[Congressional Record Volume 168, Number 157 (Wednesday, September 28, 2022)]
[House]
[Pages H8136-H8140]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




                       FEDRAMP AUTHORIZATION ACT

  Mrs. CAROLYN B. MALONEY of New York. Mr. Speaker, I move to suspend 
the rules and pass the bill (H.R. 8956) to amend chapter 36 of title 
44, United States Code, to improve the cybersecurity of the Federal 
Government, and for other purposes.
  The Clerk read the title of the bill.
  The text of the bill is as follows:

                               H.R. 8956

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``FedRAMP Authorization Act''.

     SEC. 2. FINDINGS.

       Congress finds the following:
       (1) Ensuring that the Federal Government can securely 
     leverage cloud computing products and services is key to 
     expediting the modernization of legacy information technology 
     systems, increasing cybersecurity within and across 
     departments and agencies, and supporting the continued 
     leadership of the United States in technology innovation and 
     job creation.
       (2) According to independent analysis, as of calendar year 
     2019, the size of the cloud computing market had tripled 
     since 2004, enabling more than 2,000,000 jobs and adding more 
     than $200,000,000,000 to the gross domestic product of the 
     United States.
       (3) The Federal Government, across multiple presidential 
     administrations and Congresses, has continued to support the 
     ability of agencies to move to the cloud, including through--
       (A) President Barack Obama's ``Cloud First Strategy'';
       (B) President Donald Trump's ``Cloud Smart Strategy'';
       (C) the prioritization of cloud security in Executive Order 
     14028 (86 Fed. Reg. 26633; relating to improving the nation's 
     cybersecurity), which was issued by President Joe Biden; and
       (D) more than a decade of appropriations and authorization 
     legislation that provides agencies with relevant authorities 
     and appropriations to modernize on-premises information 
     technology systems and more readily adopt cloud computing 
     products and services.
       (4) Since it was created in 2011, the Federal Risk and 
     Authorization Management Program (referred to in this section 
     as ``FedRAMP'') at the General Services Administration has 
     made steady and sustained improvements in supporting the 
     secure authorization and reuse of cloud computing products 
     and services within the Federal Government, including by 
     reducing the costs and burdens on both agencies and cloud 
     companies to quickly and securely enter the Federal market.
       (5) According to data from the General Services 
     Administration, as of the end of fiscal year 2021, there were 
     239 cloud providers with FedRAMP authorizations, and those 
     authorizations had been reused more than 2,700 times across 
     various agencies.
       (6) Providing a legislative framework for FedRAMP and new 
     authorities to the General Services Administration, the 
     Office of Management and Budget, and Federal agencies will--
       (A) improve the speed at which new cloud computing products 
     and services can be securely authorized;
       (B) enhance the ability of agencies to effectively evaluate 
     FedRAMP authorized providers for reuse;
       (C) reduce the costs and burdens to cloud providers seeking 
     a FedRAMP authorization; and
       (D) provide for more robust transparency and dialogue 
     between industry and the Federal Government to drive stronger 
     adoption of secure cloud capabilities, create jobs, and 
     reduce wasteful legacy information technology.

     SEC. 3. TITLE 44 AMENDMENTS.

       (a) Amendment.--Chapter 36 of title 44, United States Code, 
     is amended by adding at the end the following:

     ``Sec. 3607. Definitions

       ``(a) In General.--Except as provided under subsection (b), 
     the definitions under sections 3502 and 3552 apply to this 
     section through section 3616.
       ``(b) Additional Definitions.--In this section through 
     section 3616:
       ``(1) Administrator.--The term `Administrator' means the 
     Administrator of General Services.
       ``(2) Appropriate congressional committees.--The term 
     `appropriate congressional committees' means the Committee on 
     Homeland Security and Governmental Affairs of the Senate and 
     the Committee on Oversight and Reform of the House of 
     Representatives.
       ``(3) Authorization to operate; federal information.--The 
     terms `authorization to operate' and `Federal information' 
     have the meaning given those terms in Circular A-130 of the 
     Office of Management and Budget entitled `Managing 
     Information as a Strategic Resource', or any successor 
     document.
       ``(4) Cloud computing.--The term `cloud computing' has the 
     meaning given the term in Special Publication 800-145 of the 
     National Institute of Standards and Technology, or any 
     successor document.
       ``(5) Cloud service provider.--The term `cloud service 
     provider' means an entity offering cloud computing products 
     or services to agencies.
       ``(6) FedRAMP.--The term `FedRAMP' means the Federal Risk 
     and Authorization Management Program established under 
     section 3608.
       ``(7) FedRAMP authorization.--The term `FedRAMP 
     authorization' means a certification that a cloud computing 
     product or service has--
       ``(A) completed a FedRAMP authorization process, as 
     determined by the Administrator; or
       ``(B) received a FedRAMP provisional authorization to 
     operate, as determined by the FedRAMP Board.
       ``(8) FedRAMP authorization package.--The term `FedRAMP 
     authorization package' means the essential information that 
     can be used by an agency to determine whether to authorize 
     the operation of an information system or the use of a 
     designated set of common controls for all cloud computing 
     products and services authorized by FedRAMP.
       ``(9) FedRAMP board.--The term `FedRAMP Board' means the 
     board established under section 3610.
       ``(10) Independent assessment service.--The term 
     `independent assessment service' means a third-party 
     organization accredited by the Administrator to undertake 
     conformity assessments of cloud service providers and the 
     products or services of cloud service providers.
       ``(11) Secretary.--The term `Secretary' means the Secretary 
     of Homeland Security.

     ``Sec. 3608. Federal Risk and Authorization Management 
       Program

       ``There is established within the General Services 
     Administration the Federal Risk and Authorization Management 
     Program. The Administrator, subject to section 3614, shall 
     establish a Government-wide program that provides a 
     standardized, reusable approach to security assessment and 
     authorization for cloud computing products and services that 
     process unclassified information used by agencies.

     ``Sec. 3609. Roles and responsibilities of the General 
       Services Administration

       ``(a) Roles and Responsibilities.--The Administrator 
     shall--

[[Page H8137]]

       ``(1) in consultation with the Secretary, develop, 
     coordinate, and implement a process to support agency review, 
     reuse, and standardization, where appropriate, of security 
     assessments of cloud computing products and services, 
     including, as appropriate, oversight of continuous monitoring 
     of cloud computing products and services, pursuant to 
     guidance issued by the Director pursuant to section 3614;
       ``(2) establish processes and identify criteria consistent 
     with guidance issued by the Director under section 3614 to 
     make a cloud computing product or service eligible for a 
     FedRAMP authorization and validate whether a cloud computing 
     product or service has a FedRAMP authorization;
       ``(3) develop and publish templates, best practices, 
     technical assistance, and other materials to support the 
     authorization of cloud computing products and services and 
     increase the speed, effectiveness, and transparency of the 
     authorization process, consistent with standards and 
     guidelines established by the Director of the National 
     Institute of Standards and Technology and relevant statutes;
       ``(4) establish and update guidance on the boundaries of 
     FedRAMP authorization packages to enhance the security and 
     protection of Federal information and promote transparency 
     for agencies and users as to which services are included in 
     the scope of a FedRAMP authorization;
       ``(5) grant FedRAMP authorizations to cloud computing 
     products and services consistent with the guidance and 
     direction of the FedRAMP Board;
       ``(6) establish and maintain a public comment process for 
     proposed guidance and other FedRAMP directives that may have 
     a direct impact on cloud service providers and agencies 
     before the issuance of such guidance or other FedRAMP 
     directives;
       ``(7) coordinate with the FedRAMP Board, the Director of 
     the Cybersecurity and Infrastructure Security Agency, and 
     other entities identified by the Administrator, with the 
     concurrence of the Director and the Secretary, to establish 
     and regularly update a framework for continuous monitoring 
     under section 3553;
       ``(8) provide a secure mechanism for storing and sharing 
     necessary data, including FedRAMP authorization packages, to 
     enable better reuse of such packages across agencies, 
     including making available any information and data necessary 
     for agencies to fulfill the requirements of section 3613;
       ``(9) provide regular updates to applicant cloud service 
     providers on the status of any cloud computing product or 
     service during an assessment process;
       ``(10) regularly review, in consultation with the FedRAMP 
     Board--
       ``(A) the costs associated with the independent assessment 
     services described in section 3611; and
       ``(B) the information relating to foreign interests 
     submitted pursuant to section 3612;
       ``(11) in coordination with the Director of the National 
     Institute of Standards and Technology, the Director, the 
     Secretary, and other stakeholders, as appropriate, determine 
     the sufficiency of underlying standards and requirements to 
     identify and assess the provenance of the software in cloud 
     services and products;
       ``(12) support the Federal Secure Cloud Advisory Committee 
     established pursuant to section 3616; and
       ``(13) take such other actions as the Administrator may 
     determine necessary to carry out FedRAMP.
       ``(b) Website.--
       ``(1) In general.--The Administrator shall maintain a 
     public website to serve as the authoritative repository for 
     FedRAMP, including the timely publication and updates for all 
     relevant information, guidance, determinations, and other 
     materials required under subsection (a).
       ``(2) Criteria and process for FedRAMP authorization 
     priorities.--The Administrator shall develop and make 
     publicly available on the website described in paragraph (1) 
     the criteria and process for prioritizing and selecting cloud 
     computing products and services that will receive a FedRAMP 
     authorization, in consultation with the FedRAMP Board and the 
     Chief Information Officers Council.
       ``(c) Evaluation of Automation Procedures.--
       ``(1) In general.--The Administrator, in coordination with 
     the Secretary, shall assess and evaluate available automation 
     capabilities and procedures to improve the efficiency and 
     effectiveness of the issuance of FedRAMP authorizations, 
     including continuous monitoring of cloud computing products 
     and services.
       ``(2) Means for automation.--Not later than 1 year after 
     the date of enactment of this section, and updated regularly 
     thereafter, the Administrator shall establish a means for the 
     automation of security assessments and reviews.
       ``(d) Metrics for Authorization.--The Administrator shall 
     establish annual metrics regarding the time and quality of 
     the assessments necessary for completion of a FedRAMP 
     authorization process in a manner that can be consistently 
     tracked over time in conjunction with the periodic testing 
     and evaluation process pursuant to section 3554 in a manner 
     that minimizes the agency reporting burden.

     ``Sec. 3610. FedRAMP Board

       ``(a) Establishment.--There is established a FedRAMP Board 
     to provide input and recommendations to the Administrator 
     regarding the requirements and guidelines for, and the 
     prioritization of, security assessments of cloud computing 
     products and services.
       ``(b) Membership.--The FedRAMP Board shall consist of not 
     more than 7 senior officials or experts from agencies 
     appointed by the Director, in consultation with the 
     Administrator, from each of the following:
       ``(1) The Department of Defense.
       ``(2) The Department of Homeland Security.
       ``(3) The General Services Administration.
       ``(4) Such other agencies as determined by the Director, in 
     consultation with the Administrator.
       ``(c) Qualifications.--Members of the FedRAMP Board 
     appointed under subsection (b) shall have technical expertise 
     in domains relevant to FedRAMP, such as--
       ``(1) cloud computing;
       ``(2) cybersecurity;
       ``(3) privacy;
       ``(4) risk management; and
       ``(5) other competencies identified by the Director to 
     support the secure authorization of cloud services and 
     products.
       ``(d) Duties.--The FedRAMP Board shall--
       ``(1) in consultation with the Administrator, serve as a 
     resource for best practices to accelerate the process for 
     obtaining a FedRAMP authorization;
       ``(2) establish and regularly update requirements and 
     guidelines for security authorizations of cloud computing 
     products and services, consistent with standards and 
     guidelines established by the Director of the National 
     Institute of Standards and Technology, to be used in the 
     determination of FedRAMP authorizations;
       ``(3) monitor and oversee, to the greatest extent 
     practicable, the processes and procedures by which agencies 
     determine and validate requirements for a FedRAMP 
     authorization, including periodic review of the agency 
     determinations described in section 3613(b);
       ``(4) ensure consistency and transparency between agencies 
     and cloud service providers in a manner that minimizes 
     confusion and engenders trust; and
       ``(5) perform such other roles and responsibilities as the 
     Director may assign, with concurrence from the Administrator.
       ``(e) Determinations of Demand for Cloud Computing Products 
     and Services.--The FedRAMP Board may consult with the Chief 
     Information Officers Council to establish a process, which 
     may be made available on the website maintained under section 
     3609(b), for prioritizing and accepting the cloud computing 
     products and services to be granted a FedRAMP authorization.

     ``Sec. 3611. Independent assessment

       ``The Administrator may determine whether FedRAMP may use 
     an independent assessment service to analyze, validate, and 
     attest to the quality and compliance of security assessment 
     materials provided by cloud service providers during the 
     course of a determination of whether to use a cloud computing 
     product or service.

     ``Sec. 3612. Declaration of foreign interests

       ``(a) In General.--An independent assessment service that 
     performs services described in section 3611 shall annually 
     submit to the Administrator information relating to any 
     foreign interest, foreign influence, or foreign control of 
     the independent assessment service.
       ``(b) Updates.--Not later than 48 hours after there is a 
     change in foreign ownership or control of an independent 
     assessment service that performs services described in 
     section 3611, the independent assessment service shall submit 
     to the Administrator an update to the information submitted 
     under subsection (a).
       ``(c) Certification.--The Administrator may require a 
     representative of an independent assessment service to 
     certify the accuracy and completeness of any information 
     submitted under this section.

     ``Sec. 3613. Roles and responsibilities of agencies

       ``(a) In General.--In implementing the requirements of 
     FedRAMP, the head of each agency shall, consistent with 
     guidance issued by the Director pursuant to section 3614--
       ``(1) promote the use of cloud computing products and 
     services that meet FedRAMP security requirements and other 
     risk-based performance requirements as determined by the 
     Director, in consultation with the Secretary;
       ``(2) confirm whether there is a FedRAMP authorization in 
     the secure mechanism provided under section 3609(a)(8) before 
     beginning the process of granting a FedRAMP authorization for 
     a cloud computing product or service;
       ``(3) to the extent practicable, for any cloud computing 
     product or service the agency seeks to authorize that has 
     received a FedRAMP authorization, use the existing 
     assessments of security controls and materials within any 
     FedRAMP authorization package for that cloud computing 
     product or service; and
       ``(4) provide to the Director data and information required 
     by the Director pursuant to section 3614 to determine how 
     agencies are meeting metrics established by the 
     Administrator.
       ``(b) Attestation.--Upon completing an assessment or 
     authorization activity with respect to a particular cloud 
     computing product or service, if an agency determines that 
     the information and data the agency has reviewed under 
     paragraph (2) or (3) of subsection (a) is wholly or 
     substantially deficient for the purposes of performing an 
     authorization of the cloud computing product

[[Page H8138]]

     or service, the head of the agency shall document as part of 
     the resulting FedRAMP authorization package the reasons for 
     this determination.
       ``(c) Submission of Authorizations to Operate Required.--
     Upon issuance of an agency authorization to operate based on 
     a FedRAMP authorization, the head of the agency shall provide 
     a copy of its authorization to operate letter and any 
     supplementary information required pursuant to section 
     3609(a) to the Administrator.
       ``(d) Submission of Policies Required.--Not later than 180 
     days after the date on which the Director issues guidance in 
     accordance with section 3614(1), the head of each agency, 
     acting through the chief information officer of the agency, 
     shall submit to the Director all agency policies relating to 
     the authorization of cloud computing products and services.
       ``(e) Presumption of Adequacy.--
       ``(1) In general.--The assessment of security controls and 
     materials within the authorization package for a FedRAMP 
     authorization shall be presumed adequate for use in an agency 
     authorization to operate cloud computing products and 
     services.
       ``(2) Information security requirements.--The presumption 
     under paragraph (1) does not modify or alter--
       ``(A) the responsibility of any agency to ensure compliance 
     with subchapter II of chapter 35 for any cloud computing 
     product or service used by the agency; or
       ``(B) the authority of the head of any agency to make a 
     determination that there is a demonstrable need for 
     additional security requirements beyond the security 
     requirements included in a FedRAMP authorization for a 
     particular control implementation.

     ``Sec. 3614. Roles and responsibilities of the Office of 
       Management and Budget

       ``The Director shall--
       ``(1) in consultation with the Administrator and the 
     Secretary, issue guidance that--
       ``(A) specifies the categories or characteristics of cloud 
     computing products and services that are within the scope of 
     FedRAMP;
       ``(B) includes requirements for agencies to obtain a 
     FedRAMP authorization when operating a cloud computing 
     product or service described in subparagraph (A) as a Federal 
     information system; and
       ``(C) encompasses, to the greatest extent practicable, all 
     necessary and appropriate cloud computing products and 
     services;
       ``(2) issue guidance describing additional responsibilities 
     of FedRAMP and the FedRAMP Board to accelerate the adoption 
     of secure cloud computing products and services by the 
     Federal Government;
       ``(3) in consultation with the Administrator, establish a 
     process to periodically review FedRAMP authorization packages 
     to support the secure authorization and reuse of secure cloud 
     products and services;
       ``(4) oversee the effectiveness of FedRAMP and the FedRAMP 
     Board, including the compliance by the FedRAMP Board with the 
     duties described in section 3610(d); and
       ``(5) to the greatest extent practicable, encourage and 
     promote consistency of the assessment, authorization, 
     adoption, and use of secure cloud computing products and 
     services within and across agencies.

     ``Sec. 3615. Reports to Congress; GAO report

       ``(a) Reports to Congress.--Not later than 1 year after the 
     date of enactment of this section, and annually thereafter, 
     the Director shall submit to the appropriate congressional 
     committees a report that includes the following:
       ``(1) During the preceding year, the status, efficiency, 
     and effectiveness of the General Services Administration 
     under section 3609 and agencies under section 3613 and in 
     supporting the speed, effectiveness, sharing, reuse, and 
     security of authorizations to operate for secure cloud 
     computing products and services.
       ``(2) Progress towards meeting the metrics required under 
     section 3609(d).
       ``(3) Data on FedRAMP authorizations.
       ``(4) The average length of time to issue FedRAMP 
     authorizations.
       ``(5) The number of FedRAMP authorizations submitted, 
     issued, and denied for the preceding year.
       ``(6) A review of progress made during the preceding year 
     in advancing automation techniques to securely automate 
     FedRAMP processes and to accelerate reporting under this 
     section.
       ``(7) The number and characteristics of authorized cloud 
     computing products and services in use at each agency 
     consistent with guidance provided by the Director under 
     section 3614.
       ``(8) A review of FedRAMP measures to ensure the security 
     of data stored or processed by cloud service providers, which 
     may include--
       ``(A) geolocation restrictions for provided products or 
     services;
       ``(B) disclosures of foreign elements of supply chains of 
     acquired products or services;
       ``(C) continued disclosures of ownership of cloud service 
     providers by foreign entities; and
       ``(D) encryption for data processed, stored, or transmitted 
     by cloud service providers.
       ``(b) GAO Report.--Not later than 180 days after the date 
     of enactment of this section, the Comptroller General of the 
     United States shall report to the appropriate congressional 
     committees an assessment of the following:
       ``(1) The costs incurred by agencies and cloud service 
     providers relating to the issuance of FedRAMP authorizations.
       ``(2) The extent to which agencies have processes in place 
     to continuously monitor the implementation of cloud computing 
     products and services operating as Federal information 
     systems.
       ``(3) How often and for which categories of products and 
     services agencies use FedRAMP authorizations.
       ``(4) The unique costs and potential burdens incurred by 
     cloud computing companies that are small business concerns 
     (as defined in section 3(a) of the Small Business Act (15 
     U.S.C. 632(a))) as a part of the FedRAMP authorization 
     process.

     ``Sec. 3616. Federal Secure Cloud Advisory Committee

       ``(a) Establishment, Purposes, and Duties.--
       ``(1) Establishment.--There is established a Federal Secure 
     Cloud Advisory Committee (referred to in this section as the 
     `Committee') to ensure effective and ongoing coordination of 
     agency adoption, use, authorization, monitoring, acquisition, 
     and security of cloud computing products and services to 
     enable agency mission and administrative priorities.
       ``(2) Purposes.--The purposes of the Committee are the 
     following:
       ``(A) To examine the operations of FedRAMP and determine 
     ways that authorization processes can continuously be 
     improved, including the following:
       ``(i) Measures to increase agency reuse of FedRAMP 
     authorizations.
       ``(ii) Proposed actions that can be adopted to reduce the 
     burden, confusion, and cost associated with FedRAMP 
     authorizations for cloud service providers.
       ``(iii) Measures to increase the number of FedRAMP 
     authorizations for cloud computing products and services 
     offered by small business concerns (as defined by section 
     3(a) of the Small Business Act (15 U.S.C. 632(a))).
       ``(iv) Proposed actions that can be adopted to reduce the 
     burden and cost of FedRAMP authorizations for agencies.
       ``(B) Collect information and feedback on agency compliance 
     with and implementation of FedRAMP requirements.
       ``(C) Serve as a forum that facilitates communication and 
     collaboration among the FedRAMP stakeholder community.
       ``(3) Duties.--The duties of the Committee include 
     providing advice and recommendations to the Administrator, 
     the FedRAMP Board, and agencies on technical, financial, 
     programmatic, and operational matters regarding secure 
     adoption of cloud computing products and services.
       ``(b) Members.--
       ``(1) Composition.--The Committee shall be comprised of not 
     more than 15 members who are qualified representatives from 
     the public and private sectors, appointed by the 
     Administrator, in consultation with the Director, as follows:
       ``(A) The Administrator or the Administrator's designee, 
     who shall be the Chair of the Committee.
       ``(B) At least 1 representative each from the Cybersecurity 
     and Infrastructure Security Agency and the National Institute 
     of Standards and Technology.
       ``(C) At least 2 officials who serve as the Chief 
     Information Security Officer within an agency, who shall be 
     required to maintain such a position throughout the duration 
     of their service on the Committee.
       ``(D) At least 1 official serving as Chief Procurement 
     Officer (or equivalent) in an agency, who shall be required 
     to maintain such a position throughout the duration of their 
     service on the Committee.
       ``(E) At least 1 individual representing an independent 
     assessment service.
       ``(F) At least 5 representatives from unique businesses 
     that primarily provide cloud computing services or products, 
     including at least 2 representatives from a small business 
     concern (as defined by section 3(a) of the Small Business Act 
     (15 U.S.C. 632(a))).
       ``(G) At least 2 other representatives of the Federal 
     Government as the Administrator determines necessary to 
     provide sufficient balance, insights, or expertise to the 
     Committee.
       ``(2) Deadline for appointment.--Each member of the 
     Committee shall be appointed not later than 90 days after the 
     date of enactment of this section.
       ``(3) Period of appointment; vacancies.--
       ``(A) In general.--Each non-Federal member of the Committee 
     shall be appointed for a term of 3 years, except that the 
     initial terms for members may be staggered 1-, 2-, or 3-year 
     terms to establish a rotation in which one-third of the 
     members are selected each year. Any such member may be 
     appointed for not more than 2 consecutive terms.
       ``(B) Vacancies.--Any vacancy in the Committee shall not 
     affect its powers, but shall be filled in the same manner in 
     which the original appointment was made. Any member appointed 
     to fill a vacancy occurring before the expiration of the term 
     for which the member's predecessor was appointed shall be 
     appointed only for the remainder of that term. A member may 
     serve after the expiration of that member's term until a 
     successor has taken office.
       ``(c) Meetings and Rules of Procedures.--
       ``(1) Meetings.--The Committee shall hold not fewer than 3 
     meetings in a calendar year, at such time and place as 
     determined by the Chair.

[[Page H8139]]

       ``(2) Initial meeting.--Not later than 120 days after the 
     date of enactment of this section, the Committee shall meet 
     and begin the operations of the Committee.
       ``(3) Rules of procedure.--The Committee may establish 
     rules for the conduct of the business of the Committee if 
     such rules are not inconsistent with this section or other 
     applicable law.
       ``(d) Employee Status.--
       ``(1) In general.--A member of the Committee (other than a 
     member who is appointed to the Committee in connection with 
     another Federal appointment) shall not be considered an 
     employee of the Federal Government by reason of any service 
     as such a member, except for the purposes of section 5703 of 
     title 5, relating to travel expenses.
       ``(2) Pay not permitted.--A member of the Committee covered 
     by paragraph (1) may not receive pay by reason of service on 
     the Committee.
       ``(e) Applicability to the Federal Advisory Committee 
     Act.--Section 14 of the Federal Advisory Committee Act (5 
     U.S.C. App.) shall not apply to the Committee.
       ``(f) Detail of Employees.--Any Federal Government employee 
     may be detailed to the Committee without reimbursement from 
     the Committee, and such detailee shall retain the rights, 
     status, and privileges of his or her regular employment 
     without interruption.
       ``(g) Postal Services.--The Committee may use the United 
     States mails in the same manner and under the same conditions 
     as agencies.
       ``(h) Reports.--
       ``(1) Interim reports.--The Committee may submit to the 
     Administrator and Congress interim reports containing such 
     findings, conclusions, and recommendations as have been 
     agreed to by the Committee.
       ``(2) Annual reports.--Not later than 540 days after the 
     date of enactment of this section, and annually thereafter, 
     the Committee shall submit to the Administrator and Congress 
     a report containing such findings, conclusions, and 
     recommendations as have been agreed to by the Committee.''.
       (b) Technical and Conforming Amendment.--The table of 
     sections for chapter 36 of title 44, United States Code, is 
     amended by adding at the end the following new items:

``3607. Definitions.
``3608. Federal Risk and Authorization Management Program.
``3609. Roles and responsibilities of the General Services 
              Administration.
``3610. FedRAMP Board.
``3611. Independent assessment.
``3612. Declaration of foreign interests.
``3613. Roles and responsibilities of agencies.
``3614. Roles and responsibilities of the Office of Management and 
              Budget.
``3615. Reports to Congress; GAO report.
``3616. Federal Secure Cloud Advisory Committee.''.
       (c) Sunset.--
       (1) In general.--Effective on the date that is 5 years 
     after the date of enactment of this Act, chapter 36 of title 
     44, United States Code, is amended by striking sections 3607 
     through 3616.
       (2) Conforming amendment.--Effective on the date that is 5 
     years after the date of enactment of this Act, the table of 
     sections for chapter 36 of title 44, United States Code, is 
     amended by striking the items relating to sections 3607 
     through 3616.
       (d) Rule of Construction.--Nothing in this section or any 
     amendment made by this section shall be construed as altering 
     or impairing the authorities of the Director of the Office of 
     Management and Budget or the Secretary of Homeland Security 
     under subchapter II of chapter 35 of title 44, United States 
     Code.

  The SPEAKER pro tempore. Pursuant to the rule, the gentlewoman from 
New York (Mrs. Carolyn B. Maloney) and the gentleman from Kentucky (Mr. 
Comer) each will control 20 minutes.
  The Chair recognizes the gentlewoman from New York.


                             General Leave

  Mrs. CAROLYN B. MALONEY of New York. Mr. Speaker, I ask unanimous 
consent that all Members may have 5 legislative days in which to revise 
and extend their remarks and include extraneous material on the measure 
before us.
  The SPEAKER pro tempore. Is there objection to the request of the 
gentlewoman from New York?
  There was no objection.
  Mrs. CAROLYN B. MALONEY of New York. Mr. Speaker, I yield myself such 
time as I may consume.
  Mr. Speaker, I thank Representative Connolly, the chairman of the 
Subcommittee on Government Operations, and Ranking Member Comer for 
working on this important bipartisan measure.
  A version of this bill passed this House earlier in this Congress. It 
has been improved after receiving technical assistance from the General 
Services Administration and through discussions with the Senate 
Committee on Homeland Security and Governmental Affairs.
  The Federal Risk and Authorization Management Program Authorization 
Act would codify and improve the existing FedRAMP program in the 
General Services Administration.
  First established in 2011, FedRAMP is an important program that 
certifies cloud service providers that wish to offer services and 
products to the Federal Government.
  The FedRAMP certification process outlined in this bill is 
comprehensive, facilitates easier agency adoption, promotes agency 
reuse, and encourages savings.
  The FedRAMP process uses a risk-based approach to ensure the 
reliability of any cloud platform that hosts unclassified government 
data.

                              {time}  1445

  One significant provision of this bill is the Federal Secure Cloud 
Advisory Committee. This committee would be tasked with key 
responsibilities, including providing technical expertise on cloud 
products and services and identifying ways to reduce costs associated 
with FedRAMP certification.
  The Director of the Office of Management and Budget would be required 
to issue regulations on FedRAMP and would ensure that agencies are not 
using cloud service providers without authorization.
  This bill supports a critical effort to keep our Nation's information 
secure in cloud environments. I urge all Members to support this bill 
and reserve the balance of my time.
  Mr. COMER. Mr. Speaker, I yield myself such time as I may consume.
  Mr. Speaker, if this bill sounds familiar to Members, there is good 
reason for that. Once again, the House of Representatives is debating a 
bipartisan bill to secure Federal agency use of modern cloud computing 
services.
  However, this time we are doing it as H.R. 8956, the Federal Secure 
Cloud Improvement and Jobs Act. Formerly named the FedRAMP 
Authorization Act, this was the first bill the House passed this 
Congress, as H.R. 21, on January 5, 2021.
  We also passed the same legislation as part of this year's House 
version of the National Defense Authorization Act.
  This is such an important issue that we are here again to send an 
improved bill back to the Senate for final passage.
  Cybersecurity and technology modernization are both vital issues to 
ensure this government runs efficiently, effectively, and safely. We 
need this legislation to address the continued onslaught of 
cyberattacks that have compromised both the private and public sectors' 
critical information systems.
  Cloud computing is an important innovation.
  It allows users to tap into extra resources to meet spikes in demand, 
like what agencies saw when trying to deliver COVID-relief assistance.
  It also allows them to access modernized applications without the 
need for them to also invest in their own data storage equipment.
  While cloud computing is the norm in the private sector, we still 
need to encourage agencies to adopt this technology when it makes 
sense. We also must ensure cloud computing services are secure. That is 
where the Federal Risk and Authorization Management Program comes in.
  FedRAMP, run by the General Services Administration, is the main 
Federal program focused on helping agencies procure secure cloud 
computing systems. It provides a consistent process to ensure agencies 
know a given cloud service meets Federal cybersecurity standards. It 
also provides clarity for vendors, so they understand the requirements 
to ensure their products are secure enough for Federal agency use.
  Shifting to the cloud is more cost effective, allows for better 
citizen services and mission-based solutions, and provides more 
responsive technology capabilities overall. These improved efficiencies 
have led to significant cost savings.
  At the end of fiscal year 2021, the GSA estimated that over the 
FedRAMP program's 10-year lifespan, it had helped agencies avoid $716 
million in individual security review costs. So while agencies are not 
required to buy FedRAMP-approved services, it makes sense to encourage 
them to do so.
  After passing the earlier version, H.R. 21, the Senate also made 
changes that improved the bill we are considering today.

[[Page H8140]]

  Such updates include striking the unnecessary authorization of $20 
million in appropriations and requiring better oversight of the 
industry costs associated with becoming FedRAMP certified. This will 
help ensure both small and large businesses can participate in the 
program.
  In addition, this version also seeks to identify and avoid 
bottlenecks that slow approval. It also takes steps to secure the 
software supply chain from threats by foreign bad actors, the likely 
source of the 2020 SolarWinds attack that targeted numerous private 
sector companies and Federal agencies.
  Codifying this successful program into law is an important step 
towards encouraging Federal agencies to take full advantage of this 
program and all the security benefits it offers.
  Mr. Speaker, I urge my colleagues to support this bill, and I reserve 
the balance of my time.
  Mrs. CAROLYN B. MALONEY of New York. Mr. Speaker, I yield 5 minutes 
to the gentleman from Virginia (Mr. Connolly), the distinguished 
chairman of the Subcommittee on Government Operations and sponsor of 
this important bill, H.R. 8956.
  Mr. CONNOLLY. Mr. Speaker, I thank the gentlewoman from New York 
(Mrs. Carolyn B. Maloney), the distinguished chairwoman of the 
committee and my friend, and I thank the gentleman from Kentucky (Mr. 
Comer), the distinguished ranking member and my friend for bringing 
this bill to the floor.
  With respect to Mr. Comer's comments, I just say, ``Hear, hear.'' He 
has succinctly explained both the process and the importance of this 
bill.
  This is the sixth time the House will have passed this bill in some 
form. The Senate has yet to ever consider it on the floor. As Mr. Comer 
indicated, the time has now come for the Senate to accept a bill that 
has been worked out with the Senate in terms of the language so that we 
can get this important piece of Federal IT into law.
  This bill would create a statutory framework for the Federal Risk and 
Authorization Management Program, known as FedRAMP, originally 
established administratively back in 2011. This bill will codify 
FedRAMP and was the very first bill, as Mr. Comer indicated, to pass 
the House in the 117th Congress. It passed, I believe, unanimously.
  If once again passed, this will be, as I said, I believe, the sixth 
time we have considered it here in the House of Representatives.
  FedRAMP is a standardized approach that brings our government in line 
with our increasingly digital world to continually certify and assess 
the security of cloud computing technologies used across the Federal 
Government.
  FedRAMP seeks to reduce the redundancies of Federal cloud migration 
by creating a ``certify once, reuse many times'' model for cloud 
products and services that provide cost-effective, risk-based 
approaches to cloud adoption. FedRAMP saw a 50 percent increase in 
agencies reusing authorized cloud products in 2020.
  This bill codifies FedRAMP and addresses many of the concerns raised 
by government and industry stakeholders in terms of both the time and 
cost associated with certification. The text reduces duplication of 
security assessments and other obstacles to agency adoption of cloud 
products by establishing a presumption of adequacy for cloud 
technologies that have already received FedRAMP certification, so 
companies aren't reinventing the wheel and spending millions of dollars 
they don't need to.
  I support a strong cybersecurity framework that ensures whatever tool 
we use to support the infrastructure of our Federal critical systems is 
safe and secure, as again referenced by Mr. Comer. However, those who 
have already diligently passed scrupulous security assessments 
shouldn't have to start from scratch, and this bill addresses that.
  For more than 5 years, I have worked with administrations, both 
Democratic and Republican, Members on the other side of the aisle, 
industry stakeholders, and my friends in the U.S. Senate to ensure the 
legislative text makes needed improvements to the FedRAMP program and 
gives the program flexibility to grow and adapt to myriad future 
changes.
  Since the coronavirus pandemic, the demand for cloud services has 
risen by 85 percent. Accordingly, FedRAMP use skyrocketed and enabled 
the government to continue working securely during the government's 
large-scale movement to telework.
  In the first 4 years of FedRAMP, the program had only authorized 20 
cloud service offerings, but by 2021 it had authorized 240. Today, 
there are over 280 cloud service providers to the U.S. Government 
participating in FedRAMP, and about 30 percent of FedRAMP authorized 
CSPs are small businesses. Over 180 agencies participate in FedRAMP and 
have initiated more than 3,000 agency reuses of authorized products.
  Today, the Agency Liaison Program, which provides FedRAMP 
authorization, education, and training, currently has 155 liaisons, with 
82 different Federal Government departments participating.
  Ultimately, this program strives to have at least one representative 
from each Federal agency tied to the security authorization who can 
communicate to key stakeholders about their agency's internal processes 
as well as FedRAMP requirements.
  The bill supports a critical need to support multistakeholder 
communication and keep our Nation's information secure in cloud 
environments.
  Enabling the efficient and secure procurement of cloud computing 
technology is an important part of Federal IT modernization. Codifying 
FedRAMP into law is very important because right now it exists as an 
orphan only by an executive action.
  I thank the gentleman from Kentucky (Mr. Comer), the ranking member 
of the Oversight and Reform Committee, for being a steadfast partner, 
and I thank our chairwoman for her leadership.
  Mr. COMER. Mr. Speaker, I yield myself the balance of my time to 
close.
  Mr. Speaker, protecting our public's valuable information is 
something we can all agree on. I hope we can continue to do our job and 
work together on improving the Federal Government cybersecurity and 
adoption of modern technology.
  Mr. Speaker, I encourage my colleagues to support this bill, and I 
yield back the balance of my time.
  Mrs. CAROLYN B. MALONEY of New York. Mr. Speaker, I yield myself the 
balance of my time to close.
  Mr. Speaker, I urge passage of H.R. 8956 and yield back the balance 
of my time.
  The SPEAKER pro tempore. The question is on the motion offered by the 
gentlewoman from New York (Mrs. Carolyn B. Maloney) that the House 
suspend the rules and pass the bill, H.R. 8956.
  The question was taken.
  The SPEAKER pro tempore. In the opinion of the Chair, two-thirds 
being in the affirmative, the ayes have it.
  Mr. HICE of Georgia. Mr. Speaker, on that I demand the yeas and nays.
  The yeas and nays were ordered.
  The SPEAKER pro tempore. Pursuant to clause 8 of rule XX, further 
proceedings on this motion will be postponed.

                          ____________________