[Congressional Record Volume 166, Number 24 (Wednesday, February 5, 2020)]
[House]
[Pages H815-H819]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]
FEDERAL RISK AND AUTHORIZATION MANAGEMENT PROGRAM AUTHORIZATION ACT OF 2019

  Mrs. CAROLYN B. MALONEY of New York. Mr. Speaker, I move to suspend 
the rules and pass the bill (H.R. 3941) to enhance the innovation, 
security, and availability of cloud computing services used in the 
Federal Government by establishing the Federal Risk and Authorization 
Management Program within the General Services Administration and by 
establishing a risk management, authorization, and continuous 
monitoring process to enable the Federal Government to leverage cloud 
computing services using a risk-based approach consistent with the 
Federal Information Security Modernization Act of 2014 and cloud-based 
operations, and for other purposes, as amended.
  The Clerk read the title of the bill.
  The text of the bill is as follows:

                               H.R. 3941

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Federal Risk and 
     Authorization Management Program Authorization Act of 2019'' 
     or the ``FedRAMP Authorization Act''.

     SEC. 2. CODIFICATION OF THE FEDRAMP PROGRAM.

       (a) Amendment.--Chapter 36 of title 44, United States Code, 
     is amended by adding at the end the following new sections:

     ``Sec. 3607. Federal Risk and Authorization Management 
       Program

       ``(a) Establishment.--There is established within the 
     General Services Administration the Federal Risk and 
     Authorization Management Program. The Administrator of 
     General Services, in accordance with the guidelines 
     established pursuant to section 3612, shall establish a 
     governmentwide program that provides the authoritative 
     standardized approach to security assessment and 
     authorization for cloud computing products and services that 
     process unclassified information used by agencies.
       ``(b) Components of Fedramp.--The Joint Authorization Board 
     and the FedRAMP Program Management Office are established as 
     components of FedRAMP.

     ``Sec. 3608. FedRAMP Program Management Office

       ``(a) GSA Duties.--
       ``(1) Roles and responsibilities.--The Administrator of 
     General Services shall--
       ``(A) determine the categories and characteristics of cloud 
     computing information technology goods or services that are 
     within the jurisdiction of FedRAMP and that require FedRAMP 
     authorization from the Joint Authorization Board or the 
     FedRAMP Program Management Office;
       ``(B) develop, coordinate, and implement a process for the 
     FedRAMP Program Management Office, the Joint Authorization 
     Board, and agencies to review security assessments of cloud 
     computing services pursuant to subsections (b) and (c) of 
     section 3611, and appropriate oversight of continuous 
     monitoring of cloud computing services; and
       ``(C) ensure the continuous improvement of FedRAMP.
       ``(2) Implementation.--The Administrator shall oversee the 
     implementation of FedRAMP, including--
       ``(A) appointing a Program Director to oversee the FedRAMP 
     Program Management Office;
       ``(B) hiring professional staff as may be necessary for the 
     effective operation of the FedRAMP Program Management Office, 
     and such other activities as are essential to properly 
     perform critical functions;
       ``(C) entering into interagency agreements to detail 
     personnel on a reimbursable or non-reimbursable basis to 
     assist the FedRAMP Program Management Office and the Joint 
     Authorization Board in discharging the responsibilities of 
     the Office under this section; and
       ``(D) such other actions as the Administrator may determine 
     necessary to carry out this section.
       ``(b) Duties.--The FedRAMP Program Management Office shall 
     have the following duties:
       ``(1) Provide guidance to independent assessment 
     organizations, validate the independent assessments, and 
     apply the requirements and guidelines adopted in section 
     3609(c)(5).
       ``(2) Oversee and issue guidelines regarding the 
     qualifications, roles, and responsibilities of independent 
     assessment organizations.
       ``(3) Develop templates and other materials to support the 
     Joint Authorization Board and agencies in the authorization 
     of cloud computing services to increase the speed, 
     effectiveness, and transparency of the authorization process, 
     consistent with standards defined by the National Institute 
     of Standards and Technology.
       ``(4) Establish and maintain a public comment process for 
     proposed guidance before the issuance of such guidance by 
     FedRAMP.
       ``(5) Issue FedRAMP authorization for any authorizations to 
     operate issued by an agency that meets the requirements and 
     guidelines described in paragraph (1).
       ``(6) Establish frameworks for agencies to use 
     authorization packages processed by the FedRAMP Program 
     Management Office and Joint Authorization Board.
       ``(7) Coordinate with the Secretary of Defense and the 
     Secretary of Homeland Security to establish a framework for 
     continuous monitoring and reporting required of agencies 
     pursuant to section 3553.
       ``(8) Establish a centralized and secure repository to 
     collect and share necessary data, including security 
     authorization packages, from the Joint Authorization Board 
     and agencies to enable better sharing and reuse to such 
     packages across agencies.
       ``(c) Evaluation of Automation Procedures.--
       ``(1) In general.--The FedRAMP Program Management Office 
     shall assess and evaluate available automation capabilities 
     and procedures to improve the efficiency and effectiveness of 
     the issuance of provisional authorizations to operate issued 
     by the Joint Authorization Board and FedRAMP authorizations, 
     including continuous monitoring of cloud environments and 
     among cloud environments.
       ``(2) Means for automation.--Not later than 1 year after 
     the date of the enactment of this section and updated 
     annually thereafter, the FedRAMP Program Management Office 
     shall establish a means for the automation of security 
     assessments and reviews.
       ``(d) Metrics for Authorization.--The FedRAMP Program 
     Management Office shall establish annual metrics regarding 
     the time and quality of the assessments necessary for 
     completion of a FedRAMP authorization process in a manner 
     that can be consistently tracked over time in conjunction 
     with the periodic testing and evaluation process pursuant to 
     section 3554 in a manner that minimizes the agency reporting 
     burden.

     ``Sec. 3609. Joint Authorization Board

       ``(a) Establishment.--There is established the Joint 
     Authorization Board which shall consist of cloud computing 
     experts, appointed by the Director in consultation with the 
     Administrator, from each of the following:
       ``(1) The Department of Defense.
       ``(2) The Department of Homeland Security.
       ``(3) The General Services Administration.
       ``(4) Such other agencies as determined by the Director, in 
     consultation with the Administrator.
       ``(b) Issuance of Provisional Authorizations to Operate.--
     The Joint Authorization Board shall conduct security 
     assessments of cloud computing services and issue provisional 
     authorizations to operate to cloud service providers that 
     meet FedRAMP security guidelines set forth in section 
     3608(b)(1).
       ``(c) Duties.--The Joint Authorization Board shall--
       ``(1) develop and make publicly available on a website, 
     determined by the Administrator, criteria for prioritizing 
     and selecting cloud computing services to be assessed by the 
     Joint Authorization Board;
       ``(2) provide regular updates on the status of any cloud 
     computing service during the assessment and authorization 
     process of the Joint Authorization Board;
       ``(3) review and validate cloud computing services and 
     independent assessment organization security packages or any 
     documentation determined to be necessary by the Joint 
     Authorization Board to evaluate the system security of a 
     cloud computing service;
       ``(4) in consultation with the FedRAMP Program Management 
     Office, serve as a resource for best practices to accelerate 
     the FedRAMP process;

[[Page H816]]

       ``(5) establish requirements and guidelines for security 
     assessments of cloud computing services, consistent with 
     standards defined by the National Institute of Standards and 
     Technology, to be used by the Joint Authorization Board and 
     agencies;
       ``(6) perform such other roles and responsibilities as the 
     Administrator may assign, in consultation with the FedRAMP 
     Program Management Office and members of the Joint 
     Authorization Board; and
       ``(7) establish metrics and goals for reviews and 
     activities associated with issuing provisional authorizations 
     to operate and provide to the FedRAMP Program Management 
     Office.
       ``(d) Determinations of Demand for Cloud Computing 
     Services.--The Joint Authorization Board shall consult with 
     the Chief Information Officers Council established in section 
     3603 to establish a process for prioritizing and accepting 
     the cloud computing services to be granted a provisional 
     authorization to operate through the Joint Authorization 
     Board, which shall be made available on a public website.
       ``(e) Detail of Personnel.--To assist the Joint 
     Authorization Board in discharging the responsibilities under 
     this section, personnel of agencies may be detailed to the 
     Joint Authorization Board for the performance of duties 
     described under subsection (c).

     ``Sec. 3610. Independent assessment organizations

       ``(a) Requirements for Accreditation.--The Joint 
     Authorization Board shall determine the requirements for 
     certification of independent assessment organizations 
     pursuant to section 3609. Such requirements may include 
     developing or requiring certification programs for 
     individuals employed by the independent assessment 
     organizations who lead FedRAMP assessment teams.
       ``(b) Assessment.--Accredited independent assessment 
     organizations may assess, validate, and attest to the quality 
     and compliance of security assessment materials provided by 
     cloud service providers.

     ``Sec. 3611. Roles and responsibilities of agencies

       ``(a) In General.--In implementing the requirements of 
     FedRAMP, the head of each agency shall, consistent with 
     guidance issued by the Director pursuant to section 3612--
       ``(1) create policies to ensure cloud computing services 
     used by the agency meet FedRAMP security requirements and 
     other risk-based performance requirements as defined by the 
     Director;
       ``(2) issue agency-specific authorizations to operate for 
     cloud computing services in compliance with section 3554;
       ``(3) confirm whether there is a provisional authorization 
     to operate in the cloud security repository established under 
     section 3608(b)(10) issued by the Joint Authorization Board 
     or a FedRAMP authorization issued by the FedRAMP Program 
     Management Office before beginning an agency authorization 
     for a cloud computing product or service;
       ``(4) to the extent practicable, for any cloud computing 
     product or service the agency seeks to authorize that has 
     received either a provisional authorization to operate by the 
     Joint Authorization Board or a FedRAMP authorization by the 
     FedRAMP Program Management Office, use the existing 
     assessments of security controls and materials within the 
     authorization package; and
       ``(5) provide data and information required to the Director 
     pursuant to section 3612 to determine how agencies are 
     meeting metrics as defined by the FedRAMP Program Management 
     Office.
       ``(b) Submission of Policies Required.--Not later than 6 
     months after the date of the enactment of this section, the 
     head of each agency shall submit to the Director the policies 
     created pursuant to subsection (a)(1) for review and 
     approval.
       ``(c) Submission of Authorizations to Operate Required.--
     Upon issuance of an authorization to operate or a provisional 
     authorization to operate issued by an agency, the head of 
     each agency shall provide a copy of the authorization to 
     operate letter and any supplementary information required 
     pursuant to section 3608(b) to the FedRAMP Program Management 
     Office.
       ``(d) Presumption of Adequacy.--
       ``(1) In general.--The assessment of security controls and 
     materials within the authorization package for provisional 
     authorizations to operate issued by the Joint Authorization 
     Board and agency authorizations to operate that receive 
     FedRAMP authorization from the FedRAMP Program Management 
     Office shall be presumed adequate for use in agency 
     authorizations of cloud computing products and services.
       ``(2) Information security requirements.--The presumption 
     under paragraph (1) does not modify or alter the 
     responsibility of any agency to ensure compliance with 
     subchapter II of chapter 35 for any cloud computing products 
     or services used by the agency.

     ``Sec. 3612. Roles and responsibilities of the Office of 
       Management and Budget

       ``The Director shall have the following duties:
       ``(1) Issue guidance to ensure that an agency does not 
     operate a Federal Government cloud computing service using 
     Government data without an authorization to operate issued by 
     the agency that meets the requirements of subchapter II of 
     chapter 35 and FedRAMP.
       ``(2) Ensure agencies are in compliance with any guidance 
     or other requirements issued related to FedRAMP.
       ``(3) Review, analyze, and update guidance on the adoption, 
     security, and use of cloud computing services used by 
     agencies.
       ``(4) Ensure the Joint Authorization Board is in compliance 
     with section 3609(c).
       ``(5) Adjudicate disagreements between the Joint 
     Authorization Board and cloud service providers seeking a 
     provisional authorization to operate through the Joint 
     Authorization Board.
       ``(6) Promulgate regulations on the role of FedRAMP 
     authorization in agency acquisition of cloud computing 
     products and services that process unclassified information.

     ``Sec. 3613. Authorization of appropriations for FEDRAMP

       ``There is authorized to be appropriated $20,000,000 each 
     year for the FedRAMP Program Management Office and the Joint 
     Authorization Board.

     ``Sec. 3614. Reports to Congress

       ``Not later than 12 months after the date of the enactment 
     of this section, and annually thereafter, the Director shall 
     submit to the Committee on Oversight and Reform of the House 
     of Representatives and the Committee on Homeland Security and 
     Governmental Affairs of the Senate a report that includes the 
     following:
       ``(1) The status, efficiency, and effectiveness of FedRAMP 
     Program Management Office and agencies during the preceding 
     year in supporting the speed, effectiveness, sharing, reuse, 
     and security of authorizations to operate for cloud computing 
     products and services, including progress towards meeting the 
     metrics adopted by the FedRAMP Program Management Office 
     pursuant to section 3608(d) and the Joint Authorization Board 
     pursuant to section 3609(c)(5).
       ``(2) Data on agency use of provisional authorizations to 
     operate issued by the Joint Authorization Board and agency 
     sponsored authorizations that receive FedRAMP authorization 
     by the FedRAMP Program Management Office.
       ``(3) The length of time for the Joint Authorization Board 
     to review applications for and issue provisional 
     authorizations to operate.
       ``(4) The length of time for the FedRAMP Program Management 
     Office to review agency applications for and issue FedRAMP 
     authorization.
       ``(5) The number of provisional authorizations to operate 
     issued by the Joint Authorization Board and FedRAMP 
     authorizations issued by the FedRAMP Program Management 
     Office for the previous year.
       ``(6) A review of progress made during the preceding year 
     in advancing automation techniques to securely automate 
     FedRAMP processes and to accelerate reporting as described in 
     this section.
       ``(7) The number and characteristics of authorized cloud 
     computing services in use at each agency consistent with 
     guidance provided by the Director in section 3612.

     ``Sec. 3615. Federal Secure Cloud Advisory Committee

       ``(a) Establishment, Purposes, and Duties.--
       ``(1) Establishment.--There is established a Federal Secure 
     Cloud Advisory Committee (referred to in this section as the 
     `Committee') to ensure effective and ongoing coordination of 
     agency adoption, use, authorization, monitoring, acquisition, 
     and security of cloud computing products and services to 
     enable agency mission and administrative priorities.
       ``(2) Purposes.--The purposes of the Committee are the 
     following:
       ``(A) To examine the operations of FedRAMP and determine 
     ways that authorization processes can continuously be 
     improved, including the following:
       ``(i) Measures to increase agency re-use of provisional 
     authorizations to operate issued by the Joint Authorization 
     Board.
       ``(ii) Proposed actions that can be adopted to reduce the 
     cost of provisional authorizations to operate and FedRAMP 
     authorizations for cloud service providers.
       ``(iii) Measures to increase the number of provisional 
     authorizations to operate or FedRAMP authorizations for cloud 
     computing services offered by small businesses (as defined by 
     section 3(a) of the Small Business Act (15 U.S.C. 632(a)).
       ``(B) Collect information and feedback on agency compliance 
     with and implementation of FedRAMP requirements.
       ``(C) Serve as a forum that facilitates communication and 
     collaboration among the FedRAMP stakeholder community.
       ``(3) Duties.--The duties of the Committee are, at a 
     minimum, the following:
       ``(A) Provide advice and recommendations to the 
     Administrator, the Joint Authorization Board, and to agencies 
     on technical, financial, programmatic, and operational 
     matters regarding secure adoption of cloud computing 
     services.
       ``(B) Submit reports as required.
       ``(b) Members.--
       ``(1) Composition.--The Committee shall be comprised of not 
     more than 15 members who are qualified representatives from 
     the public and private sectors, appointed by the 
     Administrator, in consultation with the Administrator of the 
     Office of Electronic Government, as follows:
       ``(A) The Administrator or the Administrator's designee, 
     who shall be the Chair of the Committee.
       ``(B) At least 1 representative each from the Cybersecurity 
     and Infrastructure Security Agency and the National Institute 
     of Standards and Technology.

[[Page H817]]

       ``(C) At least 2 officials who serve as the Chief 
     Information Security Officer within an agency, who shall be 
     required to maintain such a position throughout the duration 
     of their service on the Committee.
       ``(D) At least 1 official serving as Chief Procurement 
     Officer (or equivalent) in an agency, who shall be required 
     to maintain such a position throughout the duration of their 
     service on the Committee.
       ``(E) At least 1 individual representing an independent 
     assessment organization.
       ``(F) No fewer than 5 representatives from unique 
     businesses that primarily provide cloud computing services or 
     products, including at least 2 representatives from a small 
     business (as defined by section 3(a) of the Small Business 
     Act (15 U.S.C. 632(a))).
       ``(G) At least 2 other government representatives as the 
     Administrator determines to be necessary to provide 
     sufficient balance, insights, or expertise to the Committee.
       ``(2) Deadline for appointment.--Each member of the 
     Committee shall be appointed not later than 30 days after the 
     date of the enactment of this Act.
       ``(3) Period of appointment; vacancies.--
       ``(A) In general.--Each non-Federal member of the Committee 
     shall be appointed for a term of 3 years, except that the 
     initial terms for members may be staggered 1, 2, or 3 year 
     terms to establish a rotation in which one-third of the 
     members are selected each year. Any such member may be 
     appointed for not more than 2 consecutive terms.
       ``(B) Vacancies.--Any vacancy in the Committee shall not 
     affect its powers, but shall be filled in the same manner in 
     which the original appointment was made. Any member appointed 
     to fill a vacancy occurring before the expiration of the term 
     for which the member's predecessor was appointed shall be 
     appointed only for the remainder of that term. A member may 
     serve after the expiration of that member's term until a 
     successor has taken office.
       ``(c) Meetings and Rules of Procedures.--
       ``(1) Meetings.--The Committee shall hold not fewer than 3 
     meetings in a calendar year, at such time and place as 
     determined by the Chair.
       ``(2) Initial meeting.--Not later than 120 days after the 
     date of the enactment of this section, the Committee shall 
     meet and begin the operations of the Committee.
       ``(3) Rules of procedure.--The Committee may establish 
     rules for the conduct of the business of the Committee, if 
     such rules are not inconsistent with this section or other 
     applicable law.
       ``(d) Employee Status.--
       ``(1) In general.--A member of the Committee (other than a 
     member who is appointed to the Committee in connection with 
     another Federal appointment) shall not be considered an 
     employee of the Federal Government by reason of any service 
     as such a member, except for the purposes of section 5703 of 
     title 5, relating to travel expenses.
       ``(2) Pay not permitted.--A member of the Committee covered 
     by paragraph (1) may not receive pay by reason of service on 
     the panel.
       ``(e) Applicability to the Federal Advisory Committee 
     Act.--Notwithstanding any other provision of law, the Federal 
     Advisory Committee Act (5 U.S.C. App.) shall apply to the 
     Committee, except that section 14 of such Act shall not 
     apply.
       ``(f) Hearings and Evidence.--The Committee, or on the 
     authority of the Committee, any subcommittee, may, for the 
     purposes of carrying out this section, hold hearings, sit and 
     act at such times and places, take testimony, receive 
     evidence, and administer oaths.
       ``(g) Contracting.--The Committee, may, to such extent and 
     in such amounts as are provided in appropriation Acts, enter 
     into contracts to enable the Committee to discharge its 
     duties under this section.
       ``(h) Information From Federal Agencies.--
       ``(1) In general.--The Committee is authorized to secure 
     directly from any executive department, bureau, agency, 
     board, commission, office, independent establishment, or 
     instrumentality of the Government, information, suggestions, 
     estimates, and statistics for the purposes of the Committee. 
     Each department, bureau, agency, board, commission, office, 
     independent establishment, or instrumentality shall, to the 
     extent authorized by law, furnish such information, 
     suggestions, estimates, and statistics directly to the 
     Committee, upon request made by the Chair, the Chair of any 
     subcommittee created by a majority of the Committee, or any 
     member designated by a majority of the Committee.
       ``(2) Receipt, handling, storage, and dissemination.--
     Information may only be received, handled, stored, and 
     disseminated by members of the Committee and its staff 
     consistent with all applicable statutes, regulations, and 
     Executive orders.
       ``(i) Detail of Employees.--Any Federal Government employee 
     may be detailed to the Committee without reimbursement from 
     the Committee, and such detailee shall retain the rights, 
     status, and privileges of his or her regular employment 
     without interruption.
       ``(j) Postal Services.--The Committee may use the United 
     States mails in the same manner and under the same conditions 
     as agencies.
       ``(k) Expert and Consultant Services.--The Committee is 
     authorized to procure the services of experts and consultants 
     in accordance with section 3109 of title 5, but at rates not 
     to exceed the daily rate paid a person occupying a position 
     at Level IV of the Executive Schedule under section 5315 of 
     title 5.
       ``(l) Reports.--
       ``(1) Interim reports.--The Committee may submit to the 
     Administrator and Congress interim reports containing such 
     findings, conclusions, and recommendations as have been 
     agreed to by the Committee.
       ``(2) Annual reports.--Not later than 18 months after the 
     date of the enactment of this section, and annually 
     thereafter, the Committee shall submit to the Administrator 
     and Congress a final report containing such findings, 
     conclusions, and recommendations as have been agreed to by 
     the Committee.

     ``Sec. 3616. Definitions

       ``(a) In General.--Except as provided under subsection (b), 
     the definitions under sections 3502 and 3552 apply to 
     sections 3607 through this section.
       ``(b) Additional Definitions.--In sections 3607 through 
     this section:
       ``(1) Administrator.--The term `Administrator' means the 
     Administrator of General Services.
       ``(2) Authorization package.--The term `authorization 
     package'--
       ``(A) means the essential information used to determine 
     whether to authorize the operation of an information system 
     or the use of a designated set of common controls; and
       ``(B) at a minimum, includes the information system 
     security plan, privacy plan, security control assessment, 
     privacy control assessment, and any relevant plans of action 
     and milestones.
       ``(3) Cloud computing.--The term `cloud computing' has the 
     meaning given that term by the National Institutes of 
     Standards and Technology in NIST Special Publication 800-145 
     and any amendatory or superseding document thereto.
       ``(4) Cloud service provider.--The term `cloud service 
     provider' means an entity offering cloud computing services 
     to agencies.
       ``(5) Director.--The term `Director' means the Director of 
     the Office of Management and Budget.
       ``(6) Fedramp.--The term `FedRAMP' means the Federal Risk 
     and Authorization Management Program established under 
     section 3607(a).
       ``(7) Fedramp authorization.--The term `FedRAMP 
     authorization' means a cloud computing product or service 
     that has received an agency authorization to operate and has 
     been approved by the FedRAMP Program Management Office to 
     meet requirements and guidelines established by the FedRAMP 
     Program Management Office.
       ``(8) Fedramp program management office.--The term `FedRAMP 
     Program Management Office' means the office that administers 
     FedRAMP established under section 3608.
       ``(9) Independent assessment organization.--The term 
     `independent assessment organization' means a third-party 
     organization accredited by the Program Director of the 
     FedRAMP Program Management Office to undertake conformity 
     assessments of cloud service providers.
       ``(10) Joint authorization board.--The term `Joint 
     Authorization Board' means the Joint Authorization Board 
     established under section 3609.''.
       (b) Technical and Conforming Amendment.--The table of 
     sections for chapter 36 of title 44, United States Code, is 
     amended by adding at the end the following new items:

``3607. Federal Risk and Authorization Management Program.
``3608. FedRAMP Program Management Office.
``3609. Joint Authorization Board.
``3610. Independent assessment organizations.
``3611. Roles and responsibilities of agencies.
``3612. Roles and responsibilities of the Office of Management and 
              Budget.
``3613. Authorization of appropriations for FEDRAMP.
``3614. Reports to Congress.
``3615. Federal Secure Cloud Advisory Committee.
``3616. Definitions.''.

       (c) Sunset.--This Act and any amendment made by this Act 
     shall be repealed on the date that is 10 years after the date 
     of the enactment of this Act.
       (d) Rule of Construction.--Nothing in this Act or any 
     amendment made by this Act shall be construed as altering or 
     impairing the authorities of the Director of the Office of 
     Management and Budget or the Secretary of Homeland Security 
     under subchapter II of chapter 35 of title 44, United States 
     Code.

  The SPEAKER pro tempore. Pursuant to the rule, the gentlewoman from 
New York (Mrs. Carolyn B. Maloney) and the gentleman from North 
Carolina (Mr. Meadows) each will control 20 minutes.
  The Chair recognizes the gentlewoman from New York.


                             General Leave

  Mrs. CAROLYN B. MALONEY of New York. Mr. Speaker, I ask unanimous 
consent that all Members may have 5 legislative days within which to 
revise and extend their remarks and include extraneous material on the 
measure before us.

[[Page H818]]

  The SPEAKER pro tempore. Is there objection to the request of the 
gentlewoman from New York?
  There was no objection.
  Mrs. CAROLYN B. MALONEY of New York. Mr. Speaker, I yield myself such 
time as I may consume.
  I thank my colleagues and friends, Representatives Connolly and 
Meadows, for their bipartisan work on this very important measure.
  The Federal Risk and Authorization Management Program Authorization 
Act would codify and improve the existing FedRAMP program in the 
General Services Administration.
  First established in 2011, FedRAMP is an important program that 
certifies cloud service providers that wish to offer services to the 
Federal Government. The FedRAMP certification process outlined in this 
bill is comprehensive and facilitates easier agency adoption, promotes 
agency reuse, and encourages savings.
  The FedRAMP process uses a risk-based approach to ensure the 
reliability of any cloud platform that hosts unclassified government 
data. A significant provision of this bill is the Federal Secure Cloud 
Advisory Committee. This committee would be tasked with key 
responsibilities, including providing technical expertise on cloud 
products and services and identifying ways to reduce costs associated 
with FedRAMP certification.
  The Director of the Office of Management and Budget would be required 
to issue regulations pertaining to FedRAMP and would ensure that 
agencies are not using cloud service providers without authorization.
  This bill supports a critical effort to keep our Nation's information 
secure in cloud environments.
  Mr. Speaker, I support this bill, and I reserve the balance of my 
time.
  Mr. MEADOWS. Mr. Speaker, I yield myself such time as I may consume.
  I rise in support of H.R. 3941, the FedRAMP Authorization Act.
  Cybersecurity and IT modernization are both vital issues that we need 
to make sure run properly. The gentleman from Virginia (Mr. Connolly) 
has been very proactive on this front.
  The Federal Risk and Authorization Management Program, or FedRAMP, as 
it is commonly referred to, would allow Federal programs to focus on 
cybersecurity for cloud services, and it provides a process for 
agencies to follow when procuring cloud systems to ensure that those 
systems meet strict cybersecurity controls.
  The gentlewoman, the chairman of the full committee, has certainly 
talked on a number of issues as it relates to this bill, but since 
there is no opposition that I am aware of, I will just submit my 
remarks for the Record.
  Mr. Speaker, I rise in support of H.R. 3941, the FedRAMP 
Authorization Act.
  Cyber security and IT modernization are both vital issues to ensure 
this government runs efficiently and effectively.
  The Federal Risk and Authorization Management Program, or FedRAMP, is 
the main federal program focused on cyber security for cloud services.
  It provides a process for agencies to follow when procuring cloud 
systems to ensure the systems meet strict cyber security controls.
  Recent federal policies make the focus on securing cloud services 
especially important.
  With the Cloud First initiative in 2011 and the Cloud Smart 
initiative from last year, the government has focused on implementation 
of cloud technologies.
  The federal government has been plagued by reoccurring problems in 
information technology, such as low asset utilization, duplicative 
systems, and fragmented resources.
  Shifting to the cloud provides for improved asset utilization, 
increased innovation, and a more responsive tech environment.
  These improved efficiencies lead to a significant cost savings.
  In fiscal year 2018, the government spent roughly six and a half 
billion dollars on cloud computing, with eighty four percent coming 
from FedRAMP authorized providers.
  Efficiencies from FedRAMP saved agencies over two hundred fifty 
million dollars.
  Codifying the program is an important step to encouraging agencies to 
take advantage of this program and all the benefits it offers.
  I urge my colleagues to support the bill.
  Mr. Speaker, I reserve the balance of my time.
  Mrs. CAROLYN B. MALONEY of New York. Mr. Speaker, I yield as much 
time as he may consume to the gentleman from Virginia (Mr. Connolly), 
chair of the subcommittee.
  Mr. CONNOLLY. Mr. Speaker, I thank the gentlewoman for yielding.
  I salute my partner and friend on our subcommittee, Mr. Meadows. He 
chaired the subcommittee in the previous Congress, and I was his 
ranking member. We have reversed roles, but our partnership continues, 
especially in trying to modernize the Federal Government and bringing 
it into the 21st century in terms of information technology. We know 
that when we don't make those investments, bad things can happen. We 
just saw that the other night in the Iowa caucus.
  H.R. 3941 codifies the Federal Risk and Authorization Management 
Program, known as FedRAMP, established in 2011 to provide a cost-
effective, risk-based approach for the adoption and use of cloud 
computing technologies within the Federal Government.
  FedRAMP standardizes security requirements for the authorization and 
ongoing cybersecurity assessments of cloud services for information 
systems across the Federal Government. In short, FedRAMP seeks to 
reduce the redundancies of Federal cloud migration and to help agencies 
quickly adopt cloud technologies.
  I am also happy to say that FedRAMP has the approval of this 
administration. Last June, the Trump administration issued its Federal 
cloud computing strategy called Cloud Smart, which reaffirmed its 
support for FedRAMP. The Cloud Smart strategy acknowledged the 
importance of FedRAMP in helping agencies modernize their information 
technology systems.
  Cloud Smart also highlighted improvements the program has implemented 
over the past few years that have resulted in a drastically reduced 
timeframe for providing a provisional authorization to operate a cloud 
service provider.
  However, the administration also noted that there is still a lack of 
reciprocity across agencies in taking advantage of FedRAMP-authorized 
products. Without that reciprocity, agencies end up duplicating the 
assessment process of cloud service offerings, leading to time delays 
and inefficiencies for both the Federal Government and the providers.
  In July, the Subcommittee on Government Operations held a hearing to 
look at what the GSA has done right in administering the program and 
the ways in which FedRAMP can and should be improved. The message both 
from agency and industry witnesses was clear. FedRAMP is an important 
program that, if carried out effectively and efficiently, saves money 
for both agencies and businesses hoping to provide those services.
  The FedRAMP Authorization Act codifies the program and addresses many 
of the concerns raised in July by both the administration and private-
sector witnesses.
  First, the bill reduces duplication of security assessments and other 
obstacles to agency adoption of cloud products by establishing--and 
this is really important--a presumption of adequacy for cloud 
technologies that have already received FedRAMP certification. Going to 
33 different windows with 33 separate processes costs way too much 
money, takes way too much time, and, frankly, is unnecessary.
  The presumption of adequacy means that the cloud service offering has 
met baseline security standards already established by the program and 
should be considered approved for use across the Federal Government, 
except where very specialized services would be required.
  The bill also facilitates agency reuse of cloud technologies that 
have already received an authorization to operate by requiring agencies 
to check a centralized and secure repository and, to the extent 
practicable, reuse any existing security assessment before conducting 
an independent one of their own.
  The desire to automate aspects of FedRAMP assessment processes was 
another key finding of the subcommittee's hearing. This bill requires 
that the GSA work toward automating its processes, which will lead to more 
standard security assessments and continuous monitoring of cloud 
offerings to increase the efficiency for both providers and agencies.
  The bill also establishes, as the distinguished chairwoman indicated, 
a Federal Secure Cloud Advisory Committee to ensure a dialogue among

[[Page H819]]

GSA, agency cybersecurity and procurement officials, and industry in 
order to have effective and ongoing coordination in acquisition and 
adoption of cloud products by the Federal Government.
  Finally, the bill authorizes the program at $20 million at an annual 
level, providing sufficient resources to increase the number of secure 
cloud technologies available for agency adoption.
  We have worked with OMB, GSA, industry stakeholders, and our minority 
counterparts to ensure that this bill makes needed improvements in the 
FedRAMP program and gives the program the flexibility to grow and adapt 
to future changes in cloud technologies. I believe it is consistent 
with the administration's goals, and I urge adoption of the bill.
  Mr. MEADOWS. Mr. Speaker, I yield myself the balance of my time.
  I thank the gentleman for his leadership on this. I will say that I 
have had a number of conversations in recent weeks with stakeholders 
who have offered some suggestions on what we could do, so I look 
forward to working with the gentleman opposite on how we can address 
this critical issue.
  Mr. Speaker, I would urge support and adoption of this measure, and I 
yield back the balance of my time.
  Mrs. CAROLYN B. MALONEY of New York. Mr. Speaker, I yield myself the 
balance of my time.
  I urge passage of H.R. 3941, as amended, and I yield back the balance 
of my time.
  The SPEAKER pro tempore. The question is on the motion offered by the 
gentlewoman from New York (Mrs. Carolyn B. Maloney) that the House 
suspend the rules and pass the bill, H.R. 3941, as amended.
  The question was taken; and (two-thirds being in the affirmative) the 
rules were suspended and the bill, as amended, was passed.
  A motion to reconsider was laid on the table.

                          ____________________