[Congressional Record Volume 168, Number 157 (Wednesday, September 28, 2022)]
[House]
[Pages H8136-H8140]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]
FEDRAMP AUTHORIZATION ACT
Mrs. CAROLYN B. MALONEY of New York. Mr. Speaker, I move to suspend
the rules and pass the bill (H.R. 8956) to amend chapter 36 of title
44, United States Code, to improve the cybersecurity of the Federal
Government, and for other purposes.
The Clerk read the title of the bill.
The text of the bill is as follows:
H.R. 8956
Be it enacted by the Senate and House of Representatives of
the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``FedRAMP Authorization Act''.
SEC. 2. FINDINGS.
Congress finds the following:
(1) Ensuring that the Federal Government can securely
leverage cloud computing products and services is key to
expediting the modernization of legacy information technology
systems, increasing cybersecurity within and across
departments and agencies, and supporting the continued
leadership of the United States in technology innovation and
job creation.
(2) According to independent analysis, as of calendar year
2019, the size of the cloud computing market had tripled
since 2004, enabling more than 2,000,000 jobs and adding more
than $200,000,000,000 to the gross domestic product of the
United States.
(3) The Federal Government, across multiple presidential
administrations and Congresses, has continued to support the
ability of agencies to move to the cloud, including through--
(A) President Barack Obama's ``Cloud First Strategy'';
(B) President Donald Trump's ``Cloud Smart Strategy'';
(C) the prioritization of cloud security in Executive Order
14028 (86 Fed. Reg. 26633; relating to improving the nation's
cybersecurity), which was issued by President Joe Biden; and
(D) more than a decade of appropriations and authorization
legislation that provides agencies with relevant authorities
and appropriations to modernize on-premises information
technology systems and more readily adopt cloud computing
products and services.
(4) Since it was created in 2011, the Federal Risk and
Authorization Management Program (referred to in this section
as ``FedRAMP'') at the General Services Administration has
made steady and sustained improvements in supporting the
secure authorization and reuse of cloud computing products
and services within the Federal Government, including by
reducing the costs and burdens on both agencies and cloud
companies to quickly and securely enter the Federal market.
(5) According to data from the General Services
Administration, as of the end of fiscal year 2021, there were
239 cloud providers with FedRAMP authorizations, and those
authorizations had been reused more than 2,700 times across
various agencies.
(6) Providing a legislative framework for FedRAMP and new
authorities to the General Services Administration, the
Office of Management and Budget, and Federal agencies will--
(A) improve the speed at which new cloud computing products
and services can be securely authorized;
(B) enhance the ability of agencies to effectively evaluate
FedRAMP authorized providers for reuse;
(C) reduce the costs and burdens to cloud providers seeking
a FedRAMP authorization; and
(D) provide for more robust transparency and dialogue
between industry and the Federal Government to drive stronger
adoption of secure cloud capabilities, create jobs, and
reduce wasteful legacy information technology.
SEC. 3. TITLE 44 AMENDMENTS.
(a) Amendment.--Chapter 36 of title 44, United States Code,
is amended by adding at the end the following:
``Sec. 3607. Definitions
``(a) In General.--Except as provided under subsection (b),
the definitions under sections 3502 and 3552 apply to this
section through section 3616.
``(b) Additional Definitions.--In this section through
section 3616:
``(1) Administrator.--The term `Administrator' means the
Administrator of General Services.
``(2) Appropriate congressional committees.--The term
`appropriate congressional committees' means the Committee on
Homeland Security and Governmental Affairs of the Senate and
the Committee on Oversight and Reform of the House of
Representatives.
``(3) Authorization to operate; federal information.--The
terms `authorization to operate' and `Federal information'
have the meaning given those terms in Circular A-130 of the
Office of Management and Budget entitled `Managing
Information as a Strategic Resource', or any successor
document.
``(4) Cloud computing.--The term `cloud computing' has the
meaning given the term in Special Publication 800-145 of the
National Institute of Standards and Technology, or any
successor document.
``(5) Cloud service provider.--The term `cloud service
provider' means an entity offering cloud computing products
or services to agencies.
``(6) FedRAMP.--The term `FedRAMP' means the Federal Risk
and Authorization Management Program established under
section 3608.
``(7) FedRAMP authorization.--The term `FedRAMP
authorization' means a certification that a cloud computing
product or service has--
``(A) completed a FedRAMP authorization process, as
determined by the Administrator; or
``(B) received a FedRAMP provisional authorization to
operate, as determined by the FedRAMP Board.
``(8) Fedramp authorization package.--The term `FedRAMP
authorization package' means the essential information that
can be used by an agency to determine whether to authorize
the operation of an information system or the use of a
designated set of common controls for all cloud computing
products and services authorized by FedRAMP.
``(9) FedRAMP board.--The term `FedRAMP Board' means the
board established under section 3610.
``(10) Independent assessment service.--The term
`independent assessment service' means a third-party
organization accredited by the Administrator to undertake
conformity assessments of cloud service providers and the
products or services of cloud service providers.
``(11) Secretary.--The term `Secretary' means the Secretary
of Homeland Security.
``Sec. 3608. Federal Risk and Authorization Management
Program
``There is established within the General Services
Administration the Federal Risk and Authorization Management
Program. The Administrator, subject to section 3614, shall
establish a Government-wide program that provides a
standardized, reusable approach to security assessment and
authorization for cloud computing products and services that
process unclassified information used by agencies.
``Sec. 3609. Roles and responsibilities of the General
Services Administration
``(a) Roles and Responsibilities.--The Administrator
shall--
``(1) in consultation with the Secretary, develop,
coordinate, and implement a process to support agency review,
reuse, and standardization, where appropriate, of security
assessments of cloud computing products and services,
including, as appropriate, oversight of continuous monitoring
of cloud computing products and services, pursuant to
guidance issued by the Director pursuant to section 3614;
``(2) establish processes and identify criteria consistent
with guidance issued by the Director under section 3614 to
make a cloud computing product or service eligible for a
FedRAMP authorization and validate whether a cloud computing
product or service has a FedRAMP authorization;
``(3) develop and publish templates, best practices,
technical assistance, and other materials to support the
authorization of cloud computing products and services and
increase the speed, effectiveness, and transparency of the
authorization process, consistent with standards and
guidelines established by the Director of the National
Institute of Standards and Technology and relevant statutes;
``(4) establish and update guidance on the boundaries of
FedRAMP authorization packages to enhance the security and
protection of Federal information and promote transparency
for agencies and users as to which services are included in
the scope of a FedRAMP authorization;
``(5) grant FedRAMP authorizations to cloud computing
products and services consistent with the guidance and
direction of the FedRAMP Board;
``(6) establish and maintain a public comment process for
proposed guidance and other FedRAMP directives that may have
a direct impact on cloud service providers and agencies
before the issuance of such guidance or other FedRAMP
directives;
``(7) coordinate with the FedRAMP Board, the Director of
the Cybersecurity and Infrastructure Security Agency, and
other entities identified by the Administrator, with the
concurrence of the Director and the Secretary, to establish
and regularly update a framework for continuous monitoring
under section 3553;
``(8) provide a secure mechanism for storing and sharing
necessary data, including FedRAMP authorization packages, to
enable better reuse of such packages across agencies,
including making available any information and data necessary
for agencies to fulfill the requirements of section 3613;
``(9) provide regular updates to applicant cloud service
providers on the status of any cloud computing product or
service during an assessment process;
``(10) regularly review, in consultation with the FedRAMP
Board--
``(A) the costs associated with the independent assessment
services described in section 3611; and
``(B) the information relating to foreign interests
submitted pursuant to section 3612;
``(11) in coordination with the Director of the National
Institute of Standards and Technology, the Director, the
Secretary, and other stakeholders, as appropriate, determine
the sufficiency of underlying standards and requirements to
identify and assess the provenance of the software in cloud
services and products;
``(12) support the Federal Secure Cloud Advisory Committee
established pursuant to section 3616; and
``(13) take such other actions as the Administrator may
determine necessary to carry out FedRAMP.
``(b) Website.--
``(1) In general.--The Administrator shall maintain a
public website to serve as the authoritative repository for
FedRAMP, including the timely publication and updates for all
relevant information, guidance, determinations, and other
materials required under subsection (a).
``(2) Criteria and process for fedramp authorization
priorities.--The Administrator shall develop and make
publicly available on the website described in paragraph (1)
the criteria and process for prioritizing and selecting cloud
computing products and services that will receive a FedRAMP
authorization, in consultation with the FedRAMP Board and the
Chief Information Officers Council.
``(c) Evaluation of Automation Procedures.--
``(1) In general.--The Administrator, in coordination with
the Secretary, shall assess and evaluate available automation
capabilities and procedures to improve the efficiency and
effectiveness of the issuance of FedRAMP authorizations,
including continuous monitoring of cloud computing products
and services.
``(2) Means for automation.--Not later than 1 year after
the date of enactment of this section, and updated regularly
thereafter, the Administrator shall establish a means for the
automation of security assessments and reviews.
``(d) Metrics for Authorization.--The Administrator shall
establish annual metrics regarding the time and quality of
the assessments necessary for completion of a FedRAMP
authorization process in a manner that can be consistently
tracked over time in conjunction with the periodic testing
and evaluation process pursuant to section 3554 in a manner
that minimizes the agency reporting burden.
``Sec. 3610. FedRAMP Board
``(a) Establishment.--There is established a FedRAMP Board
to provide input and recommendations to the Administrator
regarding the requirements and guidelines for, and the
prioritization of, security assessments of cloud computing
products and services.
``(b) Membership.--The FedRAMP Board shall consist of not
more than 7 senior officials or experts from agencies
appointed by the Director, in consultation with the
Administrator, from each of the following:
``(1) The Department of Defense.
``(2) The Department of Homeland Security.
``(3) The General Services Administration.
``(4) Such other agencies as determined by the Director, in
consultation with the Administrator.
``(c) Qualifications.--Members of the FedRAMP Board
appointed under subsection (b) shall have technical expertise
in domains relevant to FedRAMP, such as--
``(1) cloud computing;
``(2) cybersecurity;
``(3) privacy;
``(4) risk management; and
``(5) other competencies identified by the Director to
support the secure authorization of cloud services and
products.
``(d) Duties.--The FedRAMP Board shall--
``(1) in consultation with the Administrator, serve as a
resource for best practices to accelerate the process for
obtaining a FedRAMP authorization;
``(2) establish and regularly update requirements and
guidelines for security authorizations of cloud computing
products and services, consistent with standards and
guidelines established by the Director of the National
Institute of Standards and Technology, to be used in the
determination of FedRAMP authorizations;
``(3) monitor and oversee, to the greatest extent
practicable, the processes and procedures by which agencies
determine and validate requirements for a FedRAMP
authorization, including periodic review of the agency
determinations described in section 3613(b);
``(4) ensure consistency and transparency between agencies
and cloud service providers in a manner that minimizes
confusion and engenders trust; and
``(5) perform such other roles and responsibilities as the
Director may assign, with concurrence from the Administrator.
``(e) Determinations of Demand for Cloud Computing Products
and Services.--The FedRAMP Board may consult with the Chief
Information Officers Council to establish a process, which
may be made available on the website maintained under section
3609(b), for prioritizing and accepting the cloud computing
products and services to be granted a FedRAMP authorization.
``Sec. 3611. Independent assessment
``The Administrator may determine whether FedRAMP may use
an independent assessment service to analyze, validate, and
attest to the quality and compliance of security assessment
materials provided by cloud service providers during the
course of a determination of whether to use a cloud computing
product or service.
``Sec. 3612. Declaration of foreign interests
``(a) In General.--An independent assessment service that
performs services described in section 3611 shall annually
submit to the Administrator information relating to any
foreign interest, foreign influence, or foreign control of
the independent assessment service.
``(b) Updates.--Not later than 48 hours after there is a
change in foreign ownership or control of an independent
assessment service that performs services described in
section 3611, the independent assessment service shall submit
to the Administrator an update to the information submitted
under subsection (a).
``(c) Certification.--The Administrator may require a
representative of an independent assessment service to
certify the accuracy and completeness of any information
submitted under this section.
``Sec. 3613. Roles and responsibilities of agencies
``(a) In General.--In implementing the requirements of
FedRAMP, the head of each agency shall, consistent with
guidance issued by the Director pursuant to section 3614--
``(1) promote the use of cloud computing products and
services that meet FedRAMP security requirements and other
risk-based performance requirements as determined by the
Director, in consultation with the Secretary;
``(2) confirm whether there is a FedRAMP authorization in
the secure mechanism provided under section 3609(a)(8) before
beginning the process of granting a FedRAMP authorization for
a cloud computing product or service;
``(3) to the extent practicable, for any cloud computing
product or service the agency seeks to authorize that has
received a FedRAMP authorization, use the existing
assessments of security controls and materials within any
FedRAMP authorization package for that cloud computing
product or service; and
``(4) provide to the Director data and information required
by the Director pursuant to section 3614 to determine how
agencies are meeting metrics established by the
Administrator.
``(b) Attestation.--Upon completing an assessment or
authorization activity with respect to a particular cloud
computing product or service, if an agency determines that
the information and data the agency has reviewed under
paragraph (2) or (3) of subsection (a) is wholly or
substantially deficient for the purposes of performing an
authorization of the cloud computing product
or service, the head of the agency shall document as part of
the resulting FedRAMP authorization package the reasons for
this determination.
``(c) Submission of Authorizations to Operate Required.--
Upon issuance of an agency authorization to operate based on
a FedRAMP authorization, the head of the agency shall provide
a copy of its authorization to operate letter and any
supplementary information required pursuant to section
3609(a) to the Administrator.
``(d) Submission of Policies Required.--Not later than 180
days after the date on which the Director issues guidance in
accordance with section 3614(1), the head of each agency,
acting through the chief information officer of the agency,
shall submit to the Director all agency policies relating to
the authorization of cloud computing products and services.
``(e) Presumption of Adequacy.--
``(1) In general.--The assessment of security controls and
materials within the authorization package for a FedRAMP
authorization shall be presumed adequate for use in an agency
authorization to operate cloud computing products and
services.
``(2) Information security requirements.--The presumption
under paragraph (1) does not modify or alter--
``(A) the responsibility of any agency to ensure compliance
with subchapter II of chapter 35 for any cloud computing
product or service used by the agency; or
``(B) the authority of the head of any agency to make a
determination that there is a demonstrable need for
additional security requirements beyond the security
requirements included in a FedRAMP authorization for a
particular control implementation.
``Sec. 3614. Roles and responsibilities of the Office of
Management and Budget
``The Director shall--
``(1) in consultation with the Administrator and the
Secretary, issue guidance that--
``(A) specifies the categories or characteristics of cloud
computing products and services that are within the scope of
FedRAMP;
``(B) includes requirements for agencies to obtain a
FedRAMP authorization when operating a cloud computing
product or service described in subparagraph (A) as a Federal
information system; and
``(C) encompasses, to the greatest extent practicable, all
necessary and appropriate cloud computing products and
services;
``(2) issue guidance describing additional responsibilities
of FedRAMP and the FedRAMP Board to accelerate the adoption
of secure cloud computing products and services by the
Federal Government;
``(3) in consultation with the Administrator, establish a
process to periodically review FedRAMP authorization packages
to support the secure authorization and reuse of secure cloud
products and services;
``(4) oversee the effectiveness of FedRAMP and the FedRAMP
Board, including the compliance by the FedRAMP Board with the
duties described in section 3610(d); and
``(5) to the greatest extent practicable, encourage and
promote consistency of the assessment, authorization,
adoption, and use of secure cloud computing products and
services within and across agencies.
``Sec. 3615. Reports to Congress; GAO report
``(a) Reports to Congress.--Not later than 1 year after the
date of enactment of this section, and annually thereafter,
the Director shall submit to the appropriate congressional
committees a report that includes the following:
``(1) During the preceding year, the status, efficiency,
and effectiveness of the General Services Administration
under section 3609 and agencies under section 3613 and in
supporting the speed, effectiveness, sharing, reuse, and
security of authorizations to operate for secure cloud
computing products and services.
``(2) Progress towards meeting the metrics required under
section 3609(d).
``(3) Data on FedRAMP authorizations.
``(4) The average length of time to issue FedRAMP
authorizations.
``(5) The number of FedRAMP authorizations submitted,
issued, and denied for the preceding year.
``(6) A review of progress made during the preceding year
in advancing automation techniques to securely automate
FedRAMP processes and to accelerate reporting under this
section.
``(7) The number and characteristics of authorized cloud
computing products and services in use at each agency
consistent with guidance provided by the Director under
section 3614.
``(8) A review of FedRAMP measures to ensure the security
of data stored or processed by cloud service providers, which
may include--
``(A) geolocation restrictions for provided products or
services;
``(B) disclosures of foreign elements of supply chains of
acquired products or services;
``(C) continued disclosures of ownership of cloud service
providers by foreign entities; and
``(D) encryption for data processed, stored, or transmitted
by cloud service providers.
``(b) GAO Report.--Not later than 180 days after the date
of enactment of this section, the Comptroller General of the
United States shall report to the appropriate congressional
committees an assessment of the following:
``(1) The costs incurred by agencies and cloud service
providers relating to the issuance of FedRAMP authorizations.
``(2) The extent to which agencies have processes in place
to continuously monitor the implementation of cloud computing
products and services operating as Federal information
systems.
``(3) How often and for which categories of products and
services agencies use FedRAMP authorizations.
``(4) The unique costs and potential burdens incurred by
cloud computing companies that are small business concerns
(as defined in section 3(a) of the Small Business Act (15
U.S.C. 632(a))) as a part of the FedRAMP authorization
process.
``Sec. 3616. Federal Secure Cloud Advisory Committee
``(a) Establishment, Purposes, and Duties.--
``(1) Establishment.--There is established a Federal Secure
Cloud Advisory Committee (referred to in this section as the
`Committee') to ensure effective and ongoing coordination of
agency adoption, use, authorization, monitoring, acquisition,
and security of cloud computing products and services to
enable agency mission and administrative priorities.
``(2) Purposes.--The purposes of the Committee are the
following:
``(A) To examine the operations of FedRAMP and determine
ways that authorization processes can continuously be
improved, including the following:
``(i) Measures to increase agency reuse of FedRAMP
authorizations.
``(ii) Proposed actions that can be adopted to reduce the
burden, confusion, and cost associated with FedRAMP
authorizations for cloud service providers.
``(iii) Measures to increase the number of FedRAMP
authorizations for cloud computing products and services
offered by small business concerns (as defined by section
3(a) of the Small Business Act (15 U.S.C. 632(a))).
``(iv) Proposed actions that can be adopted to reduce the
burden and cost of FedRAMP authorizations for agencies.
``(B) Collect information and feedback on agency compliance
with and implementation of FedRAMP requirements.
``(C) Serve as a forum that facilitates communication and
collaboration among the FedRAMP stakeholder community.
``(3) Duties.--The duties of the Committee include
providing advice and recommendations to the Administrator,
the FedRAMP Board, and agencies on technical, financial,
programmatic, and operational matters regarding secure
adoption of cloud computing products and services.
``(b) Members.--
``(1) Composition.--The Committee shall be comprised of not
more than 15 members who are qualified representatives from
the public and private sectors, appointed by the
Administrator, in consultation with the Director, as follows:
``(A) The Administrator or the Administrator's designee,
who shall be the Chair of the Committee.
``(B) At least 1 representative each from the Cybersecurity
and Infrastructure Security Agency and the National Institute
of Standards and Technology.
``(C) At least 2 officials who serve as the Chief
Information Security Officer within an agency, who shall be
required to maintain such a position throughout the duration
of their service on the Committee.
``(D) At least 1 official serving as Chief Procurement
Officer (or equivalent) in an agency, who shall be required
to maintain such a position throughout the duration of their
service on the Committee.
``(E) At least 1 individual representing an independent
assessment service.
``(F) At least 5 representatives from unique businesses
that primarily provide cloud computing services or products,
including at least 2 representatives from a small business
concern (as defined by section 3(a) of the Small Business Act
(15 U.S.C. 632(a))).
``(G) At least 2 other representatives of the Federal
Government as the Administrator determines necessary to
provide sufficient balance, insights, or expertise to the
Committee.
``(2) Deadline for appointment.--Each member of the
Committee shall be appointed not later than 90 days after the
date of enactment of this section.
``(3) Period of appointment; vacancies.--
``(A) In general.--Each non-Federal member of the Committee
shall be appointed for a term of 3 years, except that the
initial terms for members may be staggered 1-, 2-, or 3-year
terms to establish a rotation in which one-third of the
members are selected each year. Any such member may be
appointed for not more than 2 consecutive terms.
``(B) Vacancies.--Any vacancy in the Committee shall not
affect its powers, but shall be filled in the same manner in
which the original appointment was made. Any member appointed
to fill a vacancy occurring before the expiration of the term
for which the member's predecessor was appointed shall be
appointed only for the remainder of that term. A member may
serve after the expiration of that member's term until a
successor has taken office.
``(c) Meetings and Rules of Procedures.--
``(1) Meetings.--The Committee shall hold not fewer than 3
meetings in a calendar year, at such time and place as
determined by the Chair.
``(2) Initial meeting.--Not later than 120 days after the
date of enactment of this section, the Committee shall meet
and begin the operations of the Committee.
``(3) Rules of procedure.--The Committee may establish
rules for the conduct of the business of the Committee if
such rules are not inconsistent with this section or other
applicable law.
``(d) Employee Status.--
``(1) In general.--A member of the Committee (other than a
member who is appointed to the Committee in connection with
another Federal appointment) shall not be considered an
employee of the Federal Government by reason of any service
as such a member, except for the purposes of section 5703 of
title 5, relating to travel expenses.
``(2) Pay not permitted.--A member of the Committee covered
by paragraph (1) may not receive pay by reason of service on
the Committee.
``(e) Applicability to the Federal Advisory Committee
Act.--Section 14 of the Federal Advisory Committee Act (5
U.S.C. App.) shall not apply to the Committee.
``(f) Detail of Employees.--Any Federal Government employee
may be detailed to the Committee without reimbursement from
the Committee, and such detailee shall retain the rights,
status, and privileges of his or her regular employment
without interruption.
``(g) Postal Services.--The Committee may use the United
States mails in the same manner and under the same conditions
as agencies.
``(h) Reports.--
``(1) Interim reports.--The Committee may submit to the
Administrator and Congress interim reports containing such
findings, conclusions, and recommendations as have been
agreed to by the Committee.
``(2) Annual reports.--Not later than 540 days after the
date of enactment of this section, and annually thereafter,
the Committee shall submit to the Administrator and Congress
a report containing such findings, conclusions, and
recommendations as have been agreed to by the Committee.''.
(b) Technical and Conforming Amendment.--The table of
sections for chapter 36 of title 44, United States Code, is
amended by adding at the end the following new items:
``3607. Definitions.
``3608. Federal Risk and Authorization Management Program.
``3609. Roles and responsibilities of the General Services
Administration.
``3610. FedRAMP Board.
``3611. Independent assessment.
``3612. Declaration of foreign interests.
``3613. Roles and responsibilities of agencies.
``3614. Roles and responsibilities of the Office of Management and
Budget.
``3615. Reports to Congress; GAO report.
``3616. Federal Secure Cloud Advisory Committee.''.
(c) Sunset.--
(1) In general.--Effective on the date that is 5 years
after the date of enactment of this Act, chapter 36 of title
44, United States Code, is amended by striking sections 3607
through 3616.
(2) Conforming amendment.--Effective on the date that is 5
years after the date of enactment of this Act, the table of
sections for chapter 36 of title 44, United States Code, is
amended by striking the items relating to sections 3607
through 3616.
(d) Rule of Construction.--Nothing in this section or any
amendment made by this section shall be construed as altering
or impairing the authorities of the Director of the Office of
Management and Budget or the Secretary of Homeland Security
under subchapter II of chapter 35 of title 44, United States
Code.
The SPEAKER pro tempore. Pursuant to the rule, the gentlewoman from
New York (Mrs. Carolyn B. Maloney) and the gentleman from Kentucky (Mr.
Comer) each will control 20 minutes.
The Chair recognizes the gentlewoman from New York.
General Leave
Mrs. CAROLYN B. MALONEY of New York. Mr. Speaker, I ask unanimous
consent that all Members may have 5 legislative days in which to revise
and extend their remarks and include extraneous material on the measure
before us.
The SPEAKER pro tempore. Is there objection to the request of the
gentlewoman from New York?
There was no objection.
Mrs. CAROLYN B. MALONEY of New York. Mr. Speaker, I yield myself such
time as I may consume.
Mr. Speaker, I thank Representative Connolly, the chairman of the
Subcommittee on Government Operations, and Ranking Member Comer for
working on this important bipartisan measure.
A version of this bill passed this House earlier in this Congress. It
has been improved after receiving technical assistance from the General
Services Administration and through discussions with the Senate
Committee on Homeland Security and Governmental Affairs.
The Federal Risk and Authorization Management Program Authorization
Act would codify and improve the existing FedRAMP program in the
General Services Administration.
First established in 2011, FedRAMP is an important program that
certifies cloud service providers that wish to offer services and
products to the Federal Government.
The FedRAMP certification process outlined in this bill is
comprehensive, facilitates easier agency adoption, promotes agency
reuse, and encourages savings.
The FedRAMP process uses a risk-based approach to ensure the
reliability of any cloud platform that hosts unclassified government
data.
{time} 1445
One significant provision of this bill is the Federal Secure Cloud
Advisory Committee. This committee would be tasked with key
responsibilities, including providing technical expertise on cloud
products and services and identifying ways to reduce costs associated
with FedRAMP certification.
The Director of the Office of Management and Budget would be required
to issue regulations on FedRAMP and would ensure that agencies are not
using cloud service providers without authorization.
This bill supports a critical effort to keep our Nation's information
secure in cloud environments. I urge all Members to support this bill
and reserve the balance of my time.
Mr. COMER. Mr. Speaker, I yield myself such time as I may consume.
Mr. Speaker, if this bill sounds familiar to Members, there is good
reason for that. Once again, the House of Representatives is debating a
bipartisan bill to secure Federal agency use of modern cloud computing
services.
However, this time we are doing it as H.R. 8956, the Federal Secure
Cloud Improvement and Jobs Act. Formerly named the FedRAMP
Authorization Act, this was the first bill the House passed this
Congress, as H.R. 21, on January 5, 2021.
We also passed the same legislation as part of this year's House
version of the National Defense Authorization Act.
This is such an important issue that we are here again to send an
improved bill back to the Senate for final passage.
Cybersecurity and technology modernization are both vital issues to
ensure this government runs efficiently, effectively, and safely. We
need this legislation to address the continued onslaught of
cyberattacks that have compromised both the private and public sectors'
critical information systems.
Cloud computing is an important innovation.
It allows users to tap into extra resources to meet spikes in demand,
like what agencies saw when trying to deliver COVID-relief assistance.
It also allows them to access modernized applications without the
need for them to also invest in their own data storage equipment.
While cloud computing is the norm in the private sector, we still
need to encourage agencies to adopt this technology when it makes
sense. We also must ensure cloud computing services are secure. That is
where the Federal Risk and Authorization Management Program comes in.
FedRAMP, run by the General Services Administration, is the main
Federal program focused on helping agencies procure secure cloud
computing systems. It provides a consistent process to ensure agencies
know a given cloud service meets Federal cybersecurity standards. It
also provides clarity for vendors, so they understand the requirements
to ensure their products are secure enough for Federal agency use.
Shifting to the cloud is more cost effective, allows for better
citizen services and mission-based solutions, and provides more
responsive technology capabilities overall. These improved efficiencies
have led to significant cost savings.
At the end of fiscal year 2021, the GSA estimated that over the
FedRAMP program's 10-year lifespan, it had helped agencies avoid $716
million in individual security review costs. So while agencies are not
required to buy FedRAMP-approved services, it makes sense to encourage
them to do so.
After passing the earlier version, H.R. 21, the Senate also made
changes that improved the bill we are considering today.
[[Page H8140]]
Such updates include striking the unnecessary authorization of $20
million in appropriations and requiring better oversight of the
industry costs associated with becoming FedRAMP certified. This will
help ensure both small and large businesses can participate in the
program.
In addition, this version also seeks to identify and avoid
bottlenecks that slow approval. It also takes steps to secure the
software supply chain from threats by foreign bad actors, the likely
source of the 2020 SolarWinds attack that targeted numerous private
sector companies and Federal agencies.
Codifying this successful program into law is an important step
towards encouraging Federal agencies to take full advantage of this
program and all the security benefits it offers.
Mr. Speaker, I urge my colleagues to support this bill, and I reserve
the balance of my time.
Mrs. CAROLYN B. MALONEY of New York. Mr. Speaker, I yield 5 minutes
to the gentleman from Virginia (Mr. Connolly), the distinguished
chairman of the Subcommittee on Government Operations and sponsor of
this important bill, H.R. 8956.
Mr. CONNOLLY. Mr. Speaker, I thank the gentlewoman from New York
(Mrs. Carolyn B. Maloney), the distinguished chairwoman of the
committee and my friend, and I thank the gentleman from Kentucky (Mr.
Comer), the distinguished ranking member and my friend, for bringing
this bill to the floor.
With respect to Mr. Comer's comments, I just say, ``Hear, hear.'' He
has succinctly explained both the process and the importance of this
bill.
This is the sixth time the House will have passed this bill in some
form. The Senate has yet to ever consider it on the floor. As Mr. Comer
indicated, the time has now come for the Senate to accept a bill that
has been worked out with the Senate in terms of the language so that we
can get this important piece of Federal IT into law.
This bill would create a statutory framework for the Federal Risk and
Authorization Management Program, known as FedRAMP, originally
established administratively back in 2011. This bill will codify
FedRAMP and was the very first bill, as Mr. Comer indicated, to pass
the House in the 117th Congress. It passed, I believe, unanimously.
If once again passed, this will be, as I said, I believe, the sixth
time we have considered it here in the House of Representatives.
FedRAMP is a standardized approach that brings our government in line
with our increasingly digital world to continually certify and assess
the security of cloud computing technologies used across the Federal
Government.
FedRAMP seeks to reduce the redundancies of Federal cloud migration
by creating a ``certify once, reuse many times'' model for cloud
products and services that provide cost-effective, risk-based
approaches to cloud adoption. FedRAMP saw a 50 percent increase in
agencies reusing authorized cloud products in 2020.
This bill codifies FedRAMP and addresses many of the concerns raised
by government and industry stakeholders in terms of both the time and
cost associated with certification. The text reduces duplication of
security assessments and other obstacles to agency adoption of cloud
products by establishing a presumption of adequacy for cloud
technologies that have already received FedRAMP certification, so
companies aren't reinventing the wheel and spending millions of dollars
they don't need to.
I support a strong cybersecurity framework that ensures whatever tool
we use to support the infrastructure of our Federal critical systems is
safe and secure. Again, referenced by Mr. Comer. However, those who
have already diligently passed scrupulous security assessments
shouldn't have to start from scratch, and this bill addresses that.
For more than 5 years, I have worked with administrations, both
Democratic and Republican, Members on the other side of the aisle,
industry stakeholders, and my friends in the U.S. Senate to ensure the
legislative text makes needed improvements to the FedRAMP program and
gives the program flexibility to grow and adapt to myriad future
changes.
Since the coronavirus pandemic, the demand for cloud services has
risen by 85 percent. Accordingly, FedRAMP use skyrocketed and enabled
the government to continue working securely during the government's
large-scale movement to telework.
In the first 4 years of FedRAMP, the program had only authorized 20
cloud service offerings, but by 2021 it had authorized 240. Today,
there are over 280 cloud service providers to the U.S. Government
participating in FedRAMP, and about 30 percent of FedRAMP authorized
CSPs are small businesses. Over 180 agencies participate in FedRAMP and
have initiated more than 3,000 agency reuses of authorized products.
Today, the Agency Liaison Program, which provides FedRAMP
authorization, education, and training, currently has 155 liaisons with
82 different Federal Government departments participating.
Ultimately, this program strives to have at least one representative
from each Federal agency tied to the security authorization who can
communicate to key stakeholders about their agency's internal processes
as well as FedRAMP requirements.
The bill supports a critical need to support multistakeholder
communication and keep our Nation's information secure in cloud
environments.
Enabling the efficient and secure procurement of cloud computing
technology is an important part of Federal IT modernization. Codifying
FedRAMP into law is very important because right now it exists as an
orphan only by an executive action.
I thank the gentleman from Kentucky (Mr. Comer), the ranking member
of the Oversight and Reform Committee, for being a steadfast partner,
and I thank our chairwoman for her leadership.
Mr. COMER. Mr. Speaker, I yield myself the balance of my time to
close.
Mr. Speaker, protecting our public's valuable information is
something we can all agree on. I hope we can continue to do our job and
work together on improving the Federal Government cybersecurity and
adoption of modern technology.
Mr. Speaker, I encourage my colleagues to support this bill, and I
yield back the balance of my time.
Mrs. CAROLYN B. MALONEY of New York. Mr. Speaker, I yield myself the
balance of my time to close.
Mr. Speaker, I urge passage of H.R. 8956 and yield back the balance
of my time.
The SPEAKER pro tempore. The question is on the motion offered by the
gentlewoman from New York (Mrs. Carolyn B. Maloney) that the House
suspend the rules and pass the bill, H.R. 8956.
The question was taken.
The SPEAKER pro tempore. In the opinion of the Chair, two-thirds
being in the affirmative, the ayes have it.
Mr. HICE of Georgia. Mr. Speaker, on that I demand the yeas and nays.
The yeas and nays were ordered.
The SPEAKER pro tempore. Pursuant to clause 8 of rule XX, further
proceedings on this motion will be postponed.
____________________