[Congressional Record Volume 167, Number 3 (Tuesday, January 5, 2021)]
[House]
[Pages H58-H62]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




FEDERAL RISK AND AUTHORIZATION MANAGEMENT PROGRAM AUTHORIZATION ACT OF 
                                  2021

  Mrs. CAROLYN B. MALONEY of New York. Mr. Speaker, I move to suspend 
the rules and pass the bill (H.R. 21) to enhance the innovation, 
security, and availability of cloud computing products and services 
used in the Federal Government by establishing the Federal Risk and 
Authorization Management Program within the General Services 
Administration and by establishing a risk management, authorization, 
and continuous monitoring process to enable the Federal Government to 
leverage cloud computing products and services using a risk-based 
approach consistent with the Federal Information Security Modernization 
Act of 2014 and cloud-based operations, and for other purposes.
  The Clerk read the title of the bill.
  The text of the bill is as follows:

                                H.R. 21

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Federal Risk and 
     Authorization Management Program Authorization Act of 2021'' 
     or the ``FedRAMP Authorization Act''.

     SEC. 2. CODIFICATION OF THE FEDRAMP PROGRAM.

       (a) Amendment.--Chapter 36 of title 44, United States Code, 
     is amended by adding at the end the following new sections:

     ``Sec. 3607. Federal Risk and Authorization Management 
       Program

       ``(a) Establishment.--There is established within the 
     General Services Administration the Federal Risk and 
     Authorization Management Program. The Administrator of 
     General Services, in accordance with section 3612, shall 
     establish a governmentwide program that provides the 
     authoritative standardized approach to security assessment 
     and authorization for cloud computing products and services 
     that process unclassified information used by agencies.
       ``(b) Components of FedRAMP.--The Joint Authorization Board 
     and the FedRAMP Program Management Office are established as 
     components of FedRAMP.

     ``Sec. 3608. FedRAMP Program Management Office

       ``(a) GSA Duties.--
       ``(1) Roles and responsibilities.--The Administrator of 
     General Services shall--
       ``(A) determine the categories and characteristics of cloud 
     computing products and services that are within the 
     jurisdiction of FedRAMP and that require a FedRAMP 
     authorization or a FedRAMP provisional authorization;
       ``(B) develop, coordinate, and implement a process for the 
     FedRAMP Program Management Office, the Joint Authorization 
     Board, and agencies to review security assessments of cloud 
     computing products and services pursuant to subsections (b) 
     and (c) of section 3611, and appropriate oversight of 
     continuous monitoring of cloud computing products and 
     services; and
       ``(C) ensure the continuous improvement of FedRAMP.
       ``(2) Implementation.--The Administrator shall oversee the 
     implementation of FedRAMP, including--
       ``(A) appointing a Program Director to oversee the FedRAMP 
     Program Management Office;
       ``(B) hiring professional staff as may be necessary for the 
     effective operation of the FedRAMP Program Management Office, 
     and such other activities as are essential to properly 
     perform critical functions;
       ``(C) entering into interagency agreements to detail 
     personnel on a reimbursable or non-reimbursable basis to 
     assist the FedRAMP Program Management Office and the Joint 
     Authorization Board in discharging the responsibilities of 
     the Office under this section; and
       ``(D) such other actions as the Administrator may determine 
     necessary to carry out this section.
       ``(b) Duties.--The FedRAMP Program Management Office shall 
     have the following duties:
       ``(1) Provide guidance to independent assessment 
     organizations, validate the independent assessments, and 
     apply the requirements and guidelines adopted in section 
     3609(c)(5).
       ``(2) Oversee and issue guidelines regarding the necessary 
     requirements for accreditation of third-party organizations 
     seeking to be awarded accreditation as independent assessment 
     organizations, including qualifications, roles, and 
     responsibilities of independent assessment organizations.
       ``(3) Develop templates and other materials to support the 
     Joint Authorization Board and agencies in the authorization 
     of cloud computing products and services to increase the 
     speed, effectiveness, and transparency of the authorization 
     process, consistent with standards defined by the National 
     Institute of Standards and Technology.
       ``(4) Establish and maintain a public comment process for 
     proposed guidance before the issuance of such guidance by 
     FedRAMP.
       ``(5) Review any authorization to operate issued by an 
     agency to determine if the authorization meets the 
     requirements and guidelines adopted in section 3609(c)(5).
       ``(6) Establish frameworks for agencies to use 
     authorization packages processed by the FedRAMP Program 
     Management Office and Joint Authorization Board.
       ``(7) Coordinate with the Secretary of Defense and the 
     Secretary of Homeland Security to establish a framework for 
     continuous monitoring under section 3553 and agency reports 
     required under section 3554.
       ``(8) Establish a centralized and secure repository to 
     collect and share necessary data, including security 
     authorization packages, from the Joint Authorization Board 
     and agencies to enable better sharing and reuse of such 
     packages across agencies.
       ``(c) Evaluation of Automation Procedures.--
       ``(1) In general.--The FedRAMP Program Management Office 
     shall assess and evaluate available automation capabilities 
     and procedures to improve the efficiency and effectiveness of 
     the issuance of FedRAMP authorizations and FedRAMP 
     provisional authorizations, including continuous monitoring 
     of cloud computing products and services.
       ``(2) Means for automation.--Not later than 1 year after 
     the date of the enactment of this section, and updated 
     annually thereafter, the FedRAMP Program Management Office 
     shall establish a means for the automation of security 
     assessments and reviews.
       ``(d) Metrics for Authorization.--The FedRAMP Program 
     Management Office shall establish annual metrics regarding 
     the time and quality of the assessments necessary for 
     completion of a FedRAMP authorization process in a manner 
     that can be consistently tracked over time in conjunction 
     with the periodic testing and evaluation process pursuant to 
     section 3554 in a manner that minimizes the agency reporting 
     burden.

     ``Sec. 3609. Joint Authorization Board

       ``(a) Establishment.--The Joint Authorization Board shall 
     consist of cloud computing experts, appointed by the Director 
     in consultation with the Administrator, from each of the 
     following:
       ``(1) The Department of Defense.
       ``(2) The Department of Homeland Security.
       ``(3) The General Services Administration.
       ``(4) Such other agencies as determined by the Director, in 
     consultation with the Administrator.
       ``(b) Issuance of FedRAMP Provisional Authorizations.--The 
     Joint Authorization Board shall conduct security assessments 
     of cloud computing products and services and issue FedRAMP 
     provisional authorizations to cloud service providers that 
     meet the requirements and guidelines established in 
     subsection (c)(5).
       ``(c) Duties.--The Joint Authorization Board shall--
       ``(1) develop and make publicly available on a website, 
     determined by the Administrator, criteria for prioritizing 
     and selecting cloud computing products and services to be 
     assessed by the Joint Authorization Board;
       ``(2) provide regular updates to applicant cloud service 
     providers on the status of any cloud computing product or 
     service during the assessment and authorization process of 
     the Joint Authorization Board;
       ``(3) review and validate cloud computing products and 
     services and materials submitted by independent assessment 
     organizations or any documentation determined to be necessary 
     by the Joint Authorization Board to evaluate the system 
     security of a cloud computing product or service;
       ``(4) in consultation with the FedRAMP Program Management 
     Office, serve as a resource for best practices to accelerate 
     the process for obtaining a FedRAMP authorization or FedRAMP 
     provisional authorization;
       ``(5) establish requirements and guidelines for security 
     assessments of cloud computing products and services, 
     consistent with standards defined by the National Institute 
     of Standards and Technology, to be used by the Joint 
     Authorization Board and agencies;
       ``(6) perform such other roles and responsibilities as the 
     Administrator may assign, in consultation with the FedRAMP 
     Program Management Office and members of the Joint 
     Authorization Board; and
       ``(7) establish metrics and goals for reviews and 
     activities associated with issuing FedRAMP provisional 
     authorizations and provide to the FedRAMP Program Management 
     Office.
       ``(d) Determinations of Demand for Cloud Computing Products 
     and Services.--The Joint Authorization Board shall consult 
     with the Chief Information Officers Council established in 
     section 3603 to establish a process, that shall be made 
     available on a public website, for prioritizing and accepting 
     the cloud computing products and services to be granted a 
     FedRAMP provisional authorization.
       ``(e) Detail of Personnel.--To assist the Joint 
     Authorization Board in discharging the responsibilities under 
     this section, personnel of agencies may be detailed to the 
     Joint Authorization Board for the performance of duties 
     described under subsection (c).

     ``Sec. 3610. Independent assessment organizations

       ``(a) Requirements for Accreditation.--The Joint 
     Authorization Board shall determine the requirements for the 
     accreditation of a third-party organization seeking to be 
     accredited as an independent assessment organization, 
     ensuring adequate implementation of section 3609. Such 
     requirements may

[[Page H59]]

     include developing or requiring certification programs for 
     individuals employed by the third-party organization seeking 
     accreditation. The Program Director of the FedRAMP Program 
     Management Office shall accredit any third-party organization 
     that meets the requirements for accreditation.
       ``(b) Assessment.--An independent assessment organization 
     may assess, validate, and attest to the quality and 
     compliance of security assessment materials provided by cloud 
     service providers as part of the FedRAMP authorization or the 
     FedRAMP provisional authorization process.

     ``Sec. 3611. Roles and responsibilities of agencies

       ``(a) In General.--In implementing the requirements of 
     FedRAMP, the head of each agency shall, consistent with 
     guidance issued by the Director pursuant to section 3612--
       ``(1) create policies to ensure cloud computing products 
     and services used by the agency meet FedRAMP security 
     requirements and other risk-based performance requirements as 
     defined by the Director;
       ``(2) issue agency-specific authorizations to operate for 
     cloud computing services in compliance with section 3554;
       ``(3) confirm whether there is a FedRAMP authorization or 
     FedRAMP provisional authorization in the cloud security 
     repository established under section 3608(b)(8) before 
     beginning the process to award a FedRAMP authorization or a 
     FedRAMP provisional authorization for a cloud computing 
     product or service;
       ``(4) to the extent practicable, for any cloud computing 
     product or service the agency seeks to authorize that has 
     received a FedRAMP authorization or FedRAMP provisional 
     authorization, use the existing assessments of security 
     controls and materials within the authorization package; and
       ``(5) provide data and information required to the Director 
     pursuant to section 3612 to determine how agencies are 
     meeting metrics as defined by the FedRAMP Program Management 
     Office.
       ``(b) Submission of Policies Required.--Not later than 6 
     months after the date of the enactment of this section, the 
     head of each agency shall submit to the Director the policies 
     created pursuant to subsection (a)(1) for review and 
     approval.
       ``(c) Submission of Authorizations To Operate Required.--
     Upon issuance of an agency authorization to operate, the head 
     of the agency shall provide a copy of the authorization to 
     operate letter and any supplementary information required 
     pursuant to section 3608(b) to the FedRAMP Program Management 
     Office.
       ``(d) Presumption of Adequacy.--
       ``(1) In general.--The assessment of security controls and 
     materials within the authorization package for a FedRAMP 
     authorization or FedRAMP provisional authorization shall be 
     presumed adequate for use in an agency authorization to 
     operate cloud computing products and services.
       ``(2) Information security requirements.--The presumption 
     under paragraph (1) does not modify or alter the 
     responsibility of any agency to ensure compliance with 
     subchapter II of chapter 35 for any cloud computing products 
     or services used by the agency.

     ``Sec. 3612. Roles and responsibilities of the Office of 
       Management and Budget

       ``The Director shall have the following duties:
       ``(1) Issue guidance to ensure that an agency does not 
     operate a Federal Government cloud computing product or 
     service using Government data without an authorization to 
     operate issued by the agency that meets the requirements of 
     subchapter II of chapter 35 and the FedRAMP authorization or 
     FedRAMP provisional authorization.
       ``(2) Ensure agencies are in compliance with any guidance 
     or other requirements issued related to FedRAMP.
       ``(3) Review, analyze, and update guidance on the adoption, 
     security, and use of cloud computing services used by 
     agencies.
       ``(4) Ensure the Joint Authorization Board is in compliance 
     with section 3609(c).
       ``(5) Adjudicate disagreements between the Joint 
     Authorization Board and cloud service providers seeking a 
     FedRAMP provisional authorization.
       ``(6) Promulgate regulations on the role of FedRAMP 
     authorizations and FedRAMP provisional authorizations in 
     agency acquisition of cloud computing products and services 
     that process unclassified information.

     ``Sec. 3613. Authorization of appropriations for FEDRAMP

       ``There is authorized to be appropriated $20,000,000 each 
     year for the FedRAMP Program Management Office and the Joint 
     Authorization Board.

     ``Sec. 3614. Reports to Congress; GAO Report

       ``(a) Reports to Congress.--Not later than 12 months after 
     the date of the enactment of this section, and annually 
     thereafter, the Director shall submit to the Committee on 
     Oversight and Reform of the House of Representatives and the 
     Committee on Homeland Security and Governmental Affairs of 
     the Senate a report that includes the following:
       ``(1) The status, efficiency, and effectiveness of FedRAMP 
     Program Management Office and agencies during the preceding 
     year in supporting the speed, effectiveness, sharing, reuse, 
     and security of authorizations to operate for cloud computing 
     products and services, including progress towards meeting the 
     metrics adopted by the FedRAMP Program Management Office 
     pursuant to section 3608(d) and the Joint Authorization Board 
     pursuant to section 3609(c)(5).
       ``(2) Data on FedRAMP authorizations and FedRAMP 
     provisional authorizations.
       ``(3) The average length of time for the Joint 
     Authorization Board to review applications for and issue 
     FedRAMP provisional authorizations.
       ``(4) The average length of time for the FedRAMP Program 
     Management Office to review authorizations to operate.
       ``(5) The number of FedRAMP authorizations and FedRAMP 
     provisional authorizations issued for the previous year.
       ``(6) A review of progress made during the preceding year 
     in advancing automation techniques to securely automate 
     FedRAMP processes and to accelerate reporting as described in 
     this section.
       ``(7) The number and characteristics of authorized cloud 
     computing products and services in use at each agency 
     consistent with guidance provided by the Director in section 
     3612.
       ``(8) The cost incurred by agencies and cloud service 
     providers related to the issuance of FedRAMP authorizations 
     and FedRAMP provisional authorizations, including information 
     responsive to the report required in subsection (b).
       ``(b) GAO Report.--Not later than 6 months after the date 
     of the enactment of this section, the Comptroller General of 
     the United States shall publish a report that includes an 
     assessment of the cost incurred by agencies and cloud service 
     providers related to the issuance of FedRAMP authorizations 
     and FedRAMP provisional authorizations.

     ``Sec. 3615. Federal Secure Cloud Advisory Committee

       ``(a) Establishment, Purposes, and Duties.--
       ``(1) Establishment.--There is established a Federal Secure 
     Cloud Advisory Committee (referred to in this section as the 
     `Committee') to ensure effective and ongoing coordination of 
     agency adoption, use, authorization, monitoring, acquisition, 
     and security of cloud computing products and services to 
     enable agency mission and administrative priorities.
       ``(2) Purposes.--The purposes of the Committee are the 
     following:
       ``(A) To examine the operations of FedRAMP and determine 
     ways that authorization processes can continuously be 
     improved, including the following:
       ``(i) Measures to increase agency re-use of FedRAMP 
     provisional authorizations.
       ``(ii) Proposed actions that can be adopted to reduce the 
     cost of FedRAMP authorizations and FedRAMP provisional 
     authorizations for cloud service providers.
       ``(iii) Measures to increase the number of FedRAMP 
     authorizations and FedRAMP provisional authorizations for 
     cloud computing services offered by small businesses (as 
     defined by section 3(a) of the Small Business Act (15 U.S.C. 
     632(a)).
       ``(B) Collect information and feedback on agency compliance 
     with and implementation of FedRAMP requirements.
       ``(C) Serve as a forum that facilitates communication and 
     collaboration among the FedRAMP stakeholder community.
       ``(3) Duties.--The duties of the Committee are, at a 
     minimum, to provide advice and recommendations to the 
     Administrator, the Joint Authorization Board, and to agencies 
     on technical, financial, programmatic, and operational 
     matters regarding secure adoption of cloud computing products 
     and services.
       ``(b) Members.--
       ``(1) Composition.--The Committee shall be comprised of not 
     more than 15 members who are qualified representatives from 
     the public and private sectors, appointed by the 
     Administrator, in consultation with the Administrator of the 
     Office of Electronic Government, as follows:
       ``(A) The Administrator or the Administrator's designee, 
     who shall be the Chair of the Committee.
       ``(B) At least one representative each from the 
     Cybersecurity and Infrastructure Security Agency and the 
     National Institute of Standards and Technology.
       ``(C) At least two officials who serve as the Chief 
     Information Security Officer within an agency, who shall be 
     required to maintain such a position throughout the duration 
     of their service on the Committee.
       ``(D) At least one official serving as Chief Procurement 
     Officer (or equivalent) in an agency, who shall be required 
     to maintain such a position throughout the duration of their 
     service on the Committee.
       ``(E) At least one individual representing an independent 
     assessment organization.
       ``(F) No fewer than five representatives from unique 
     businesses that primarily provide cloud computing services or 
     products, including at least two representatives from a small 
     business (as defined by section 3(a) of the Small Business 
     Act (15 U.S.C. 632(a))).
       ``(G) At least two other Government representatives as the 
     Administrator determines to be necessary to provide 
     sufficient balance, insights, or expertise to the Committee.
       ``(2) Deadline for appointment.--Each member of the 
     Committee shall be appointed not later than 30 days after the 
     date of the enactment of this section.
       ``(3) Period of appointment; vacancies.--
       ``(A) In general.--Each non-Federal member of the Committee 
     shall be appointed for a term of 3 years, except that the 
     initial terms for members may be staggered 1-, 2-,

[[Page H60]]

     or 3-year terms to establish a rotation in which one-third of 
     the members are selected each year. Any such member may be 
     appointed for not more than 2 consecutive terms.
       ``(B) Vacancies.--Any vacancy in the Committee shall not 
     affect its powers, but shall be filled in the same manner in 
     which the original appointment was made. Any member appointed 
     to fill a vacancy occurring before the expiration of the term 
     for which the member's predecessor was appointed shall be 
     appointed only for the remainder of that term. A member may 
     serve after the expiration of that member's term until a 
     successor has taken office.
       ``(c) Meetings and Rules of Procedures.--
       ``(1) Meetings.--The Committee shall hold not fewer than 
     three meetings in a calendar year, at such time and place as 
     determined by the Chair.
       ``(2) Initial meeting.--Not later than 120 days after the 
     date of the enactment of this section, the Committee shall 
     meet and begin the operations of the Committee.
       ``(3) Rules of procedure.--The Committee may establish 
     rules for the conduct of the business of the Committee, if 
     such rules are not inconsistent with this section or other 
     applicable law.
       ``(d) Employee Status.--
       ``(1) In general.--A member of the Committee (other than a 
     member who is appointed to the Committee in connection with 
     another Federal appointment) shall not be considered an 
     employee of the Federal Government by reason of any service 
     as such a member, except for the purposes of section 5703 of 
     title 5, relating to travel expenses.
       ``(2) Pay not permitted.--A member of the Committee covered 
     by paragraph (1) may not receive pay by reason of service on 
     the Committee.
       ``(e) Applicability to the Federal Advisory Committee 
     Act.--Section 14 of the Federal Advisory Committee Act (5 
     U.S.C. App.) shall not apply to the Committee.
       ``(f) Hearings and Evidence.--The Committee, or on the 
     authority of the Committee, any subcommittee, may, for the 
     purposes of carrying out this section, hold hearings, sit and 
     act at such times and places, take testimony, receive 
     evidence, and administer oaths.
       ``(g) Contracting.--The Committee, may, to such extent and 
     in such amounts as are provided in appropriation Acts, enter 
     into contracts to enable the Committee to discharge its 
     duties under this section.
       ``(h) Information From Federal Agencies.--
       ``(1) In general.--The Committee is authorized to secure 
     directly from any executive department, bureau, agency, 
     board, commission, office, independent establishment, or 
     instrumentality of the Government, information, suggestions, 
     estimates, and statistics for the purposes of the Committee. 
     Each department, bureau, agency, board, commission, office, 
     independent establishment, or instrumentality shall, to the 
     extent authorized by law, furnish such information, 
     suggestions, estimates, and statistics directly to the 
     Committee, upon request made by the Chair, the Chair of any 
     subcommittee created by a majority of the Committee, or any 
     member designated by a majority of the Committee.
       ``(2) Receipt, handling, storage, and dissemination.--
     Information may only be received, handled, stored, and 
     disseminated by members of the Committee and its staff 
     consistent with all applicable statutes, regulations, and 
     Executive orders.
       ``(i) Detail of Employees.--Any Federal Government employee 
     may be detailed to the Committee without reimbursement from 
     the Committee, and such detailee shall retain the rights, 
     status, and privileges of his or her regular employment 
     without interruption.
       ``(j) Postal Services.--The Committee may use the United 
     States mails in the same manner and under the same conditions 
     as agencies.
       ``(k) Expert and Consultant Services.--The Committee is 
     authorized to procure the services of experts and consultants 
     in accordance with section 3109 of title 5, but at rates not 
     to exceed the daily rate paid a person occupying a position 
     at Level IV of the Executive Schedule under section 5315 of 
     title 5.
       ``(l) Reports.--
       ``(1) Interim reports.--The Committee may submit to the 
     Administrator and Congress interim reports containing such 
     findings, conclusions, and recommendations as have been 
     agreed to by the Committee.
       ``(2) Annual reports.--Not later than 18 months after the 
     date of the enactment of this section, and annually 
     thereafter, the Committee shall submit to the Administrator 
     and Congress a final report containing such findings, 
     conclusions, and recommendations as have been agreed to by 
     the Committee.

     ``Sec. 3616. Definitions

       ``(a) In General.--Except as provided under subsection (b), 
     the definitions under sections 3502 and 3552 apply to 
     sections 3607 through this section.
       ``(b) Additional Definitions.--In sections 3607 through 
     this section:
       ``(1) Administrator.--The term `Administrator' means the 
     Administrator of General Services.
       ``(2) Authorization package.--The term `authorization 
     package'--
       ``(A) means the essential information used to determine 
     whether to authorize the operation of an information system 
     or the use of a designated set of common controls; and
       ``(B) at a minimum, includes the information system 
     security plan, privacy plan, security control assessment, 
     privacy control assessment, and any relevant plans of action 
     and milestones.
       ``(3) Cloud computing.--The term `cloud computing' has the 
     meaning given that term by the National Institutes of 
     Standards and Technology in NIST Special Publication 800-145 
     and any amendatory or superseding document thereto.
       ``(4) Cloud service provider.--The term `cloud service 
     provider' means an entity offering cloud computing products 
     or services to agencies.
       ``(5) Director.--The term `Director' means the Director of 
     the Office of Management and Budget.
       ``(6) FedRAMP.--The term `FedRAMP' means the Federal Risk 
     and Authorization Management Program established under 
     section 3607(a).
       ``(7) FedRAMP authorization.--The term `FedRAMP 
     authorization' means a certification that a cloud computing 
     product or service received from an agency that provides an 
     authorization to operate and the FedRAMP Program Management 
     Office has determined the product or service has completed 
     the FedRAMP authorization process.
       ``(8) FedRAMP program management office.--The term `FedRAMP 
     Program Management Office' means the office that administers 
     FedRAMP established under section 3607(b).
       ``(9) FedRAMP provisional authorization.--The term `FedRAMP 
     provisional authorization' means a certification that a cloud 
     computing product or service has received from the Joint 
     Authorization Board that approves a provisional authorization 
     to operate.
       ``(10) Independent assessment organization.--The term 
     `independent assessment organization' means a third-party 
     organization accredited by the Program Director of the 
     FedRAMP Program Management Office to undertake conformity 
     assessments of cloud service providers and their products or 
     services.
       ``(11) Joint authorization board.--The term `Joint 
     Authorization Board' means the Joint Authorization Board 
     established under section 3607(b).''.
       (b) Technical and Conforming Amendment.--The table of 
     sections for chapter 36 of title 44, United States Code, is 
     amended by adding at the end the following new items:

``3607. Federal Risk and Authorization Management Program.
``3608. FedRAMP Program Management Office.
``3609. Joint Authorization Board.
``3610. Independent assessment organizations.
``3611. Roles and responsibilities of agencies.
``3612. Roles and responsibilities of the Office of Management and 
              Budget.
``3613. Authorization of appropriations for FEDRAMP.
``3614. Reports to Congress.
``3615. Federal Secure Cloud Advisory Committee.
``3616. Definitions.''.

       (c) Sunset.--This Act and any amendment made by this Act 
     shall be repealed on the date that is 10 years after the date 
     of the enactment of this Act.
       (d) Rule of Construction.--Nothing in this Act or any 
     amendment made by this Act shall be construed as altering or 
     impairing the authorities of the Director of the Office of 
     Management and Budget or the Secretary of Homeland Security 
     under subchapter II of chapter 35 of title 44, United States 
     Code.

  The SPEAKER pro tempore. Pursuant to the rule, the gentlewoman from 
New York (Mrs. Carolyn B. Maloney) and the gentleman from Alabama (Mr. 
Palmer) each will control 20 minutes.
  The Chair recognizes the gentlewoman from New York.


                             General Leave

  Mrs. CAROLYN B. MALONEY of New York. Mr. Speaker, I ask unanimous 
consent that all Members may have 5 legislative days in which to revise 
and extend their remarks and include extraneous material on the measure 
before us.
  The SPEAKER pro tempore. Is there objection to the request of the 
gentlewoman from New York?
  There was no objection.
  Mrs. CAROLYN B. MALONEY of New York. Mr. Speaker, I yield myself such 
time as I may consume.
  I thank Representatives Connolly and Comer for working on this 
important bipartisan issue.
  A version of this bill passed the House in the last Congress, and it 
has been improved after receiving technical assistance from the General 
Services Administration. The Federal Risk and Authorization Management 
Program Authorization Act would codify and improve the existing FedRAMP 
in the General Services Administration.
  First established in 2011, FedRAMP is an important program that 
certifies cloud service providers who wish to offer services and 
products to the Federal Government.
  The FedRAMP certification process outlined in this bill is 
comprehensive,

[[Page H61]]

facilitates easier agency adoption, promotes agency reuse, and 
encourages savings. The FedRAMP process uses a risk-based approach to 
ensure the reliability of any cloud platform that hosts unclassified 
government data.
  A significant provision of this bill is the Federal Secure Cloud 
Advisory Committee. This committee would be tasked with key 
responsibilities, including providing technical expertise on cloud 
products and services and identifying ways to reduce costs associated 
with FedRAMP certification.
  The Director of the Office of Management and Budget would be required 
to issue regulations pertaining to FedRAMP and would ensure that 
agencies are not using cloud service providers without authorizations. 
This bill supports a critical effort to keep our Nation's information 
secure in cloud environments.
  Mr. Speaker, I urge all Members to support this bill, and I reserve 
the balance of my time.
  Mr. PALMER. Mr. Speaker, I yield myself such time as I may consume.
  Mr. Speaker, I rise in support of H.R. 21, the FedRAMP Authorization 
Act, introduced by my distinguished colleague and friend, 
Representative Gerry Connolly.
  Cybersecurity and technology modernization are both vital issues to 
ensure this government runs efficiently and effectively. This is even 
clearer in light of the unprecedented recent cyberattack that 
compromised both the private and public sectors' critical information 
systems. Congress must work to further the Federal Government's 
cybersecurity while moving Federal agencies to more modern solutions, 
which will help keep our public data safe and provide improved services 
to our Nation's citizens.
  The Federal Risk and Authorization Program, or FedRAMP, is the main 
Federal program focused on helping agencies procure secure cloud 
computing services. The FedRAMP provides a consistent process for 
agencies to procure modern cloud systems in accordance with established 
Federal cybersecurity standards. Recent Federal policies make the focus 
on securing cloud services especially important.
  With both the Cloud First initiative in 2011 and the Cloud Smart 
initiative from President Trump's administration, the government 
continues to focus on adopting modern, cost-effective cloud technology 
solutions.
  The Federal Government is plagued by reoccurring problems in 
information technology, such as low asset utilization, duplicative 
systems, and fragmented resources. Shifting to the cloud provides for 
improved asset utilization, increased innovation, and more agile and 
responsive technology capabilities. These improved efficiencies have 
led to significant cost savings.
  In fiscal year 2018, the government spent roughly $6.5 billion on 
cloud computing, with 84 percent coming from FedRAMP authorized cloud 
computing providers.
  The centralized security authorization process offered by the FedRAMP 
program has saved agencies over $250 million in cost avoidance, 
according to the General Services Administration.
  Recognizing these cost benefits, this legislation aims to increase 
the Federal Government's use of the consistent, centrally managed cloud 
computing security authorizations provided by the FedRAMP program. 
Codifying this successful program into law is an important step towards 
encouraging Federal agencies to take full advantage of this program and 
all the security benefits that it offers.
  Mr. Speaker, again, I thank my colleague, Representative Connolly, 
for introducing this bill. I urge my colleagues to support the bill, 
and I reserve the balance of my time.
  Mrs. CAROLYN B. MALONEY of New York. Mr. Speaker, I yield 5 minutes 
to the gentleman from Virginia (Mr. Connolly).
  Mr. CONNOLLY. Mr. Speaker, I thank the distinguished chairwoman of 
our committee for her graciousness in not only bringing this bill back 
to the floor, but making it the first legislative bill we are going to 
consider in the new Congress. I thank my good friend from New York. I 
also thank my friend from Alabama for his gracious words and his 
partnership on so many issues on our committee on a bipartisan basis.
  I want to thank the majority leader for bringing this bill to the 
floor. I also want to thank the ranking member of the full committee, 
Mr. Comer; and the ranking member of our subcommittee, Mr. Hice, for 
cosponsoring this bill, making it as bipartisan as we get.
  H.R. 21, the FedRAMP Authorization Act, would finally provide a 
statutory framework--which we currently lack--for the Federal Risk and 
Authorization Management Program, FedRAMP.

  FedRAMP is a standardized approach to certifying and assessing in an 
ongoing manner the security of cloud computing technologies used across 
the Federal Government. FedRAMP seeks to reduce the redundancies of 
Federal cloud migration by creating a ``certify once, reuse many 
times'' model for cloud products and services that provide cost-
effective, risk-based approach to cloud adoption. Enabling the 
efficient and secure procurement of cloud computing technology is an 
important part of Federal IT modernization efforts and essential to the 
Federal Government's transition to a more virtual posture amid the 
pandemic.
  In the first 4 years of FedRAMP, the program authorized only 20 cloud 
products. Today, there are 211 FedRAMP authorized cloud products that 
Federal agencies can use and more than 240 cloud service providers 
participating in FedRAMP, 30 percent of which are small businesses--
female-owned, minority-owned, and veteran-owned businesses. In fiscal 
year 2020, FedRAMP saw a 50 percent increase in agencies reusing 
authorized cloud products.
  This bill already passed the House in the last Congress with 
bipartisan support not once, but twice; once under suspension by voice 
vote and once as an amendment to the House version of the National 
Defense Authorization Act.
  After incorporating technical assistance that the chairwoman 
mentioned from the General Services Administration and other key 
stakeholders, I rise again to offer the FedRAMP Authorization Act.
  For nearly 4 years, we have worked with the Office of Management and 
Budget, GSA, industry stakeholders, and our friends on both sides of 
the aisle to make the needed improvements so FedRAMP can be codified in 
law.
  This bill is essential, and it will demonstrate a universal 
commitment to FedRAMP and the accelerated adoption of secure cloud 
computing technologies, a vital component of the broader Federal IT 
modernization effort. And we know it is needed after the cyber hack, 
probably led by the Russians, in the last few weeks.
  The FedRAMP Authorization Act would codify the program and address 
many of the concerns raised by industry and government stakeholders.
  First, the bill reduces duplication of security assessments and other 
obstacles to agency adoption of cloud products by establishing a 
presumption of adequacy for cloud technologies that have received 
FedRAMP certification. This is important so that companies are not 
spending millions of dollars simply to get the same certification over 
and over again.

                              {time}  1215

  The bill would also facilitate agency reuse of cloud technologies 
that have already received an authorization-to-operate by requiring 
agencies to check a centralized and secure repository.
  It requires that GSA work toward automating their processes, which 
will lead to more standard security. It will establish a Federal secure 
cloud advisory committee to ensure dialogue among GSA, agency 
cybersecurity and procurement officials, and industry representatives 
for effective and ongoing coordination.
  Finally, it authorizes $20 million in annual appropriations for the 
program, providing sufficient resources to increase the number of 
secure cloud technologies available and to allow free and fair 
competition, especially for our small and minority-owned businesses.
  Mr. Speaker, I urge that the House act on this first bill on the 
first day of our legislative activity. Again, I thank our distinguished 
chairwoman for being so generous in bringing this bill up again.
  Mr. PALMER. Mr. Speaker, I have no further speakers. I am prepared to 
close, and I yield myself the balance of my time.
  Mr. Speaker, protecting our public's valuable information by 
improving the

[[Page H62]]

Federal Government's cybersecurity and adopting modern technology 
should be a top priority of Congress.
  I look forward to working together on issues like this that are in 
the best interest of the Nation. I strongly urge my colleagues to 
support this legislation, and I yield back the balance of my time.
  Mrs. CAROLYN B. MALONEY of New York. Mr. Speaker, I urge passage of 
H.R. 21, and I yield back the balance of my time.
  The SPEAKER pro tempore. The question is on the motion offered by the 
gentlewoman from New York (Mrs. Carolyn B. Maloney) that the House 
suspend the rules and pass the bill, H.R. 21.
  The question was taken; and (two-thirds being in the affirmative) the 
rules were suspended and the bill was passed.
  A motion to reconsider was laid on the table.

                          ____________________