[House Hearing, 116 Congress]
[From the U.S. Government Publishing Office]


      TO THE CLOUD! THE CLOUDY ROLE OF FEDRAMP IN IT MODERNIZATION

=======================================================================

                                HEARING

                               BEFORE THE

                 SUBCOMMITTEE ON GOVERNMENT OPERATIONS

                                 OF THE

                         COMMITTEE ON OVERSIGHT
                               AND REFORM

                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED SIXTEENTH CONGRESS

                             FIRST SESSION
                               __________

                             JULY 17, 2019
                               __________

                           Serial No. 116-48
                               __________

      Printed for the use of the Committee on Oversight and Reform
      

                  Available on: http://www.govinfo.gov
                    http://www.oversight.house.gov or
                        http://www.docs.house.gov
                        
                        
                              ___________

                    U.S. GOVERNMENT PUBLISHING OFFICE
                    
37-585 PDF                 WASHINGTON : 2019                          
                        
                        
                        
                   COMMITTEE ON OVERSIGHT AND REFORM

                 ELIJAH E. CUMMINGS, Maryland, Chairman

Majority Members:
Carolyn B. Maloney, New York
Eleanor Holmes Norton, District of Columbia
Wm. Lacy Clay, Missouri
Stephen F. Lynch, Massachusetts
Jim Cooper, Tennessee
Gerald E. Connolly, Virginia
Raja Krishnamoorthi, Illinois
Jamie Raskin, Maryland
Harley Rouda, California
Katie Hill, California
Debbie Wasserman Schultz, Florida
John P. Sarbanes, Maryland
Peter Welch, Vermont
Jackie Speier, California
Robin L. Kelly, Illinois
Mark DeSaulnier, California
Brenda L. Lawrence, Michigan
Stacey E. Plaskett, Virgin Islands
Ro Khanna, California
Jimmy Gomez, California
Alexandria Ocasio-Cortez, New York
Ayanna Pressley, Massachusetts
Rashida Tlaib, Michigan

Minority Members:
Jim Jordan, Ohio, Ranking Minority Member
Paul A. Gosar, Arizona
Virginia Foxx, North Carolina
Thomas Massie, Kentucky
Mark Meadows, North Carolina
Jody B. Hice, Georgia
Glenn Grothman, Wisconsin
James Comer, Kentucky
Michael Cloud, Texas
Bob Gibbs, Ohio
Ralph Norman, South Carolina
Clay Higgins, Louisiana
Chip Roy, Texas
Carol D. Miller, West Virginia
Mark E. Green, Tennessee
Kelly Armstrong, North Dakota
W. Gregory Steube, Florida
Fred Keller, Pennsylvania

                     David Rapallo, Staff Director
              Wendy Ginsberg, Subcommittee Staff Director
                          Joshua Zucker, Clerk

               Christopher Hixon, Minority Staff Director

                      Contact Number: 202-225-5051
                                 ------                                

                 Subcommittee on Government Operations

                 Gerald E. Connolly, Virginia, Chairman
Majority Members:
Eleanor Holmes Norton, District of Columbia
John P. Sarbanes, Maryland
Jackie Speier, California
Brenda L. Lawrence, Michigan
Stacey E. Plaskett, Virgin Islands
Ro Khanna, California
Stephen F. Lynch, Massachusetts
Jamie Raskin, Maryland

Minority Members:
Mark Meadows, North Carolina, Ranking Minority Member
Thomas Massie, Kentucky
Jody Hice, Georgia
Glenn Grothman, Wisconsin
James Comer, Kentucky
Ralph Norman, South Carolina
W. Gregory Steube, Florida



                         C  O  N  T  E  N  T  S

                              ----------                              
Hearing held on July 17, 2019

                               Witnesses

Panel I
Anil Cheriyan, Director, Technology Transformation Services, 
  General Services Administration
  Oral Statement
Jack Wilmer, Deputy Chief Information Officer, Cybersecurity, 
  U.S. Department of Defense
  Oral Statement
Joseph Klimavicz, Deputy Assistant Attorney General and Chief 
  Information Officer, U.S. Department of Justice
  Oral Statement
Jose Arrieta, Chief Information Officer, U.S. Department of 
  Health and Human Services
  Oral Statement

Panel II
Douglas Barbin, Principal, Schellman & Company, LLC
  Oral Statement
Jonathan Berroya, Senior Vice President and General Counsel, 
  Internet Association
  Oral Statement
Will Ackerly, Chief Technology Officer, Virtru
  Oral Statement
Lynn Martin, Vice President of Government, Education, and 
  Healthcare, VMware
  Oral Statement

The written opening statement and the witnesses' written 
  statements are available on the U.S. House of Representatives 
  Repository at: https://docs.house.gov.

                           Index of Documents

                              ----------                              

The documents listed below are available at: https://docs.house.gov.

  * QFR's: from Chairman Connolly.

  * QFR's: from Rep. Meadows.

  * QFR Responses from: Will Ackerly, Chief Technology Officer, 
  Virtru; Douglas Barbin, Principal, Schellman & Company, LLC; 
  Jack Wilmer, Deputy Chief Information Officer, U.S. Department 
  of Defense; Lynn Martin, Vice President of Government, 
  Education, and Healthcare.

 
      TO THE CLOUD! THE CLOUDY ROLE OF FEDRAMP IN IT MODERNIZATION

                              ----------                              


                        Wednesday, July 17, 2019

                   House of Representatives
             Subcommittee on Government Operations,
                          Committee on Oversight and Reform
                                                   Washington, D.C.

    The subcommittee met, pursuant to notice, at 11:11 a.m., in 
room 2154, Rayburn House Office Building, Hon. Gerald E. 
Connolly (chairman of the subcommittee) presiding.
    Present: Representatives Connolly, Norton, Lawrence, 
Khanna, Meadows, Massie, Grothman, and Steube.
    Mr. Connolly. Thank you.
    The subcommittee will come to order. And without objection, 
the chair is authorized to declare a recess of the committee at 
any time.
    The subcommittee is convening regarding the role of FedRAMP 
in IT modernization, with the intention to introduce 
legislation to codify the program. This hearing will inform 
that legislation.
    I now recognize myself for an opening statement.
    I want to welcome everyone here to the hearing on the topic 
of cloud computing, specifically Federal acquisition of secure 
cloud computing services. Cloud computing has the potential to 
help agencies modernize their information technology, while 
saving taxpayers money, by eliminating the cost to the 
government of building, operating, and maintaining those IT 
products themselves.
    The Federal Risk and Authorization Management Program, 
known as FedRAMP, was established in 2011 to provide a 
standardized governmentwide approach to security assessment 
authorization and continuous monitoring of cloud computing 
services. In short, FedRAMP is supposed to reduce the 
redundancies of Federal cloud migration.
    Recognizing the potential of cloud computing, the previous 
administration established FedRAMP with the goals of reducing 
duplicative efforts, inconsistencies, and cost inefficiencies 
with the security authorization process; establishing a 
private-public partnership to promote innovation and the 
advancement of more secure information technologies; using an 
agile and flexible framework that will enable the Federal 
Government to accelerate the adoption of cloud computing; 
creating transparent standards and processes for security 
authorizations; and allowing agencies to leverage security 
authorizations on a governmentwide scale.
    Unfortunately, since the program began, cloud service 
providers, some of whom are our constituents, have expressed 
concerns regarding FedRAMP's efficiency, effectiveness, and 
transparency. These stakeholders have noted that the process to 
become FedRAMP certified can be expensive and time consuming. 
What was supposed to be an expedited process, six months, may 
be costing a quarter of a million dollars, instead, in many 
cases, took years and takes years and can cost companies 
millions of dollars, the very opposite of what FedRAMP was 
designed to achieve.
    In an audit of the FedRAMP program management office's 
goals and objectives, the General Services Administration 
Inspector General found that, while FedRAMP PMO has taken 
action to address some of these concerns, additional action is 
needed to strengthen the PMO to better meet the needs and 
requirements of the program.
    Last month, the Trump administration issued its Federal 
Cloud Computing Strategy called Cloud Smart, which reaffirmed 
the administration's support for FedRAMP. While acknowledging 
that the FedRAMP program management office has made 
improvements to the program and has reduced the amount of time 
it takes to authorize a cloud service provider in most cases, 
the policy also notes there's still a lack of reciprocity 
across agencies in adopting FedRAMP authorizations, which has 
led to significant duplication of effort when assessing the 
security of a cloud service offering.
    The policy also notes that a large number of agency-
specific processes has made it complicated for agencies to 
issue an authorization to operate for cloud services, even when 
a cloud service provider has already been authorized at other 
agencies. And that is a concern the ranking member and I have 
shared for the last two Congresses.
    The Federal Government must do better when it comes to 
acquiring cloud computing technologies. We cannot afford to 
repeat the siloed processes of past IT acquisitions that's led 
to spending $90 billion annually, a large chunk of which is on 
maintaining legacy systems. However, we can't leverage the 
potential of cloud computing if the processes are slower than 
the speed at which the technology itself advances.
    In a report published in April of this year, the GAO 
analyzed IT dashboard data of 16 agencies to evaluate those 
agencies' use of cloud services for fiscal years 2016 through 
2018 and projected use in 2019. In Fiscal Year 2016, those 16 
agencies reported 8 percent of their IT investments, on 
average, used cloud services, with that average projected to 
increase by 11 percent in fiscal 2019. Some agencies, such as 
Social Security and GSA, projected nearly 40 percent of their 
total IT investments would be for cloud computing services, a 
100 percent increase.
    As more of the Federal Government continues to increase its 
investment in cloud computing, I believe we can achieve the 
original goals laid out for FedRAMP. Last year, the ranking 
member, Mr. Meadows, and I introduced legislation to codify the 
program and to enable wider agency reuse of existing 
authorizations to operate. We're working on legislation 
together this year that would maintain those two objectives 
while also helping to improve the program by increasing the use 
of automation and providing for more transparency, all while 
continuing to ensure that cloud computing services are secure 
for use by Federal agencies.
    The bill establishes a presumption of adequacy for those 
security assessments that have been FedRAMP-certified to 
increase agency reuse of authorizations. It requires FedRAMP to 
establish and make public metrics on the length and quality of 
assessments and to report progress toward meeting those metrics 
to Congress. It calls on FedRAMP to find ways to automate the 
process to increase the efficiency of security assessments.
    I hope those are all needed improvements we can agree on, 
and that includes the Trump administration. I don't often say 
it, but I think we're on the same page.
    I want to thank all of our witnesses for coming to today's 
hearing. I look forward to hearing from them about the current 
state of FedRAMP and how the process could be improved and 
about the future of cloud computing in the Federal Government.
    And with that, I call upon my good friend, the 
distinguished ranking member from North Carolina, Mr. Meadows, 
for his opening statement.
    Mr. Meadows. Thank you, Mr. Chairman.
    Thank all of you for being here.
    Mr. Chairman, I just want to highlight your leadership in 
this area and truly how you've worked, not only in a bipartisan 
way, but you have been very inclusive on this issue that is 
critical, and I just want to say I thank you for that.
    Obviously, as we look at FedRAMP and what it is and what it 
is not, it's all about providing agencies state-of-the-art 
transformative power, and yet what we've--as the chairman has 
highlighted, going back all the way to 2011 when the first 
cloud, Cloud First initiative was first introduced, and as he 
mentioned, the Cloud Smart announcement earlier this year, it 
is critical that we are all on the same sheet of music and that 
we are rowing in the right direction.
    And I think probably the frustration for me many times is 
that the Federal Government that spends over a hundred billion 
dollars a year on IT is so lagging behind the private sector. I 
can get--I can have cloud computing in a secure environment 
much quicker than it seems like some of our Federal agencies. 
And that's not to be condemning of anyone here or any of you, 
because I think from your nodding you share my concern. And yet 
what we have to do, as the chairman highlighted, is make sure 
that we take these same efficiencies that are available to both 
the private and public sector and make sure that it's not 
laborious in its implementation.
    We've had great successes with the pilots and where we are 
now, and as the chairman mentioned, we're working on 
legislation again this Congress to try to make sure that, not 
only is it codified, but that we take some of the stumbling 
blocks, as the chairman mentioned, some of the implementation, 
it just needs to go faster.
    I was at OPM the other day, and we were looking at some of 
their systems and what they had to go through to actually just 
do basic functions that I could probably do on an iPhone now, 
and yet we've got these legacy systems that--and they have to 
go in and log in and out of so many different systems to get 
something that, honestly, if it was in the clouds, we would 
have access to all of that where we would be able to ping it 
from multiple locations.
    But this is all about making sure that we have great 
cybersecurity as well. And so I don't want us to be fast and 
yet run into some of the same cybersecurity concerns that we 
have been plagued with under the legacy systems that we have 
already.
    You know, the FedRAMP has worked with over 150 agencies, 
220 cloud providers, and saved over $250 million. That's a 
great story to tell. And we've seen the growth of this growing 
at some 33 percent each year, and yet some of those benefits 
still need room for improvement. And so what we want to hear as 
a committee in a bipartisan way is how can we improve it, how 
can we codify it, and how can we make it so that agencies, when 
they make this decision, it gets done quickly. And so anything 
we can do to streamline that process is great.
    I look forward to working with all of you and the chairman 
on this topic. You know, he said he wants to, you know, reach 
for the clouds, and I think it's time we ramp it up. How about 
that? All right.
    I yield back.
    Mr. Connolly. I thank my good friend. And I want to thank 
him for being a great partner for a number of years on the 
whole information technology management challenge in the 
Federal Government. We've worked together in a bipartisan basis 
on FITARA, on MGT, on the sunset provisions of FITARA and now 
on FedRAMP, and we're going to continue that bipartisan 
tradition on this subcommittee, on this subject for sure.
    We now have a panel of four members. We have Anil Cheriyan, 
the director of Technology Information Services at GSA, the 
General Services Administration; Jack Wilmer, the deputy chief 
information officer for Cybersecurity at the Department of 
Defense; Joseph Klimavicz--is that right?
    Mr. Klimavicz. Klimavicz.
    Mr. Connolly [continuing]. Klimavicz, deputy assistant 
attorney general and chief information officer at the U.S. 
Department of Justice; and Jose Arrieta, chief information 
officer at the U.S. Department of Health and Human Services.
    If you all four would stand and raise your right hand to be 
sworn in. It is our custom to hear sworn testimony in this 
committee.
    Do you swear or affirm that the testimony you're about to 
give is the truth, the whole truth, and nothing but the truth, 
so help you God?
    Let the record show that all four witnesses answered in the 
affirmative.
    The microphones are sensitive. So if you'll speak directly 
into them like I'm doing, you can be heard.
    And we'll begin with you, Mr. Cheriyan.

STATEMENT OF ANIL CHERIYAN, DIRECTOR, TECHNOLOGY TRANSFORMATION 
           SERVICES, GENERAL SERVICES ADMINISTRATION

    Mr. Cheriyan. Thank you.
    Chairman Connolly, Ranking Member Meadows, and 
distinguished members of the subcommittee, good morning, and 
thank you for the opportunity to testify here.
    I am Anil Cheriyan, deputy commissioner of the Federal 
Acquisition Services and director of Technology and 
Transformation Services within the GSA. Prior to joining the 
GSA in January of this year, I served as a CIO at SunTrust 
Banks, where as part of the executive leadership team, I led 
digital, data, and operational transformation for various parts 
of the bank. Also in my SunTrust role, I led a sectorwide 
committee on cybersecurity standards, and so I understand the 
criticality of this program for government.
    I joined TTS because I was attracted to its mission of 
making the lives of the American public better by leveraging 
technology. FedRAMP, I believe, is an integral part of this 
mission. At its core, the value proposition of FedRAMP is 
threefold. One, it's about creating a single--leveraging a 
single consistent standard for authorizing cloud products to 
improve the security posture of Federal Government. Two, it's 
to allow cloud service providers and agencies to have an 
authorization in a streamlined, cost-effective manner. Three, 
it's to encourage the reuse of these authorizations across the 
Federal Government, thereby saving effort and cost on the part 
of agencies and the industry.
    I've been at the GSA for a little over six months now, and 
I'd like to share with you some of my initial observations and 
thoughts on the future.
    I believe FedRAMP is turning a corner and is on the path to 
success. FedRAMP provides tremendous value to both government 
and industry. While the process has evolved over time and some 
of the improvements have shown great results, there's still 
opportunities to further improve FedRAMP's performance.
    Prior to its inception in 2012, agencies issued their own 
authorizations to operate, using their own standards, and the 
FedRAMP process was established to create a common 
authorization process that can be used across Federal 
Government.
    The program has made several improvements based on industry 
feedback, frankly, with program additions such as FedRAMP 
Connect, FedRAMP Ready, FedRAMP Tailored, FedRAMP Accelerated. 
In addition, we have increased outreach to agencies and cloud 
providers. Let me highlight some of the outcomes of these 
process improvements.
    So after a relatively slow start where it took three years 
to authorize 50--40 products, we authorized 40 products in 2018 
alone. As of today, there's 143 products authorized, with 
nearly 70 in the pipeline. We've decreased timelines by almost 
50 percent, with authorizations taking, on average, 5-1/2 to 
eight months. In the last two years, the number of agencies 
have grown by roughly 40 percent to 156 agencies. And reuse has 
grown as well, with the average reuse of eight times. On some 
cases, in some instances, some products are reused over 150 
times. We believe this has saved agencies and industry over 
$285 million in cost avoidance.
    So while--as I mentioned before, while these improvements 
are great, there are still real opportunities to show 
improvements. So looking ahead, I plan to leverage my prior 
industry expertise and continue to drive improvements, working 
in close partnership with industry and agencies.
    And here are some immediate short-term improvement 
opportunities that we've already embarked on. In order to 
better channel the feedback from industry and agencies, we will 
participate in the recently established ACT-IAC FedRAMP working 
group. Second, we will further streamline processes and 
automate processes and workloads, as well as evaluate a threat-
based approach to authorization. In addition, we will expand 
our industry and agency training to further clarify any process 
concerns.
    I'm sure we'll come up with additional opportunities, but 
this is by no means the sum total of all opportunities. There's 
significant opportunities as the process improves and evolves 
further.
    So I'd like to summarize by saying I believe FedRAMP is 
turning the corner and it's on the path to success. And I'm 
committed to work in close partnership with industry and 
agencies to continue to make improvements.
    Again, thank you, and I look forward to the opportunity to 
obtain your feedback and answer any questions.
    Mr. Connolly. Thank you, Mr. Cheriyan.
    And by the way, in drafting our bill, we had very useful 
input from your colleagues at GSA and they were productive and 
helpful, and we appreciate that.
    Mr. Wilmer.

STATEMENT OF JACK WILMER, DEPUTY CHIEF INFORMATION OFFICER FOR 
           CYBERSECURITY, U.S. DEPARTMENT OF DEFENSE

    Mr. Wilmer. Good morning, Mr. Chairman, Ranking Member 
Meadows, and distinguished members of the subcommittee. Thank 
you for this opportunity to testify today on the effectiveness 
of the Federal Risk and Authorization Management Program, 
FedRAMP.
    I am Jack Wilmer, the deputy CIO for Cybersecurity and the 
chief information security officer for the Department of 
Defense. I also serve by delegation from the DOD CIO as one of 
the three chairs of the FedRAMP Joint Authorization Board.
    Today, I will provide background on DOD's participation in 
FedRAMP, the effectiveness of FedRAMP, and the synergy between 
DOD and the FedRAMP Program Management Office to provide 
authorization for cloud services for the Federal Government.
    DOD has been a partner in the FedRAMP program from its 
inception, and our involvement has been a major benefit to the 
Department. We have leveraged FedRAMP to make about 140 cloud 
service offerings available for use in DOD thus far.
    DOD supports the FedRAMP program by providing technical 
assessments and continuous monitoring support and by providing 
strategic programmatic support and oversight through the Joint 
Authorization Board.
    The FedRAMP JAB is a critical collaboration venue for 
improving cloud cybersecurity practices across the Federal 
Government, and provides efficiency through the issuance of JAB 
Provisional Authorizations to Operate, or P-ATOs, to cloud 
service providers.
    A JAB P-ATO allows the Federal Government to evaluate cloud 
service offerings once and reuse many times. Federal mission 
owners leverage the risk information enumerated by the JAB in 
the P-ATO, and as of June 1, 2019, there have been over 722 
reuses of JAB-authorized services, resulting in over $180 
million in cost avoidance.
    DOD provides full reciprocity for cloud service providers 
who have been granted a FedRAMP moderate authorization for use 
with DOD public data. However, as a result of the threats which 
routinely target DOD systems, we require cloud providers to 
meet cybersecurity requirements specified by the Committee for 
National Security Systems to be able to process any DOD-
controlled unclassified information. These additional 
requirements only add 38 controls to the 325 required for the 
FedRAMP moderate baseline.
    We issue a DOD provisional authorization to systems that 
have met our requirements, and this process adds one to six 
weeks to the FedRAMP certification process, depending on the 
sensitivity and complexity of the system. We have issued 120 
provisional authorizations through reciprocity with the 
moderate baseline and have only had to require additional DOD 
assessments for 20 cloud services.
    As the Department continues its transition to the cloud, it 
is becoming more important to increase the speed of 
authorizations for new cloud capabilities. One upcoming change 
for DOD is that we will now issue a general provisional 
authorization which will cover any cloud service offering which 
has been assessed at the FedRAMP moderate baseline. This means 
that cloud service providers will not have to wait for a 
separate DOD authorization to have their services used for DOD 
public data. This use case covers the vast majority of DOD 
provisional authorizations that have been issued to date, and 
we expect to make this change within a month.
    We continue to review opportunities to improve 
authorization timelines through communication with vendors and 
the interagency stakeholders, and we strive to achieve as much 
consistency as possible between the FedRAMP and DOD security 
control baselines.
    I would like to emphasize the importance of FedRAMP and the 
standardized approach the program provides for cloud products 
and services. This approach saves money, time, and staff 
required to conduct the Department's security assessments.
    Thank you for the opportunity to testify this morning, and 
I look forward to your questions.
    Mr. Connolly. Thank you, Mr. Wilmer.
    Mr. Klimavicz.

   STATEMENT OF JOSEPH KLIMAVICZ, DEPUTY ASSISTANT ATTORNEY 
   GENERAL AND CHIEF INFORMATION OFFICER, U.S. DEPARTMENT OF 
                            JUSTICE

    Mr. Klimavicz. Good morning, Chairman Connolly, Ranking 
Member Meadows, and distinguished members of the subcommittee. 
Thank you for your continued commitment to improving 
information technology across the Federal Government, and thank 
you for the opportunity to appear today before you as the chief 
information officer at the Department of Justice.
    This testimony provides an overview of the Department's use 
of FedRAMP, some possible areas of improvement, and some 
considerations for the Federal Government as we begin shaping 
the next iteration of FedRAMP.
    FedRAMP provides a standardized approach to security 
assessment, authorization, and continuous monitoring for cloud-
based products and services. The FedRAMP process allows the 
Department to efficiently implement cloud solutions in a 
secure, cost-effective manner.
    To date, the Department of Justice takes advantage of 18 
JAB-authorized Provisional-ATOs and 9 ATOs sponsored by other 
agencies. The Department has also sponsored nine ATOs which can 
be used by other agencies. Additionally, the Department 
incorporates FedRAMP requirements into our acquisition policy 
and contract language. Awarding contracts with this language 
holds vendors accountable for implementation of security 
controls.
    But like any government program, there are opportunities to 
improve. So one of the stated goals of FedRAMP is to promote 
the reuse of Provisional-ATOs and to reduce administrative and 
cost burdens for both cloud service providers and Federal 
agencies. But many cloud service providers, especially those 
unfamiliar with Federal cyber requirements, do not know which 
security controls to prioritize and implement. Also, the 
predominantly manual 3PAO assessment process results in less 
than standardized outputs and lengthened review times.
    The cloud has opened up many new methods for small 
companies to develop disruptive technologies at lower cost. 
Opportunities exist to support their understanding and 
implementation of security requirements in a more automated and 
cost-effective manner. In addition, agency-level ATOs can be 
difficult to share because of residual risks from tailored or 
risk-accepted controls that are inherently different between 
entities. Furthermore, the residual risks are not consistently 
documented.
    FedRAMP also fails to address all Federal security 
mandates.
    Finally, the Federal FedRAMP authorizations do not 
eliminate all agency assessment, authorization, and monitoring 
activities. Agencies must still assess controls not implemented 
by the cloud service provider, as well as provide for FISMA-
required continuous monitoring of those same cloud-based 
services for the entirety of their operational life cycle.
    As the Federal Government and its partners shape the next 
iteration of FedRAMP, I'm glad to offer a few observations for 
improvement. First, an automated security assessment 
methodology could be developed to allow third parties to assess 
cloud service providers in real time. This would produce a 
cyber risk--security risk score for Provisional-ATOs, reducing 
the cost and time investment of services--service providers.
    Second, replacing the manual 3PAO review with real-time 
assessment platforms based on technical measures, machine 
output only, and issuing Provisional-ATOs based upon risk 
scores will eliminate the long wait times for manual review by 
the FedRAMP PMO.
    Third, require the cloud service providers to use and 
conform to DHS' CDM standards for continuous monitoring to 
increase threat awareness, enable consistent cyber reporting.
    Fourth, require an independent Federal entity, for example, 
the Federal CIO Council, Federal Chief Information Security 
Officers Council, to review JAB Provisional-ATOs to ensure 
standards are consistent with Federal policy updates.
    Fifth, establish standardized acquisition clauses through 
the Federal Acquisition Regulatory Council to capture Federal 
Government policies and mandates.
    As you can see, FedRAMP is a critical part of implementing 
the Department's IT modernization efforts, and the Department 
looks forward to working with the subcommittee, the FedRAMP 
PMO, the Office of Management and Budget on the next iteration 
of FedRAMP.
    Thank you again for the opportunity to appear before you 
today. I welcome your questions. Thank you.
    Mr. Connolly. Thank you.
    Mr. Arrieta.

  STATEMENT OF JOSE ARRIETA, CHIEF INFORMATION OFFICER, U.S. 
            DEPARTMENT OF HEALTH AND HUMAN SERVICES

    Mr. Arrieta. Good morning, Chairman Connolly and Ranking 
Member Meadows and members of the committee. Thank you for 
providing me the opportunity to discuss the Department of 
Health and Human Services' FedRAMP program with you today. I 
appreciate the opportunity to speak with the subcommittee today 
to share our perspectives on a program that we believe is a 
strategic enabler for modernization.
    I joined HHS 18 months ago, and I was appointed as the 
permanent chief information officer about 50 days ago. And 
although I've had a brief tenure as CIO, I'm keenly aware of 
the value and importance of leveraging cloud technology to 
drive greater data sharing, greater data security, and greater 
financial savings.
    Why do we look at FedRAMP as a strategic enabler? HHS deals 
with the most critical information regarding one in three 
Americans. FedRAMP is the fulcrum for modernization efforts, 
and we've committed to it.
    In 2013, HHS was the first agency to sponsor a cloud 
service provider through the FedRAMP process. To date, HHS has 
authorized a total of 14 cloud service technologies and 
leverages over 60 FedRAMP-authorized cloud products across the 
enterprise.
    We support the standardization and reuse model. It has 
saved HHS, its customers, and industry countless hours.
    At HHS, FedRAMP's success is built on partnership between 
industry and government. At HHS, FedRAMP is more than a point 
in time authorization of a specific technology. We actually 
meet with our industry partners on a monthly basis and share 
security concerns. This allows us to have ongoing monitoring 
and maintenance of our FedRAMP-approved cloud service 
providers.
    I thought for a second I would talk to you about the legal 
framework that y'all have put in place that is actually driving 
change within Federal agencies and how it's impacting behavior 
specifically within HHS. To us, FedRAMP is a secure cloud. 
FITARA is empowering the CIO and giving him the visibility to 
actually drive change to that secure cloud environment, and the 
MGT Act is the incentives that actually drives those actions.
    An example of this behavior in HHS that we believe will be 
transformative for the acquisition function is called HHS 
Accelerate. We thought to ourselves at HHS, wouldn't it be 
amazing if we could give the cancer researcher that comes to 
HHS insight on all of the expenditures associated with cancer 
researchers that came before him so that he had the benefit of 
that information in real time available to him at his 
fingertips so that he could do a business plan or an 
acquisition plan to spend the money that he has to solve a 
large problem of cancer? We thought, wouldn't it be amazing at 
HHS if we could give contracting professionals the terms and 
conditions and prices paid associated with different products 
and services from the $24.2 billion we spend every year in the 
hundred thousand contracts?
    It's kind of like going to Target. If you walk in Target 
and you show them a price that you found on Amazon, the cashier 
will immediately give you the discount.
    Well, because of the legal framework that you've put in 
place, we've actually been able to build a program which we 
call HHS Accelerate that we think will facilitate those 
behaviors. We built that program from April 17 to December 10, 
and we're testing it now. And we would not believe--we do not 
believe it could have happened that quickly without this legal 
framework. So thank you for your visionary work.
    All of the work to actually develop HHS Accelerate was 
performed by small businesses. I've been committed to the small 
business community as an employee at the Treasury, as an 
employee at the Department of Homeland Security, and now as an 
employee at HHS. And I just got an invite to participate in the 
congressional meet and match procurement workshop conference in 
September and, if Ethics approves, I'm delighted to attend.
    As with anything, there are future opportunities, and I 
just want to highlight a couple. At HHS, our Secretary and 
Deputy Secretary have set a goal to make data available to 
private sector healthcare companies to improve health outcomes 
for the American people. We call it liberating data. FedRAMP is 
the mechanism that will ensure that we can securely share data 
with industry partners that specifically operate in the private 
sector healthcare marketplace to improve health outcomes for 
the American people.
    We have to educate those companies on what FedRAMP is. 
They've never done business with the U.S. Federal Government 
before, but in order to access our data, they need to be a 
FedRAMP-approved provider. That is extremely important to us, 
and that is an opportunity to directly impact the American 
citizens in this Nation. So we believe that education and 
engagement with the industry base is the single most important 
criteria for making FedRAMP successful.
    I'll close by saying this: At HHS, we believe technology 
modernization is iterative and evolutionary. As we build, we 
learn. As we learn, we mature. As we mature, we implement. And 
as we succeed, we scale. And we've taken that approach. As you 
guys have built the legal framework to drive change in this 
marketplace, I think you've taken the same approach, and we 
certainly appreciate that at HHS.
    Happy to answer any questions that you may have.
    Mr. Connolly. Thank you, Mr. Arrieta, for your refreshing 
testimony. And your comments about our legal framework and 
praising FITARA and our visionary leadership I think merit you 
a promotion and a big raise on a bipartisan basis. We agree.
    The chair now recognizes the distinguished Congresswoman 
from the District of Columbia, Ms. Norton.
    Ms. Norton. I thank you very much, Mr. Chairman. And could 
I congratulate you both as well. I love this spirit of self-
congratulation.
    Mr. Meadows. We're very good at it.
    Mr. Connolly. Yes, don't spoil it, Eleanor. Come on.
    Ms. Norton. I'm trying not to, but the whole point of this 
hearing is to see how we can improve FedRAMP.
    So I'm going to try to break the spirit just a little bit, 
because I am interested in the issue of reciprocity. It's a 
great big Federal Government.
    The whole point, I thought, of FedRAMP is to be able to 
deal across agency lines and that that would be a big incentive 
for agencies, and yet the reports to this committee is 
duplication of efforts continue in assessing cloud products. 
Many agencies have their unique processes and apparently are 
not lured by reciprocity.
    I've really got to--I don't know what--the chairman said 18 
percent use FedRAMP. Is that the figure, Mr. Cheriyan, 18 
percent of agencies?
    Mr. Cheriyan. Yes. We have about 156 agencies engaged in 
FedRAMP.
    Ms. Norton. So I'm trying to see what percentage of 
agencies that is now. You have any idea?
    Mr. Cheriyan. I could get you that number.
    Ms. Norton. I can't do the math because I don't know how 
many agencies there are, and that might include all kinds of 
small and large agencies.
    And I congratulate you on what you've done. And you 
listened to what needs to be done and you take action, and it 
appears to produce some response. So I'm trying to find out the 
reluctance of the chief information officers to use FedRAMP, 
even certified products, particularly granted by other 
agencies.
    I guess I should speak with you, Mr. Cheriyan, because you 
oversee the whole FedRAMP office. Is there more that could be 
done to get reciprocal trust so that you could--we could speed 
up the use of FedRAMP? And what--is it just doing things the 
way they've always done it? I'm trying to get to the root of 
the problem to find out what the solution is.
    Mr. Cheriyan.
    Mr. Cheriyan. Thank you for that question. And as you 
mentioned, reuse is very important to us. That's one of the 
core principles of FedRAMP, and that's why it was created in 
the first place. So it's a significant issue for us that we're 
working on.
    As I mentioned earlier, about 156 agencies are currently 
engaged in FedRAMP. It's close to a 40 percent increase over 
the last couple of years. And a lot of that has been due to the 
outreach efforts that have been going on by the FedRAMP teams, 
as well as the JAB teams, in terms of getting the word out, in 
terms of educating, in terms of training.
    We've held over 12--you know, we've trained over 12,500 
individuals in Federal Government, as well as industry, on the 
process. We have agency-specific training efforts that are 
underway. We have CISOs, or information security officers, also 
going through the training. So training is a big part of it in 
terms of really educating all of the agencies in terms of what 
FedRAMP is, deal with any misperceptions, et cetera.
    We're also actively participating in forums. I mentioned 
the ACT-IAC forum that is about to get started, which is the 
FedRAMP working group. That is a significant group that we 
believe we can have a lot of sharing, not only between 
agencies, but also cloud service providers. We really----
    Ms. Norton. Before my time runs out, it seems to me that 
the kind of outreach you're doing is appropriate, and that 
you're listening and responding. So here is my question. It 
seems to me with these agencies--and, again, I ask the chairman 
to find out what percentage. I don't know where I got the 18 
percent. It may have been from your opening remarks. I know the 
figure sticks in my head.
    But this is a question for everybody. It looks like there 
need to be incentives given for FedRAMP to encourage agencies 
to serve as sponsors for cloud providers, and I wish you'd 
think about that. The outreach seems to be good. The response 
seems to be good. So this is a question for the entire panel.
    If you had to say, now, what could disengage people from 
what they do already, what incentives could we offer that would 
make it so attractive that they'd want to, in fact, engage the 
FedRAMP program? What would each of you say?
    Mr. Connolly. The gentlelady's time has expired.
    But, Mr. Wilmer, you are authorized to respond.
    Mr. Wilmer. Yes, sir. Thank you.
    Ma'am, what I would offer in response to that, from a 
Department of Defense perspective, is that we are fully 
committed to reciprocity, and there's a massive incentive for 
us in having that reciprocal arrangement with FedRAMP. Going 
through those 325 controls with the moderate baseline as an 
example, which is something that the FedRAMP program takes on 
for us, is work that we no longer have to do in order to 
leverage those cloud services.
    I talked a little bit before about the increased security 
environment, increased threat environment that our DOD services 
face. And so we do require additional information, but that's 
all built on top of the good work that FedRAMP has done.
    So in terms of your specific question about incentives, I 
believe that there's already a major built-in incentive from 
the FedRAMP program in terms of doing that assessment once and 
allowing for reuse across the government.
    Mr. Connolly. I thank the gentlelady.
    Thank you, Mr. Wilmer.
    Although, just to followup, it's our information that 57 
percent of Federal agencies use FedRAMP. And if that's 
accurate, that still means 43 percent don't. So, yes, what you 
say may be true, but it hasn't seeped through to the entire 
Federal family.
    The distinguished ranking member is now recognized for his 
five minutes of questioning.
    Mr. Meadows. Mr. Chairman, in the interest of time and 
seeing that you've got a number of members on your side, here's 
what I would ask all three of--or all four of you to do.
    If you will let this committee know the three major 
obstacles for creating delays for implementation, how we can 
either help that administratively or help that legislatively. I 
think the time is critical, and if you will do that and get 
that to committee, I think that will be well-served.
    I just want to say thank you to all of you. If we can 
implement it at your levels, the rest of--all the other 
agencies. There are none that are more critical than the four 
that are represented at the table. And we'll be able to take it 
everywhere. And so, you know, they're learning by your both 
mistakes but also your frontier, pioneer kind of way of getting 
this done. So I just want to say thank you.
    And I'll yield back in the interest of time.
    Mr. Connolly. Very well said, Mr. Meadows. And would that 
all Federal agencies have the enthusiasm for change Mr. Arrieta 
expressed in his testimony. Thank you.
    The chair now recognizes the gentleman from California, Mr. 
Khanna.
    Mr. Khanna. Thank you, Mr. Chair. I will be brief as well.
    In the spirit of congratulations, I will note two unique 
parts of this hearing because of your leadership, Mr. Chairman, 
and Ranking Member Meadows.
    First, it's Congress displaying a proficiency in competency 
in technology. What a refreshing change. And, second, it is 
bipartisanship to that end. In the legislation that you and 
Representative Meadows have offered last Congress, and I expect 
that you would offer it this Congress, I think will be a 
tremendous contribution to continuing to improve FedRAMP.
    So my question--let me just ask two questions and then have 
the panel address it so we can get to the other members.
    One, what can we do to better allow small businesses access 
to participate in FedRAMP? And, two, are there areas based on--
I imagine you've read the Meadows--the Connolly Meadows, 
Meadows-Connolly bill. And are there things that you think are 
important this time to include in that bill?
    Mr. Cheriyan. So, yes, let me start. Thank you for that 
question. You know, regarding small business, just a high-level 
overview of where we are, we've got about 33 percent of the 
authorized products right now are from small businesses. And if 
you look at the pipeline, it's around 33 percent. So it's a 
growing percentage over the last couple of years. It's really 
increased.
    However, there's still more opportunity, I believe, to, 
one, educate small business. A lot of small businesses are 
unaware of the process itself, the security requirements that 
we have, and a lot of time is, frankly, wasted when the small 
business is really trying to figure that out. So, really, the 
education piece of creating that and that awareness in small 
business is something that we take very seriously.
    Mr. Connolly. Would my friend yield just for a second?
    Mr. Khanna. Sure.
    Mr. Connolly. That's true, Mr. Cheriyan, but that doesn't 
let us off the hook. No small business can afford to risk 
millions of dollars and the uncertainty of no guarantee of when 
they'll be certified.
    Mr. Cheriyan. Right.
    Mr. Connolly. And that's a huge problem for small and 
minority businesses, women, minority, veterans-owned businesses 
to enter the field. The big players can afford it. The smaller, 
medium-sized businesses, frankly, have to really look at it. 
And that's one of the things our legislation is designed to try 
to alleviate so that there's more possibility for entry.
    Without prejudice to the gentleman's time, thank you for 
yielding.
    Mr. Cheriyan. Yes. Clearly need to add that the speed at 
which we are authorizing these products for small businesses 
needs to improve. And we talked a lot about the automation 
approaches, the level of risk associated with it. And a lot of 
small businesses run on existing infrastructure that has 
already been authorized. So there's a significant amount of 
inherited risk that has been certified already. So there's lots 
of opportunities, I believe, to improve that.
    Mr. Wilmer. Sure. I would add only the--I think the most 
important thing that we can do is driving additional automation 
into the assessment process. So there's a lengthy set of 
controls that small businesses and all cloud providers have to 
be able to implement, and the more that we can enable in terms 
of automation of going through that set of controls should 
reduce the burden of actually going through the process and 
creating the artifacts that are then required for us to assess.
    Mr. Klimavicz. I would just say with respect to small 
businesses, when I've talked to small businesses, one of the 
things I hear up front is they need more information to help 
them make a better business decision, a cost benefit. Which 
controls do I implement? What's important in terms of future 
business? Do I go after low-, moderate-, or high-impact 
tradeoffs, the encryption? Everything, all those decisions, 
they've asked for more information up front so they can make an 
investment decision, and also how much is it going to cost to 
implement these controls and are they going to get that paid 
back down the road. So understanding tradeoffs, getting more 
information up front.
    And with the second part of your question, I agree with Mr. 
Wilmer here that I think the automation. As I mentioned in my 
testimony, everything needs to be real time, everything needs 
to be automated, and that will help the small businesses.
    Thank you.
    Mr. Arrieta. And I'll just say about the automation, as the 
automation is built, if it is built, there should be direct 
engagement with the small business community as to what you're 
building. That will actually help them plan to take advantage 
of the automation that you're building. That shouldn't be 
here's what we're thinking of building and then asking further 
feedback. There should be a dialog there that shapes what is 
built. And I think if you want to include the small business 
community, as a former small business executive at the 
Treasury, you have to engage them as you build the solution.
    And I agree with the other panelists' comments.
    Mr. Khanna. Thank you. Thank you, Mr. Chairman.
    Mr. Connolly. Thank you so much, Mr. Khanna.
    The chair now recognizes the very distinguished lady and 
accomplished Congresswoman from Michigan, our dear friend, Mrs. 
Lawrence.
    Mrs. Lawrence. Thank you, Chairman, for holding this, and 
to the ranking members here.
    Mr. Arrieta?
    Mr. Arrieta. Yes, ma'am.
    Mrs. Lawrence. I want you to know that, I want to be on the 
record, I agree. We in government, as we embrace technology, as 
we try to keep pace with this industry, we must sit down at the 
table and talk and work together. Because so often, our 
regulation and our pace that--for our approval lags so far 
behind innovation and advances in technology. So I really 
agree.
    I wanted to ask this question of you, sir. I would like to 
ask you how the implementation of cloud services has affected 
the Department of Health and Human Services. Specifically, how 
did the implementation enable the Department of HHS to 
accelerate its mission?
    Mr. Arrieta. Well, thank you for the question. I appreciate 
that. At HHS, we, as I said in the opening testimony, we award 
about a hundred thousand contracts $24.2 billion in spend flow 
through those contracts every year.
    What we were able to do in a very short time because we had 
FedRAMP-approved cloud service capabilities is we were actually 
able to move all of that contracting data to a commercial cloud 
environment, and then we were able to use an incremental 
approach to actually rebuilding our business process and 
partnership with small business to automate many of the 
functions of the acquisition life cycle.
    If we didn't have FedRAMP-approved products to actually 
build on, the process would have taken a lot longer. So the 
ability to actually separate data from business process 
actually gave us the flexibility to modernize our IT systems, 
while allowing our legacy IT systems to still function and 
serve the mission but also directly engaging over 3,000 members 
of the acquisition community over a nine-month period across 
HHS and allowing them to design the functionality that would 
drive the best outcome for them.
    We had a really strong and robust business plan around 
that. If you--you know, privately if you wanted to hear that, 
I'd be happy to come back and share that with you. But we had 
very specific ROI measures on the basis of process improvement, 
on the basis of savings at the point of purchase, and on the 
basis of infrastructure savings that we thought we were able to 
generate, and we were able to track those investments along the 
way because we were able to take this incremental approach, 
separate data from business process, and modernize.
    So I think FedRAMP is a key component to that. And like I 
said, the legal framework that this committee has put in place 
actually gave us the tools to make the argument that this was a 
good idea, and we thank you very much for that.
    Mrs. Lawrence. Thank you so much.
    Cybersecurity threats constantly evolve, and while the 
FedRAMP controls serve as a baseline, we must ensure that these 
assessments are flexible enough to incorporate changing 
security threats.
    So, Mr. Wilmer and Mr. Cheriyan, how does FedRAMP stand up 
to the speed with the evolving cybersecurity threats?
    Mr. Cheriyan. At the core of the FedRAMP process, we use a 
NIST standard for cybersecurity in terms of the level of risk, 
whether it's low, moderate, or high. And there's a fairly 
detailed set of controls that NIST has provided that form the 
basis of the risk assessment of FedRAMP.
    As you mentioned, cybersecurity is really fast-moving.
    Mrs. Lawrence. Yes.
    Mr. Cheriyan. It moves at a pretty fast pace, and that 
control and that standard is constantly updated. So we work 
with NIST to give them feedback, and they get the feedback from 
a lot of the different agencies, and that's how the whole 
standard has changed. And can it be done faster? Definitely we 
should be looking at that, but that's----
    Mrs. Lawrence. But does FedRAMP emphasize the most 
important security vulnerabilities that our government faces? 
Mr. Wilmer?
    Mr. Wilmer. So, ma'am, what I would offer is that a lot of 
the controls are really a framework for how you would deal with 
cybersecurity incidents. So you're exactly right, ma'am, that 
the threat evolves over time. Many of the controls that we 
require cloud service providers meet ensure that they are 
prepared to deal with the evolution of threats, as opposed to 
ensuring that they are protected against specific ones.
    And so that combination of making sure that you have basic 
security practices in place to protect yourself from the 
threats and then also ensure that you have the right processes 
and procedures in place to deal with threats or, you know, 
worst case, if they are actually negatively impacted by a cyber 
incident, is a critical piece of that.
    And then as Mr. Cheriyan mentioned, as NIST evolves the 
framework itself, the Joint Authorization Board will actually 
go through and determine if any additional controls need to be 
added or removed from the FedRAMP baseline.
    Mrs. Lawrence. Thank you.
    Just in closing, I want to be on the record that it's been 
amazing and just such an honor to share this time in history 
with an amazing leader like my colleague, Congressman Connolly.
    I yield back.
    Mr. Connolly. I wish we could give you a promotion and a 
raise. Thank you so much, Congresswoman Lawrence.
    I now recognize myself for questioning.
    Let me just say, my interest in FedRAMP was stoked by a 
friend and colleague, Steve O'Keefe, at MeriTalk. They had a 
conference up here a few years ago. And I don't know, there 
were 125, maybe 150 people in the room. And at one point--and 
there were all kinds of complaints about FedRAMP.
    And at one point, Mr. O'Keefe asked everyone to raise their 
hands on a simple question. How many of you think FedRAMP is 
working the way it was designed to work? The only hands that 
went up were Federal officials in the room, like nine of them.
    And then he said, well, how many think it's not working the 
way it was designed? And the other 120 or whatever hands went 
up.
    I'm looking at this, thinking, are we that disconnected 
from, in a sense, our client base, right? FedRAMP has clients, 
and the Federal Government ultimately is the client, but so are 
the service providers, right, whom we certify. And it just 
etched in my mind that we've got a problem, and we were 
reluctant to address it legislatively. We were hoping it would 
be addressed administratively. And there have been 
administrative improvements. And certainly, not least under 
your leadership, Mr. Cheriyan. But problems continue. And we're 
going to hear from a second panel, and we're going to hear some 
problems from the private sector in terms of what they 
experience.
    Let me begin, Mr. Cheriyan, with the budget. My 
understanding is FedRAMP gets roughly $10 million within your 
agency from the Federal Citizen Services Fund. Is that correct?
    Mr. Cheriyan. Yes, that's correct.
    Mr. Connolly. And 25 percent goes to the JAB, and 75 
percent goes to your office at GSA.
    Mr. Cheriyan. Let me just clarify a little bit of that. The 
$10 million is the amount spent by GSA. And DOD and DHS each 
spend an additional $2.5 million.
    Mr. Connolly. Okay.
    Mr. Cheriyan. So it's roughly $2.5 million for JAB and $7.5 
million----
    Mr. Connolly. All right. And we'll be certainly talking to 
all of you about this, but Mr. Meadows and I, in the draft 
bill, are looking at do we need additional resources. A lot of 
people in the private sector say yes. We're both pecunious 
gentlemen; but on the other hand, if FedRAMP isn't working the 
way we want it to work and it needs some adjustment in resource 
availability, we're certainly willing to look at that in the 
draft legislation.
    It's my understanding, Mr. Cheriyan, that we're doing about 
12 certifications, 12 approvals a year. Is that correct?
    Mr. Cheriyan. Yes. There are 12 JAB certifications per year 
and another 38 or so agency--30-plus agency authorizations. So 
perhaps maybe two or three years ago, the majority of the 
certifications were JAB. And, frankly, the whole approach has 
pivoted a little bit as agencies have got more engaged, and 
about 75 percent of the authorizations are now agency 
authorizations, and only 25 percent are JAB authorizations.
    Mr. Connolly. But what are--going back to Ms. Norton's 
question, I mean, I think from, certainly speaking for myself, 
and most commonsense perspectives maybe, if you get certified 
at window X, certainly if you get--let's start with JAB. If I'm 
certified at JAB, I view that as the gold standard, and that 
ought to be good for me to punch my dance ticket at all the 
other windows, except for compartmentalized, highly specialized 
needs. The idea that, no, that's fascinating, that's our 
referendum but you've got to start all over again is 
unacceptable and leads to absolutely needless expense.
    And, again, going back to the small minority--small and 
medium-sized businesses, minority and otherwise, it de facto 
discriminates against them. They cannot incur that kind of 
expense. And we have many, many Federal contractors who serve 
many different Federal agencies.
    And so if we're sort of diffusing the approval process, is 
that forcing businesses to get 24 stamps or 12 stamps, or can 
they get one with the presumption that's going to be pretty 
much good, with a few exceptions, at the other windows as well?
    Mr. Cheriyan. Yes, let me take a shot at it and then have 
some of my colleagues answer.
    So just a couple of things. The JAB authorization or an 
agency authorization, for the FedRAMP PMO standpoint, we view 
it as the same. It's following the same processes, the same 
standards, et cetera. The JAB is really using the DOD, DHS, and 
GSA security leaders to do the authorization. In addition, we 
provide continuous monitoring, et cetera.
    Mr. Connolly. I want to give you a chance to be very clear. 
You're not arguing JAB is just no different than any other 
Federal agency. JAB is a different--I mean, it--we created it 
as a multiagency entity for a reason.
    Mr. Cheriyan. No. I do believe that the JAB authorization 
enables a cloud service provider to go to more agencies. So----
    Mr. Connolly. That's right. I just wanted to clarify what 
you were not saying.
    Thank you.
    Mr. Cheriyan. The second point I'd make is that when an 
agency takes a P-ATO from JAB, they don't have to start from 
scratch. What they're doing is they're looking at whatever the 
number of the controls are, whether it's low, moderate, or 
high, and it's a hundred to 300 to 400, depending on the 
severity or the risk. They will then evaluate on their own risk 
profiles as to which areas they need to spend more effort in. 
And so it's not a start from scratch. It's purely a, what has 
the JAB provided? Do we accept it or do we now need to do more? 
And that's fundamentally the reuse process that----
    Mr. Connolly. Well, let me just say, yes, that's how it 
should work. But I'm aware of, for example, right now, one 
entity, a private sector entity that is using a software 
application that's been approved, that's certified; but because 
it's for a different application, same software, they have to 
go through the process, and they have no idea when it will be 
approved.
    Mr. Cheriyan. Okay. So we should----
    Mr. Connolly. And that's millions of dollars and multiple 
years for a medium-sized, maybe small-to medium-sized business, 
and that's maddening to people. Like, well, if Mr. Wilmer 
thought it was okay to use the software, the fact that I'm 
applying it to HHS, it's the same software, shouldn't the 
presumption be that, of course, I'm certified, just a different 
application?
    Mr. Cheriyan. We believe it should.
    Mr. Connolly. Okay.
    Mr. Cheriyan. And if there's misperception and----
    Mr. Connolly. All right. Expect a phone call.
    Mr. Cheriyan. We're happy to take the phone call.
    Mr. Connolly. No, I--thank you.
    Mr. Cheriyan. Yes.
    Mr. Connolly. There are going to be hiccups, but what I'm 
trying to establish is we agree on some principles here that, 
moving forward, especially once we have a bill, will, in fact, 
streamline the process and make it more, you know, user-
friendly for people who apply.
    Now, let me just ask one more question about the 12 JAB. 
And maybe, Mr. Wilmer, you want to get in on this. Does that 
create a backlog? I mean, if we're doing 12, how many are we 
not getting to every year?
    Mr. Wilmer. Sir, as you are well aware, there are tons of 
cloud service offerings, especially when you look at the 
software as a service space. And that's where, to your point, 
there is absolutely a backlog of those that would like to go 
through the JAB process. We do have a published prioritization 
process through which we determine which order we will actually 
work through cloud service providers, but that's where I'd also 
like to give the FedRAMP PMO a lot of credit for coming up with 
the agency authorization process.
    And, really, what this particular capability does is it 
allows a cloud service provider that has a customer that wants 
to use it. So any Federal agency can go through and perform an 
assessment on that cloud service offering. They can then 
package up all of the work that they did, provide it to the 
FedRAMP PMO. The FedRAMP PMO can review it, ensure that it 
meets the standards, and then put that out on the FedRAMP 
marketplace so that they can still benefit from the same 
reciprocity that is otherwise offered.
    Mr. Connolly. One of the concerns we have is entry into the 
market. And we've heard people say, through the grapevine, that 
certain officials of the Federal Government actually want to de 
facto limit the number, because it's easier to manage how many 
people are certified and qualified to provide cloud services. 
And I understand that but, on the other hand, it's a big 
Federal market, huge.
    Mr. Arrieta just talked about how many contracts and how 
much cumulatively they add up to, and we want to give Americans 
who are entrepreneurs an opportunity to compete in that market. 
And sometimes the smaller entities are more nimble and more 
innovative, depending on the need, and we don't want to find 
that there are artificial barriers to entry by virtue of a 
fixed number in our minds or in our willingness or ability to 
approve. So that's our concern about 12. It seems like a small 
number.
    Mr. Wilmer. Yes, sir. So the number 12, part of the impact 
of going through a JAB authorization is that we are also 
responsible for the continuous monitoring of the cloud services 
that we authorize. So as we approve more services, there are 
more that we have responsibility for ensuring that they 
continue to meet the standards through which we assess them.
    I agree completely with your point in terms of reciprocity, 
and also your comment about the number of services that we are 
able to process, but that's effectively part of the limiting 
reagent that we have in terms of the bandwidth we can support.
    Mr. Connolly. Two more questions, and then I'll be 
finished, and we will thank you so much, and I know we will be 
in touch again.
    One is to you, Mr. Wilmer. You serve on the JAB, 
representing the Pentagon.
    Mr. Wilmer. Yes, sir.
    Mr. Connolly. In the past, we've had stories told about a 
private-sector entity that went to the JAB, got approved, and 
then went to one of the windows at the Pentagon, only to be 
told, ``That's fascinating; you have to apply all over again,'' 
as if the JAB thing was advisory or fascinating but irrelevant.
    Can you assure us that this no longer occurs, if it did?
    Mr. Wilmer. Frankly, yes, sir. So I can't speak to the past 
incident, but what I can tell you is that we have contracting 
clauses, as an example, that require a DOD authorization. The 
process that we use for granting a DOD authorization builds on 
FedRAMP. So FedRAMP is core to our process for authorizing use 
of cloud services----
    Mr. Connolly. But you work at the Pentagon, and you know 
that stovepiping is built into the culture.
    Mr. Wilmer. Yes, sir.
    Mr. Connolly. So ``How fascinating that the Navy thinks 
you're certified, but here at the Army we have a very different 
point of view, and you'll start all over again and meet our 
criteria,'' that defeats the purpose of having a JAB and 
defeats the whole purpose of FedRAMP, frankly.
    Mr. Wilmer. Yes, sir. And what I will offer is, I've been 
in this job now for several months. Interestingly, most of the 
comments from the services mirror that of your constituents, of 
the companies, and the other cloud providers, in terms of 
wanting access to cloud capability faster.
    I've seen very little resistance to accepting FedRAMP or 
JAB authorizations and much more interest, in terms of the 
folks that have come to our office, in trying to figure out how 
can we get this process more streamlined, faster, so that they 
can get capability to the warfighter at greater pace.
    Mr. Connolly. Mr. Meadows.
    Mr. Meadows. Thank you, Mr. Chairman.
    Mr. Wilmer, I want to follow up on this, because, obviously, 
DOD is very good at checking the boxes and dotting i's, but 
sometimes what happens is--in your answer to the chairman, you 
said it's a core component. What we need to do is make sure it 
is the component. And there's a very different answer to that.
    And I guess, if you will monitor that and make sure that 
we're not running into the future problem where they say, 
``Well, thank you, you've done everything that Mr. Wilmer 
suggests that you do, but here's this stack of other 
applications that you've got to fill out that are laborious.''
    You get our point?
    Mr. Wilmer. Yes, sir. I understand completely. And one of 
the things I'd like to emphasize in responding to that is that, 
of the 140 or so authorizations that we've provided, 120 of 
those required zero additional DOD work.
    Mr. Meadows. Very good.
    Mr. Wilmer. So there are still--for, as you mentioned, sir, 
sensitive applications, capabilities like that, we do require 
some additional work to be done to address the increased threat 
posture for those applications. But the vast majority require 
no additional work.
    Mr. Meadows. Thank you.
    Mr. Connolly. Thank you so much. Thank you, Mr. Meadows.
    A final concern I've got, and I'm just going to throw it 
out there, but one of the things we've heard in the past as an 
excuse for why we have to sort of almost reinvent the wheel in 
application--we don't admit that, but that's what we're doing--
is, well, wait a minute, I've got a separate requirement in 
terms of FISMA compliance, and I'm not going to put my agency 
at jeopardy to be FedRAMP-certified and risk FISMA compliance.
    And maybe that's a legitimate concern, but sometimes we've 
been struck with the fact that maybe that's also an excuse to 
minimize risk and slow down this process.
    And I'd just like any of you to comment on: Where are we on 
that issue, and how serious do you think it is as an impediment 
moving forward?
    Mr. Klimavicz. I'll take a shot at it.
    In my five years in this job, I've not heard that as an 
impediment or anything like that. I mean, it's consistent with 
FISMA. And certainly within Department of Justice, we use all 
JAB ATOs. It's fantastic. I mean, the benefits are tremendous, 
in terms of speed and cost savings.
    Mr. Connolly. You're going to be the poster child for our 
bill. Thank you, Mr. Klimavicz.
    Mr. Arrieta, did you want to comment?
    Mr. Arrieta. Yes. In the 50 days I've been on the job, I 
have not run into that issue.
    And the FedRAMP folks from HHS that sit behind me, who do a 
fantastic job, are 100-percent focused on the use case and the 
need at HHS, and that is the first and most important question 
that we ask. We accept the JAB's authorization, and we look at 
the use case within HHS, and if there is a use case there, we 
accept it and move forward.
    So we'll go back and talk with the cyber team and see if 
that's an issue.
    Mr. Connolly. Yes. Well, just keep us posted if you think 
it does crop up. If there's something we can do legislatively 
to provide that relief or clarify, we're happy to do it. If 
it's, in fact, no longer a problem, great. But we're going to 
count on you to give us some feedback.
    And Mr. Cheriyan and Mr. Arrieta, being relatively new to 
your positions, I think bring a certain fresh perspective that 
we can all benefit from.
    I want to thank this panel so much for your thoughtful 
legislation. I do want to say that there is going to be 
legislation in your future. We are determined to make sure that 
we address this by statute and that we codify it so it has a 
statutory anchor, which it does not have now.
    We think FedRAMP is another one of the pieces of the IT 
legislation that we've championed over the years, always on a 
bipartisan basis. And we've been working with many of your 
agencies. We'd be glad to hear any concerns you've got.
    We've been working extensively, for months, with the private 
sector as well, and we're going to hear now from four of them.
    So thank you all for your willingness to share with us 
today. There may be additional questions submitted for the 
record through the chair. We'll get them to you as 
expeditiously as possible and ask you to get back to us with 
answers as expeditiously as possible.
    I thank you all. We look forward to working with you.
    The first panel is now dismissed, and I would ask the 
second panel, as quickly as possible, to take their seats. 
We're not going to take a break.
    Joining us for the second panel--while we're getting ready, 
I'll introduce them--are: Jonathan Berroya, who is the senior 
vice president and general counsel of the Internet Association; 
Douglas Barbin, who's the principal of Schellman & Company, 
LLC; Will Ackerly, who's the chief technology officer for 
Virtru; and Lynn Martin, who's the vice president of 
government, education, and healthcare at VMWare.
    I would ask all four of you if you would be willing to stand 
to be sworn in, and raise your right hand.
    Do you swear or affirm that the testimony that you're about 
to give is the truth, the whole truth, and nothing but the 
truth, so help you God?
    Thank you. You may be seated.
    Let the record show that our four witnesses answered that 
question in the affirmative.
    And, again, I'd ask you to limit your testimony to a five-
minute-or-less summation. And if you'll turn on that button 
that says ``Talk'' when you're ready and speak into the 
microphone, so we can all hear you and pick you up on the 
record.
    Mr. Barbin, why don't you go first.

 STATEMENT OF DOUGLAS BARBIN, PRINCIPAL, SCHELLMAN & COMPANY, 
                              LLC

    Mr. Barbin. Yes. Good afternoon, and thank you, Mr. 
Chairman and respective members of this subcommittee, for the 
opportunity to share my testimony today.
    My name is Doug Barbin. I'm a principal at Schellman & 
Company, where I'm responsible for leading the firm's FedRAMP 
practice, along with other cybersecurity assessment offerings.
    Schellman & Company, or Schellman, is a top 100 CPA firm in 
the United States and distinguished from other large firms as 
we are solely and exclusively focused on cybersecurity 
compliance and certification services. Our clients range from 
startup firms to many publicly traded companies.
    In 2012, Schellman became the first CPA firm to become a 
FedRAMP third-party assessment organization. Since that time, 
Schellman has grown to become the second-largest provider of 
FedRAMP assessments. And, in fact, FedRAMP has performed three 
times as many FedRAMP assessments as all other CPA firms on 
that list combined, including the Big Four.
    I offer you my insights today as someone who has conducted 
more than 4,000 security assessments spanning virtually every 
widely accepted technology compliance framework or program in 
the United States and many of those internationally.
    The views I express in this testimony are my own and 
should not be construed as reflecting any official position of 
Schellman.
    So as a brief few opening remarks, as you know, the FedRAMP 
program was designed with the ``audit once, leverage many'' 
principle, with the goal of reducing the redundancies of 
Federal agencies each conducting their own assessments of 
vendors. It is my belief that this program has largely achieved 
those goals.
    This leverage model is not new, and significant credit 
should be given to program leadership for their ability to 
launch and adapt the program in a timeframe that's 
significantly shorter than other similar compliance frameworks.
    To add in perspective, the credit card industry has been 
doing this formally for 15 years. With the previous five years, 
when the credit card industry or the payment card industry was 
doing this, Visa and Mastercard were doing it themselves.
    Based on my personal experience, I have just a few 
recommendations for the FedRAMP program as it moves forward.
    First and foremost, protect the role of the assessor. We 
are the independent finder of fact, and we facilitate the 
conversation between the cloud provider and the authorizing 
body.
    Some of the commercial compliance programs have blurred the 
lines between assessor, consultant, and decisionmaker. These 
roles are well-defined within the FedRAMP program and should 
continue to be strictly enforced. Independence between the 
parties should always be maintained in both fact and 
appearance.
    Second, remember that the ``R'' in ``FedRAMP'' stands for 
``Risk.'' Some commercial compliance frameworks adopt a 
checklist approach to all-or-nothing compliance. Under these 
frameworks, achieving security is often secondary to achieving 
compliance with the letter of the written standard. This 
concern is even more critical due to the rapidly changing 
nature of the cloud technologies.
    And I will say, as an aside, not in the written prepared 
testimony, I was very enthusiastic about the mention of a 
threat-based model, risk-based model for this program moving 
forward.
    And then last but not least, community engagement. New 
guidance for requirements should be put out for feedback with 
reasonable timeframes for implementation. A more streamlined 
process for cloud providers to implement new products and 
services was mentioned as well.
    And, in addition, from the last panel, I couldn't be more 
excited about the opportunity for automation. There are 300, 
400, sometimes more controls that we have to manually comb 
through. There are vulnerability scans. Lots and lots of 
technical data. And the deliverables we're required to produce 
now are in Microsoft Word and Excel. So the opportunity for 
automation and to comb through that data is significant.
    So I hope this feedback, along with the engaging dialog 
today, will assist the subcommittee in further moving the 
FedRAMP program forward in a positive manner. I thank you once 
again for the opportunity to share my views.
    Mr. Connolly. Thank you, Mr. Barbin.
    Mr. Berroya?

   STATEMENT OF JONATHAN BERROYA, SENIOR VICE PRESIDENT AND 
             GENERAL COUNSEL, INTERNET ASSOCIATION

    Mr. Berroya. Chairman Connolly, Ranking Member Meadows, and 
distinguished members of the committee, thank you for the 
opportunity to appear before you today to discuss the Federal 
Risk and Authorization Management Program.
    My name is Jonathan Berroya, and I am the senior vice 
president and general counsel at Internet Association. Internet 
Association, or IA, represents over 40 of the world's leading 
internet companies. Our companies are global leaders in the 
drive to offer lower-cost, more secure, scalable, and 
innovative cloud services to customers in both the private and 
public sectors.
    Cloud computing enables on-demand access to shared 
computing resources, providing critical services more quickly 
and at a lower cost than having agencies manage such services 
themselves, allowing those agencies to focus more of their 
resources on their missions and less on maintaining 
infrastructure.
    To begin with, I would like to thank Chairman Connolly, 
Ranking Member Meadows, the subcommittee leadership, and your 
staff members for your continued commitment to government IT 
modernization. Ensuring that FedRAMP continues to meet the 
needs of all entities involved in the government's procurement 
of cloud services is an important priority.
    IA cloud vendors are committed to the highest levels of 
information security and, collectively, invest hundreds of 
millions of dollars in compliance and certifications across 
both U.S.-based and international assessment frameworks.
    Furthermore, our member companies have been engaged in 
working with the public sector for much of the past decade, 
many well before the creation of the FedRAMP Program Management 
Office or even the Cloud First Policy.
    IA members support FedRAMP and efforts to facilitate the 
program's continued evolution. To that end, I would like to 
highlight four priorities that we believe will help ensure that 
FedRAMP continues to deliver value to all stakeholders, leading 
to greater adoption of commercial cloud services 
governmentwide.
    First, we would like to see more reuse of authority-to-
operate packages once a vendor has received FedRAMP Joint 
Authorization Board approval.
    A core goal of FedRAMP's authorization process is to make 
the assessment of cloud offerings more efficient for vendors 
and agencies. The slogan ``Do once, reuse many times,'' 
featured on the FedRAMP website, is a reference to the idea 
that once a service offering has been authorized for use, 
multiple agencies should be able to rely on that authorization 
to deploy that same service offering in their organizations.
    In practice, however, there is a lack of reciprocity across 
Federal agencies that is due, at least in part, to the fact 
that each agency CIO must issue individual authorizations, 
which creates inefficiencies that undermine the central goal of 
the FedRAMP program.
    Second, we'd like to ask that Congress establish the 
program in a way that will allow it to evolve over time. IA and 
its members support a FedRAMP process that is flexible and 
keeps pace with innovation without imposing unnecessary 
bureaucratic requirements.
    For example, it would be helpful to ensure that GSA and the 
FedRAMP Program Management Office have sufficient flexibility 
to fully automate the process of auditing the controls and 
missed baselines in the future, as this may result in a 
compliance workflow that requires fewer intermediaries, less 
paperwork, and faster processing.
    Third, we ask that industry have a seat at the table to 
provide feedback on a regular basis regarding the FedRAMP 
program.
    IA members have noticed and appreciated GSA's demonstrated 
commitment to soliciting and acting on feedback offered thus 
far, including its creation of both the FedRAMP Ready 
designation and the low-impact SaaS baseline as a direct result 
of feedback from cloud service providers and agency cloud 
customers.
    We feel that the creation of a formal industry advisory 
board or similar body would help foster ongoing FedRAMP 
engagement with industry, ensuring that this successful public-
private partnership continues and that future policies are not 
created in a vacuum.
    Fourth, we believe that this program needs more resources 
in order to assess and accredit the coming wave of cloud 
products. According to the GAO, the Federal Government invests 
approximately $90 billion in IT each year, with about 75 
percent spent on operating and maintaining existing systems. 
Many of these systems will be modernized using cloud services, 
which means that dedicating adequate resources to fund the 
FedRAMP program will become even more essential to the cloud 
business ecosystem than ever before.
    In conclusion, I would like to reiterate Internet 
Association's gratitude for being included in any legislative 
discussions regarding FedRAMP and for the opportunity to appear 
before you today.
    We know that FedRAMP plays a critical role in the ongoing 
adoption of innovative cloud services across the public 
sector, and Internet Association and its members stand ready to 
help the subcommittee succeed in its efforts to strengthen this 
important program.
    Thank you, and I look forward to your questions.
    Mr. Connolly. Well done. Five seconds to go.
    Mr. Ackerly?

  STATEMENT OF WILL ACKERLY, CHIEF TECHNOLOGY OFFICER, VIRTRU

    Mr. Ackerly. Thank you very much, Chairman Connolly, 
Ranking Member Meadows, and distinguished members of the 
committee. Thank you for the opportunity to speak with you 
today about FedRAMP and our experience with the program as a 
tech startup.
    My name is Will Ackerly. I'm the co-founder and CTO of 
Virtru, a small, D.C.-based software company that helps 
organizations and individuals protect their data wherever it 
travels.
    Virtru successfully completed the FedRAMP process earlier 
this year. Security is core to our mission, so achieving 
FedRAMP approval was an important milestone for us. Based on 
our experience, I believe that the FedRAMP program makes an 
important contribution not only to the security of our 
government but also benefits all other customers as well.
    While deeply valuable, the process is long, time-consuming, 
and expensive. It is a process that can and should be improved. 
For large corporations, the effort required may not be a major 
obstacle, but for startups and companies like Virtru, the 
current process is daunting. Many startups may not be able to 
afford to secure FedRAMP authorization as it exists today.
    Because the Federal Government can benefit from many of the 
innovations that young companies can provide, it is worth the 
effort to make FedRAMP authorization processes more accessible 
to smaller businesses.
    In our case, the FCC wanted to use Virtru's data 
protection, and they were willing to sponsor us through an 
agency FedRAMP authorization. We officially entered the process 
in June 2017. We did not receive our final authorization until 
this past March, 20 months later. For startups like us, this is 
a very long timeline. More importantly, perhaps, it was unclear 
to us how long this was likely to take.
    A related challenge was also the cost. Cost is a major 
consideration for startups, and at roughly $1.6 million in 
total costs, it was a significant percentage of our annual revenue 
that had to be balanced against other priorities like hiring 
and further product development. As a privacy and security 
company, we were able to justify this decision, but when 
combined with unknown timelines, it can be a high-risk decision 
for most small companies.
    Our challenge did not end with the authorization. The 
FedRAMP process also requires significant resources to maintain 
the authorization. This was not well-understood by us upfront. 
Many organizations may think that FedRAMP is a one-time effort, 
but, in our experience, the continuous monitoring requirements 
do entail a significant ongoing effort and cost.
    We also found that the level of support and expertise 
available to help successfully complete the FedRAMP process 
varied significantly between different government agencies. 
This required us to adjust our engagement strategies for each 
specific agency.
    In short, there were a few instances where the difficulties 
we encountered could be addressed by changes to the FedRAMP 
process.
    Mr. Chairman, based on our recent experience with the 
FedRAMP process, I ask that the committee consider a number of 
specific recommendations, which I have described in my written 
testimony. I would like to provide you two quick examples.
    First, streamline the process and costs by further 
empowering the PMO; to assist the PMO, the formal creation of 
FedRAMP leads at each agency as a force multiplier. This could 
help educate and shepherd companies and their agencies through 
the authorization and continuous monitoring process. This could 
improve the experience and the effectiveness and the cost for 
companies and agency personnel navigating this process.
    Second, continue to empower agency sponsorship into the 
FedRAMP as an alternative to the JAB. Agencies best understand 
their own missions and are in the best position to identify and 
vet applicable solutions. While the JAB plays an important 
role, it would've been harder to justify the expense without 
interest from a sponsoring agency giving us a roadmap to 
potential return on investment.
    I appreciate the opportunity to address the committee 
today. I will gladly answer any questions you have. And I'm 
happy to make anyone at Virtru available for followup.
    Mr. Connolly. Thank you very much, Mr. Ackerly, and thank 
you for sharing your experience.
    Ms. Martin?

    STATEMENT OF LYNN MARTIN, VICE PRESIDENT OF GOVERNMENT, 
               EDUCATION, AND HEALTHCARE, VMWARE

    Ms. Martin. Chairman Connolly, Ranking Member Meadows, and 
members of the subcommittee, thank you so much for the 
opportunity to speak to you this afternoon.
    My name is Lynn Martin, and I am the vice president of our 
government, education, and healthcare verticals in the Americas 
at VMWare. I appreciate the opportunity to share our 
perspective on this important legislation and to relate our 
experience in taking our solutions through the FedRAMP process, 
as well as discuss some recommendations.
    My experience dates back to the formation of the FedRAMP 
office back when I worked at HP. Since joining VMWare, I have 
also taken two products through the process, and I'm in the 
process of our third service through the FedRAMP. In addition, 
I'm working with our teams around other opportunities to funnel 
through there in joint partnership with both the JAB and the 
FedRAMP PMO.
    Based on my experiences, I can personally say the FedRAMP 
process has taken great strides to achieve higher capacity and 
a more streamlined process since 2011. I would like to commend 
their efforts in making improvements.
    Our collaboration and partnership with GSA has improved 
through each of the different authorizations I've been involved 
in. For example, in the last one over the past 18 months, the 
PMO has gone to great lengths to ensure that we understand and 
have more transparency than previously. There also has been 
engagement at our corporate site to ensure that we understand 
the process.
    I commend Chairman Connolly on his efforts to support GSA 
on its ongoing efforts to improve FedRAMP.
    VMWare believes that one of the most elements of the bill 
is that it formally provides a funding mechanism for the GSA 
FedRAMP Program Office. Dedicated funding will be a starting 
point to ensure that more FedRAMP authority-to-operate packages 
are completed in a faster manner.
    The bill introduces much-needed clarity around the roles 
and responsibilities for each organization that has a hand in 
executing vendors through the process. Speaking from VMWare's 
firsthand experience in our recent interactions, we had to 
determine on our own which organization had ownership of what 
and interact with the office through organic understanding.
    The clarity introduced in the bill would allow all vendors, 
not just VMWare, to build a repeatable plan, assessing our 
business case and returns, targeting the proper stakeholders on 
how best to navigate with the PMO. I believe this one step 
would cut down the time that vendors go through because of the 
learning process on our end.
    As we heard earlier, GSA has put some prioritization around 
the authorization. I think through the discussion earlier, one 
of the areas that I think there is an opportunity for 
improvement would be around looking at the agency ATOs, 
assessing the commonality of the security protocols, finding 
which ones are more commonly being used, and assessing whether 
there's a way to start with a baseline against those 
authorizations, and then resolve across the different agencies 
the percentage that maybe are outliers. So basically, if you 
look at the large number of protocols required for a JAB, 
there's a subset in the agency ATOs.
    VMWare also agrees with the adoption for consistent metrics 
surrounding cost, quality, and time. The ability to drive 
measurements of the PMO will allow for not just accountability 
through the OMB but also transparency into the capacity of the 
PMO's ability to ATO public cloud services for the government 
to embrace quicker.
    The final area that we would like to call attention to is 
the creation of Federal Secure Cloud Advisory Committee. We 
believe that the industry collaboration and coordination with 
the FedRAMP office is a key component of success. This will 
allow industry to interject best practices and allow GSA to 
stay ahead of the coming technology trends.
    FedRAMP has become synonymous with Federal cloud security. 
However, in order for supply to keep up with demand, the 
Federal PMO must be given adequate resources so that the 
government can move further and faster in its modernization 
efforts.
    VMWare is proud to partner with the government on its 
journey, and we look forward to further collaboration as the 
Federal Government refines and improves the FedRAMP process and 
we continue to bring to market innovative solutions.
    Thank you for the opportunity to testify this afternoon, 
and I'm happy to answer any questions the subcommittee may 
have.
    Mr. Connolly. Thank you so much. And your praise of our 
draft bill, you also should be promoted and given a big, fat 
raise.
    The chair recognizes the distinguished ranking member.
    Mr. Meadows. Thank you, Mr. Chairman.
    Thank all of you for your testimony. Obviously, it's a 
second panel on really establishing the foundation for 
legislation to move forward. The chairman, in his leadership, 
takes not just your testimony here but your written testimony, 
as well as some of the input, to make sure that the bill that 
we work on is perfected.
    And under new House majority rules, these hearings are a 
prerequisite for moving any legislation. So you're playing a 
valuable part of making sure that not only your expertise gets 
folded into the bill that Chairman Connolly and I are working 
on but, more importantly, that your concerns get addressed.
    You know, Ms. Martin, when you were talking about your 
testimony, the chairman is leaning over and he says, well, 
that's why we put this in and that's why we put that in. And so 
I want to let you know that you're being heard.
    Mr. Ackerly, you talked about some of the obstacles for a 
small business--the uncertain nature of getting the approval 
and how long and then how do you keep the certification up. How 
can we improve that?
    I mean, because now you've gone through it, but unless 
somebody sees this hearing and they happen to call you and say, 
``By the way, I'm a small business; how long will it take 
me?'', it's problematic. So how do we address those 
expectations and maybe draw down on how long it takes?
    Mr. Ackerly. Yes. Thank you for the question.
    One of the biggest benefits we had were a few internal 
advocates within agencies that understood the value of our 
product, who were willing to engage with us and educate us----
    Mr. Meadows. So had you not had that, you may still be 
waiting.
    Mr. Ackerly. Yes, we may not have been able to make the 
business decision to move forward.
    Mr. Meadows. So you had to find somebody within the agency 
to basically say they see the merits of your product and 
they're willing to be an advocate for you.
    Mr. Ackerly. That's right. And I think, like, Department of 
the Interior was engaging with us early on, and we were 
immature in our understanding of FedRAMP at that point. They 
had been through some sponsorships, and they were willing to 
make that investment. They saw the broader value, which was 
fantastic. And same with FCC.
    But I think, you know, being able to grow on that per-
agency representation and have those folks educated and having 
consistency across agencies I think would be really valuable.
    Mr. Meadows. So Mr. Berroya, you represent, for a large 
part, those that would dwarf the size of Mr. Ackerly's company. 
Is that correct?
    Mr. Berroya. Ranking Member, we have large and small 
members, but some would, yes.
    Mr. Meadows. And so here is the concern I have. And it's 
proper that the two of you sit next to each other, in that you 
have behemoths that are--you know, they can work through it. 
And Mr. Barbin talked about, you know, being able to process 
and look at security things for thousands of stakeholders.
    To put it in a different term, it's kind of like working 
through the FDA for a drug approval. Big Pharma, they 
understand how to do that. A small, little, startup generic 
company has a tougher spot with that. And it really is a 
chilling effect on new innovation.
    So how do we work to make sure that some of your clients 
that are big and understand the process and some of the new 
folks that may come on the front, like Mr. Ackerly--how do we 
make sure that both of them understand what is required and how 
to navigate the bureaucracy?
    Mr. Berroya. Is that a question to me?
    Mr. Meadows. Yes. It's a hard one, so I'm going to let you 
take it.
    Mr. Berroya. I appreciate that. I'll do my best to give you 
a helpful answer.
    So for our small members--and, obviously, every company is 
going to be in a different position, and their experience is 
going to be somewhat different.
    I've been advised that, for many of our small members, 
there's an argument that there's a market advantage. If you can 
make it through the process once, you're in, and you have that 
badge of having been certified, having been authorized, and 
that's something that you can use as a competitive advantage in 
other contexts when you're trying to woo additional customers.
    But to get more directly to the question that you asked, I 
think the creation of a formal industry body to provide regular 
feedback about the FedRAMP process and how things are working 
that includes a mix of different types of companies, which is 
something that was alluded to on the first panel as well, would 
be something that would go a long way to ensuring that 
throughout the process the voices of both large and small 
companies are taken into consideration.
    Mr. Meadows. All right. Well, thank you.
    And I'll close with this, with your indulgence, Mr. 
Chairman.
    Here is what I would like to see. In that body that 
actually is really the difference--one of the differences in 
the bill that we worked on last Congress is that stakeholder 
involvement and that advisory panel. Would it be helpful if--at 
the IRS, we have what we call a taxpayer advocate, or an 
advocacy. So if they run into a problem with the IRS, they have 
a group that they can go to and say, okay, here's where you go 
to, here's where you go to. Would something like that on 
FedRAMP be helpful to the process?
    Ms. Martin?
    Ms. Martin. Absolutely. I mean, like I said, even going 
through it four times, it changes. And they've made 
improvements, and we still took a long time. We started last 
July. We're not through yet.
    Mr. Meadows. Yes.
    Mr. Ackerly?
    Mr. Ackerly. Yes, I would support that. I think that would 
be fantastic.
    I think, you know, per previous mention as well, you know, 
metrics for transparency and understanding, that is valuable as 
well.
    Mr. Meadows. Mr. Berroya, does that help with some of what 
you were addressing?
    Mr. Berroya. I would have to get back to you because I 
represent a lot of members and I would want to make sure I had 
a clear feedback from all of them, but my----
    Mr. Meadows. You want to make sure we don't mess up.
    Mr. Berroya. Exactly.
    Mr. Meadows. Yes.
    Mr. Berroya [continuing]. my instinct on this one is it is 
likely helpful, yes.
    Mr. Meadows. All right. Speaking for yourself, your 
instinct is right.
    Mr. Barbin?
    Mr. Barbin. Yes. In short, yes. I mean, in many cases, 
especially some of the smaller companies that we've worked 
with, their biggest challenge has been the right person within 
an agency, what that agency needs to do to provide an 
authorization, and on an ongoing basis the continuous 
monitoring as well. So I think that advocacy group would be 
great.
    Mr. Meadows. I think the chair's indulgence.
    Mr. Connolly. Absolutely. Thank you. Very helpful 
questioning.
    So we're hearing--I mean, let us remember, FedRAMP 
originally, back in 2010, 2011, was intended to be an 
expeditious way of allowing entry into cloud services for the 
Federal Government, and it was supposed to cost maybe about a 
quarter of a million dollars and take about six months.
    Now, Mr. Ackerly, you represent a startup--you're not even 
a small or medium-size; you're a startup--with apparently some 
expertise recognized or some capability recognized that was 
desirable, and it took you 20 months. And, by the way, at the 
beginning, no one could tell you, ``Here is the timeline.''
    So you're betting that there will be light at the end of 
the day, or the tunnel, but it took 20 months and $1.6 million 
to be certified. Is that correct?
    Mr. Ackerly. Yes, that's right, sir.
    Mr. Connolly. And the other thing you did not anticipate 
was a recurring cost to maintain that certification. Is that 
correct?
    Mr. Ackerly. That's right.
    Mr. Connolly. Do you want to put a dollar figure on what 
that might cost annually in your budget?
    Mr. Ackerly. I'd have to double-check, but I think it might 
be $150,000 to $200,000 in annual costs.
    Mr. Connolly. All right.
    And let me just explore that with all of you for a minute. 
But, I mean, at one point, you can see why the government wants 
maintenance, right? Maybe you're a startup particularly, you 
know, and it goes to hell in a handbasket. Or maybe your 
startup gets purchased or acquired, or maybe you expand by 
acquiring others, and all of a sudden the company we contracted 
with is different. Maybe it has foreign ownership. I mean, 
there may be lots of concerns that lead us to want to monitor 
the vendors to the Federal Government. That's not unreasonable. 
But, on the other hand, what does it entail, from your point of 
view?
    I didn't see you, Mr. Grothman. We'll come to you right 
away.
    Mr. Ackerly. Yes, it comes from a few different sources. I 
will say that I think, as you say, there are aspects of this 
which are hugely valuable and important. I think through 
automation and also transparency--I think the metrics reporting 
and being able to track over time to understand what those are 
and what they entail will really help rationalize a business 
decision.
    Mr. Connolly. One of your recommendations to us was a power 
agency authorization instead of the JAB.
    Mr. Ackerly. Correct.
    Mr. Connolly. Let me just say, I understand why you might 
say that, but we kind of also look at it from the other point 
of view, that too many companies have been subjected to dual 
certification. So ``Yes, you're certified with JAB, but sorry, 
our window is different, and you're going to have to start the 
process all over again.'' Imagine doubling your costs.
    And remember that many companies have multiple Federal 
agencies, right? So they may move from national security to IRS 
or Social Security on the domestic side. And going to multiple 
windows to be multiply certified could be very expensive and 
time-consuming and unpredictable--everything you experienced, 
only multiplied by a dozen.
    So while we understand a power agency to do it without 
having to have JAB certification, on the other hand, we don't 
want unwittingly to create difficult circumstances for 
companies from getting certified.
    Mr. Ackerly. From my standpoint, I think some of the most 
valuable things I think worth preserving and amplifying are the 
agency advocacies, the people who are at the agencies that 
understand the value, and making sure that they're in a 
position at least to nominate or try to fast-track through some 
sort of standardized process.
    So if there's risk that there's going to be a dual track, 
you know, finding an opportunity for there to be agency 
advocacy and shepherding and common level of understanding 
across the agencies and representatives at each.
    Mr. Connolly. Just remember that what you're advocating for 
in some ways is already occurring, right?
    Mr. Ackerly. Correct. And so----
    Mr. Connolly. So if the JAB processes 12 a year, the other 
agencies are processing, I think he said 130, 80, or something 
like that, a large number.
    Mr. Ackerly. Yes. And what I'm recommending is formalizing 
that.
    Mr. Connolly. Uh-huh.
    I've got two more questions, and then I'm going to call on 
Mr. Grothman, who has joined us, from Wisconsin.
    Ms. Martin, I brought up an example in the earlier panel 
about a software approval for a same software, different 
application, but the process required a parallel or different 
or separate certification. Does that ring a bell with you at 
all?
    Ms. Martin. Yes.
    Mr. Connolly. Do you want to just expand real quickly?
    Ms. Martin. So when you take a software platform to a 
different company, like, a partnership with one company--so 
VMware's strategy is we provide a hybrid cloud architecture, 
work with IBM, Microsoft, Amazon, more to come--that software 
layer is the same software layer with each of those different 
cloud services. Each one takes a parallel path on its own.
    So part of the FedRAMP process--and I think it gets into 
the agency and the JAB's as well--is any new services have to 
go through the process again.
    Mr. Connolly. Even though it's the same software.
    Ms. Martin. It could be the same but a little bit 
different----
    Mr. Connolly. Applied differently, yes.
    Ms. Martin [continuing]. and you start over. They don't 
take the baseline assessment and say, ``Okay, since you added 
this.'' It should, in theory, speed it up, in theory, once you 
get one.
    Mr. Connolly. But that was not your experience.
    Ms. Martin. It is not our experience.
    Mr. Connolly. Okay. And you heard that Mr. Cheriyan said he 
would be looking at that----
    Ms. Martin. Right.
    Mr. Connolly [continuing]. at GSA.
    Mr. Connolly. Okay.
    Final question. Mr. Berroya, I think you've heard both Mr. 
Meadows and I assent to the wisdom of industry input in some 
fashion so that industry's voice is heard in providing guidance 
of the process. But you talked about lack of reciprocity. And 
maybe you were here when Ms. Norton actually asked about the 
problem of reciprocity.
    And I want to give you the final word and--and, Mr. Barbin, 
if you want to as well--comment on, what do you mean? What is 
the problem still, from your point of view, in terms of lack of 
reciprocity?
    Mr. Berroya. Thank you for the question, Mr. Chairman, and 
for the opportunity to be the last word. I'll try to keep it 
short, given the time.
    Essentially, the perspective of our members is that, while 
CIOs play a very important role and they need to be able to 
make the risk assessments that they need to make, the ideal 
would be for FedRAMP to establish a ceiling rather than a floor 
for authorization, such that, if an agency, for example, wanted 
to engage in a pilot program and operate in a way that goes 
below what the standard authorization would require for that 
limited period of time so they can assess a new service 
offering, that they would be able to do so. But for, perhaps, a 
fully fledged new service offering that they're going to 
implement on a longer-term basis, that if FedRAMP established a 
ceiling, that might be a helpful way to inject a little bit 
more efficiency into the process and encourage more reuse.
    Mr. Connolly. I invite you to work with our staff and take 
a look at the draft legislation to make sure that we are 
adequately addressing that issue.
    Mr. Berroya. We gratefully appreciate that. We will.
    Mr. Connolly. Thank you.
    The chair recognizes the gentleman from Wisconsin, Mr. 
Grothman.
    Mr. Grothman. Sure.
    This is for any one of the four of you.
    FedRAMP's current reporting and documentation structures 
are often redundant and excessively time-consuming. Has this 
inefficiency adversely impacted your industry's ability to work 
with the program?
    Any one of you.
    Mr. Barbin. I'll take that, sir, as the 3PAO auditor.
    I would agree. In my opening statement, I commented on 
deliverables being Excel spreadsheets and Word documents, a lot 
of manual analysis of a significant amount of data. I believe 
there's a significant opportunity there. Automation was brought 
up, you know, in the previous panel as well. So I would agree 
with you and concur that that is definitely the case.
    Mr. Grothman. Okay.
    Is there sufficient communication between the FedRAMP 
office and agencies to you regarding the authorization process?
    Mr. Barbin. There is certainly--so I'd say there's 
sufficient dialog and communication between ourselves, the 
independent assessors, and the PMO. Certainly there's open 
and--very open and ongoing dialog with respect to that manner. 
We've been, you know, privileged to provide additional guidance 
over the years and help make improvements in certain key areas.
    You know, with the agencies, that's typically been more on 
the PMO side; it's been less us, as an assessor. Our primary 
interfaces are going to be the PMO and the cloud providers that 
we perform the audits for.
    Mr. Grothman. Okay.
    Any of the others?
    Do you have a comment?
    Ms. Martin. I have one.
    So when we've been going through a recent agency 
authorization, our dialog's been more with the PMO and the 
agency directly, U.S. Marshals. But in the case of the 3PAO, 
they haven't been involved in those. But we have had better 
collaboration and communication around the process than 
previous experiences there.
    I do think the transparency and the documentation and the 
automation recommendations would improve things significantly 
as well.
    Mr. Grothman. Okay.
    Mr. Ackerly. Yes, I would say our communication with the 
3PAO and the PMO office have been fantastic, and when it comes 
to agency, it's been a little less consistent. Sometimes it's 
been great, and sometimes we've been learning together. And so 
I think there might be areas for improvement there.
    Mr. Grothman. If the FedRAMP program were codified, do you 
feel that would provide more security to you guys as investors?
    Mr. Ackerly. I think there are aspects of the bill that 
would absolutely create much more certainty and would make the 
business decision a lot easier.
    Mr. Grothman. Okay.
    I'll yield the remainder of my time.
    Mr. Connolly. I thank the gentleman.
    And I would just add a final word to his question, which 
was a good one. I happen to believe, and I think Mr. Meadows 
does as well--I don't want to speak for him, but--right now, 
the problem is FedRAMP is potentially an orphan. It was created 
administratively. It can be, you know, eviscerated tomorrow 
morning.
    And so codifying it gives you some predictability, gives 
Federal employees who work on the program, you know, an anchor 
to guide them, and allows us to have regular guidance as we do 
through FITARA.
    And so lacking a statutory framework sometimes can be a 
boon, but it sometimes also, frankly, can have unintended 
negative consequences. And I think we can restore some 
predictability and oversight just by codification. The bill, of 
course, does more than that. And so that's certainly our goal.
    I want to thank all of you for sharing your stories today. 
Very helpful. As the ranking member indicated, this is creating 
the record that will allow us to go back to our colleagues and 
talk about potential draft legislation.
    Thank you so much for sharing your story.
    All members, without objection, will have five legislative 
days to submit additional written questions, if any, for the 
witnesses, and I would ask that you would get back to us with 
your answers as quickly as you possibly can.
    Mr. Connolly. Thank you.
    The hearing is adjourned.
    [Whereupon, at 12:57 p.m., the subcommittee was adjourned.]