Committee.
                    ``(E) At least 1 individual representing an 
                independent assessment service.
                    ``(F) At least 5 representatives from unique 
                businesses that primarily provide cloud computing 
                services or products, including at least 2 
                representatives from a small business concern (as 
                defined by section 3(a) of the Small Business Act (15 
                U.S.C. 632(a))).
                    ``(G) At least 2 other representatives of the 
                Federal Government as the Administrator determines 
                necessary to provide sufficient balance, insights, or 
                expertise to the Committee.
            ``(2) Deadline for appointment.--Each member of the 
        Committee shall be appointed not later than 90 days after the 
        date of enactment of this section.
            ``(3) Period of appointment; vacancies.--
                    ``(A) In general.--Each non-Federal member of the 
                Committee shall be appointed for a term of 3 years, 
                except that the initial terms for members may be 
                staggered 1-, 2-, or 3-year terms to establish a 
                rotation in which one-third of the members are selected 
                each year. Any such member may be appointed for not 
                more than 2 consecutive terms.
                    ``(B) Vacancies.--Any vacancy in the Committee 
                shall not affect its powers, but shall be filled in the 
                same manner in which the original appointment was made. 
                Any member appointed to fill a vacancy occurring before 
                the expiration of the term for which the member's 
                predecessor was appointed shall be appointed only for 
                the remainder of that term. A member may serve after 
                the expiration of that member's term until a successor 
                has taken office.
    ``(c) Meetings and Rules of Procedures.--
            ``(1) Meetings.--The Committee shall hold not fewer than 3 
        meetings in a calendar year, at such time and place as 
        determined by the Chair.
            ``(2) Initial meeting.--Not later than 120 days after the 
        date of enactment of this section, the Committee shall meet and 
        begin the operations of the Committee.
            ``(3) Rules of procedure.--The Committee may establish 
        rules for the conduct of the business of the Committee if such 
        rules are not inconsistent with this section or other 
        applicable law.
    ``(d) Employee Status.--
            ``(1) In general.--A member of the Committee (other than a 
        member who is appointed to the Committee in connection with 
        another Federal appointment) shall not be considered an 
        employee of the Federal Government by reason of any service as 
        such a member, except for the purposes of section 5703 of title 
        5, relating to travel expenses.
            ``(2) Pay not permitted.--A member of the Committee covered 
        by paragraph (1) may not receive pay by reason of service on 
        the Committee.
    ``(e) Applicability to the Federal Advisory Committee Act.--Section 
14 of the Federal Advisory Committee Act (5 U.S.C. App.) shall not 
apply to the Committee.
    ``(f) Detail of Employees.--Any Federal Government employee may be 
detailed to the Committee without reimbursement from the Committee, and 
such detailee shall retain the rights, status, and privileges of his or 
her regular employment without interruption.
    ``(g) Postal Services.--The Committee may use the United States 
mails in the same manner and under the same conditions as agencies.
    ``(h) Reports.--
            ``(1) Interim reports.--The Committee may submit to the 
        Administrator and Congress interim reports containing such 
        findings, conclusions, and recommendations as have been agreed 
        to by the Committee.
            ``(2) Annual reports.--Not later than 540 days after the 
        date of enactment of this section, and annually thereafter, the 
        Committee shall submit to the Administrator and Congress a 
        report containing such findings, conclusions, and 
        recommendations as have been agreed to by the Committee.''.
    (b) Technical and Conforming Amendment.--The table of sections for 
chapter 36 of title 44, United States Code, is amended by adding at the 
end the following new items:

``3607. Definitions.
``3608. Federal Risk and Authorization Management Program.
``3609. Roles and responsibilities of the General Services 
                            Administration.
``3610. FedRAMP Board.
``3611. Independent assessment.
``3612. Declaration of foreign interests.
``3613. Roles and responsibilities of agencies.
``3614. Roles and responsibilities of the Office of Management and 
                            Budget.
``3615. Reports to Congress; GAO report.
``3616. Federal Secure Cloud Advisory Committee.''.
    (c) Sunset.--
            (1) In general.--Effective on the date that is 5 years 
        after the date of enactment of this Act, chapter 36 of title 
        44, United States Code, is amended by striking sections 3607 
        through 3616.
            (2) Conforming amendment.--Effective on the date that is 5 
        years after the date of enactment of this Act, the table of 
        sections for chapter 36 of title 44, United States Code, is 
        amended by striking the items relating to sections 3607 through 
        3616.
    (d) Rule of Construction.--Nothing in this section or any amendment 
made by this section shall be construed as altering or impairing the 
authorities of the Director of the Office of Management and Budget or 
the Secretary of Homeland Security under subchapter II of chapter 35 of 
title 44, United States Code.