[Senate Report 117-115]
[From the U.S. Government Publishing Office]


                                                      Calendar No. 383
117th Congress      }                              {            Report
                                 SENATE
 2d Session         }                              {           117-115
_______________________________________________________________________

 
         FEDERAL SECURE CLOUD IMPROVEMENT AND JOBS ACT OF 2021

                               __________

                              R E P O R T

                                 of the

                   COMMITTEE ON HOMELAND SECURITY AND

                          GOVERNMENTAL AFFAIRS

                          UNITED STATES SENATE

                              to accompany

                                S. 3099

               TO AMEND TITLE 44, UNITED STATES CODE, TO
              ESTABLISH THE FEDERAL RISK AND AUTHORIZATION
             MANAGEMENT PROGRAM WITHIN THE GENERAL SERVICES
                 ADMINISTRATION, AND FOR OTHER PURPOSES

		[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


                  May 24, 2022.--Ordered to be printed
                  
			        ________


		     U.S. GOVERNMENT PUBLISHING OFFICE

29-010 			    WASHINGTON : 2022                  
                  
                  
                  
        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                   GARY C. PETERS, Michigan, Chairman
THOMAS R. CARPER, Delaware           ROB PORTMAN, Ohio
MAGGIE HASSAN, New Hampshire         RON JOHNSON, Wisconsin
KYRSTEN SINEMA, Arizona              RAND PAUL, Kentucky
JACKY ROSEN, Nevada                  JAMES LANKFORD, Oklahoma
ALEX PADILLA, California             MITT ROMNEY, Utah
JON OSSOFF, Georgia                  RICK SCOTT, Florida
                                     JOSH HAWLEY, Missouri

                   David M. Weinberg, Staff Director
                    Zachary I. Schram, Chief Counsel
            Lena C. Chang, Director of Governmental Affairs
         Matthew T. Cornelius, Senior Professional Staff Member
                Pamela Thiessen, Minority Staff Director
            Sam J. Mulopulos, Minority Deputy Staff Director
Amanda H. Neely, Minority Director of Governmental Affairs and General 
                                Counsel
                     Laura W. Kilbride, Chief Clerk





                                                     Calendar No. 383
117th Congress      }                              {           Report
                                 SENATE
 2d Session         }                              {          117-115

======================================================================


               FEDERAL SECURE CLOUD IMPROVEMENT AND JOBS 
                              ACT OF 2021

                                _______
                                

                  May 24, 2022.--Ordered to be printed

                                _______
                                

 Mr. Peters, from the Committee on Homeland Security and Governmental 
                    Affairs, submitted the following

                              R E P O R T

                         [To accompany S. 3099]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Homeland Security and Governmental 
Affairs, to which was referred the bill (S. 3099) to amend 
title 44, United States Code, to establish the Federal Risk and 
Authorization Management Program within the General Services 
Administration, and for other purposes, having considered the 
same, reports favorably thereon with an amendment (in the 
nature of a substitute) and recommends that the bill, as 
amended, do pass.

                                CONTENTS

                                                                   Page
  I. Purpose and Summary..............................................1
 II. Background and Need for the Legislation..........................2
III. Legislative History..............................................3
 IV. Section-by-Section Analysis of the Bill, as Reported.............3
  V. Evaluation of Regulatory Impact..................................6
 VI. Congressional Budget Office Cost Estimate........................7
VII. Changes in Existing Law Made by the Bill, as Reported............8

                         I. Purpose and Summary

    S. 3099, the Federal Secure Cloud Improvement and Jobs Act 
of 2021, provides a statutory framework for the Federal Risk 
and Authorization Management Program (FedRAMP) to make the 
program more accountable and transparent and help ensure that 
agencies' processes of moving safely to the cloud are 
streamlined and efficient. As cloud computing technology 
continues its growth in our society and economy, it is 
important that federal agencies quickly, securely, and 
effectively adopt these capabilities to improve digital service 
delivery and protect against malicious foreign threats.
    S. 3099 would codify and reform the FedRAMP program at the 
General Services Administration (GSA) to ensure continuous 
growth in the number of cloud service providers (CSP) securely 
authorized in government, empower greater reuse of CSPs across 
agencies, and strengthen transparency measures to promote 
engagement and consensus recommendations from leaders in both 
industry and government that will accelerate cloud adoption. 
This bill would also ensure that CSPs and independent 
assessment services are protected from foreign threats by 
requiring additional steps to mitigate any malicious activity 
and increase reporting transparency to the government. S. 3099 
also creates new requirements for agencies to affirmatively 
leverage high-quality security authorization packages rather 
than forcing CSPs to perform duplicative and costly work that 
slows agency efforts to modernize their information technology 
(IT).
    Finally, S. 3099 provides for stronger oversight 
authorities of agency cloud computing processes and protocols 
by the Office of Management and Budget (OMB) and creates a 
Federal Secure Cloud Advisory Committee, comprising IT and 
cybersecurity leaders from both industry and the public sector, 
to provide recommendations to the GSA Administrator for 
improving the FedRAMP program and the government's adoption of 
cloud capabilities.

              II. Background and Need for the Legislation

    FedRAMP is a government-wide program at GSA, established 
pursuant to a memorandum issued to all agencies by OMB in 
2011.\1\ FedRAMP provides a standardized approach to security 
assessment, authorization, and continuous monitoring for cloud 
products and services. FedRAMP's goals are to:
---------------------------------------------------------------------------
    \1\Federal Risk and Authorization Management Program (FedRAMP), 
Home Page (www.fedramp.gov) (accessed January 3, 2022) (hereinafter 
``FedRAMP Website''); Office of Management and Budget, Memorandum from 
Steven Van Roekel to Chief Information Officers, Security Authorization 
for Information Systems in Cloud Computing Environments (Dec. 8, 2011).
---------------------------------------------------------------------------
           Accelerate the adoption of secure cloud 
        solutions through reuse of assessments and 
        authorizations;
           Achieve consistent security authorizations 
        using a baseline set of agreed-upon standards for cloud 
        product approval; and
           Ensure consistent application of existing 
        security practices.
    As of today, there are 260 authorized CSPs, 67 CSPs in the 
process of receiving authorizations, and an additional 32 CSPs 
deemed ready by independent third party assessment 
organizations (3PAO).\2\ Of the 240 CSPs already authorized, 
agencies have reused them over 2,700 times. Reuse of authorized 
CSPs has the potential to reduce time, cost, and burden to both 
agencies and industry partners.
---------------------------------------------------------------------------
    \2\FedRAMP Website at Home Page.
---------------------------------------------------------------------------
    While GSA has made substantial improvements in the 
operations, management, and execution of the FedRAMP program, 
creating a strong legislative foundation that addresses both 
the current challenges and future opportunities for secure 
cloud adoption in the federal government is vital to our 
national security interests and to our government's ability to 
more effectively deliver critical programs. To date, GSA has 
managed the FedRAMP program as one of many government-wide 
programs and services funded by the Federal Citizen Services 
Fund.\3\ S. 3099 addresses key challenges surrounding secure 
cloud adoption in government by reducing costs, improving the 
speed of cloud adoption, promoting greater competition, 
enhancing the ability of the government to mitigate malicious 
threats of foreign control or influence of CSPs or independent 
assessment services, and bringing needed transparency to the 
cloud authorization, adoption, and reuse policies and processes 
for federal agencies. With the increase in both oversight and 
operational authorities for the FedRAMP program proposed in S. 
3099, it is important that the program receive sufficient 
funding in the coming years to sufficiently address these new 
requirements.
---------------------------------------------------------------------------
    \3\General Services Administration Fiscal Year 2022 Budget 
Justification (https://www.gsa.gov/cdnstatic/
20_FY_2022_CJ_Full_GSA_Narrative_v2_optimized.pdf) (accessed May 2, 
2022).
---------------------------------------------------------------------------

                        III. Legislative History

    Chairman Gary Peters (D-MI) introduced S. 3099 on October 
28, 2021, with Senators Hawley (R-MO), Hassan (D-NH), and 
Daines (R-MT) as cosponsors. The bill was referred to the 
Senate Committee on Homeland Security and Governmental Affairs.
    The Committee considered S. 3099 at a business meeting on 
December 15, 2021. During the business meeting, Chairman 
Peters, along with Senators Hawley, Hassan, and Portman (R-OH) 
offered a modified substitute amendment to S. 3099, which was 
adopted by unanimous consent. The modified substitute amendment 
removed a section that authorized appropriations for GSA to 
administer the FedRAMP program. Senator Ossoff (D-GA) offered 
an amendment, as modified, to the substitute, as modified, 
which was adopted by voice vote. The Ossoff amendment extended 
some of the regular reporting requirements for the FedRAMP 
program to include issues such as supply chain security and 
foreign threats around cloud service providers. S. 3099 was 
ordered reported favorably by voice vote as amended by the 
Peters-Hawley-Hassan-Portman substitute amendment as modified 
and the Ossoff amendment as modified. Senators present for the 
vote were: Peters, Carper, Hassan, Sinema, Rosen, Ossoff, 
Portman, Lankford, Romney, Scott, and Hawley.

        IV. Section-by-Section Analysis of the Bill, as Reported


Section 1. Short title

    This section designates the name of the bill as the 
``Federal Secure Cloud Improvement and Jobs Act of 2021.''

Section 2. Findings

    This section identifies congressional findings that the 
secure adoption of cloud technologies by federal agencies 
expedites the modernization of legacy information technologies, 
improves cybersecurity, and supports United States leadership 
in technology innovation. The section also finds that improving 
the adoption of cloud technologies has been a priority for 
multiple Administrations and Congresses and that the continued 
expansion of new and emerging cloud technologies supports the 
American economy and creates American jobs. Finally, the 
section finds that the Federal Risk Authorization and 
Management Program (FedRAMP) has been effective in supporting 
the secure adoption of cloud technologies by Federal agencies, 
but that legislative reforms are needed to improve management 
of the program and to ensure that agencies can more quickly, 
securely, and effectively leverage cloud technologies while 
reducing costs for both industry and taxpayers.

Section 3. Title 44 amendments

    Subsection (a) amends Chapter 36 of Title 44 and creates 
the following new sections:
    Section 3607 defines ``Administrator,'' ``appropriate 
congressional committees,'' ``authorization to operate/federal 
information,'' ``cloud computing,'' ``cloud service provider,'' 
``FedRAMP,'' ``FedRAMP authorization,'' ``FedRAMP authorization 
package,'' ``FedRAMP board,'' ``independent assessment 
service,'' and ``Secretary.''
    This section also stipulates that the definitions in 
Chapters 3502 and 3552 of Title 44 apply to the newly created 
Sections 3607 through 3616 of that title.
    Section 3608 establishes the Federal Authorization Risk and 
Management Program (FedRAMP) in the General Services 
Administration (GSA).
    Section 3609 provides the roles and responsibilities of the 
GSA Administrator. The section requires that the Administrator 
establish criteria, in coordination with the Director of the 
Office of Management and Budget (OMB) to define the types of 
cloud service providers (CSPs) that are eligible for FedRAMP 
certification and to coordinate with the Secretary to implement 
a process for agencies to review, certify, and assess the 
security of authorization package for CSPs.
    The section provides additional authorities to the 
Administrator, including to: support the management of the 
Federal Secure Cloud Advisory Committee (created in Section 
3616 of the legislation); grant authorization for CSPs 
consistent with oversight by the FedRAMP Board; provide for a 
public comment process for all guidance issued by GSA for the 
FedRAMP program; provide a secure repository to collect all CSP 
security packages authorized by GSA or federal agencies; 
coordinate with the Director of the Cybersecurity and 
Infrastructure Security Agency (CISA) to ensure appropriate 
continuous monitoring for all authorized CSPs; and regularly 
review costs associated with the use of independent assessment 
services (created in Section 3611 of the legislation) and 
information related for foreign interests (created in Section 
3612).
    Lastly, the section requires the Administrator to maintain 
a centralized website for all FedRAMP information, guidance, 
determinations, and other materials relevant to Section 3609 
and to establish metrics and measures for the automation of CSP 
authorizations, including reporting annually to Congress on the 
effectives of such metrics and measures.
    Section 3610 establishes the FedRAMP Board, made up of 7 
subject matter experts from across the Federal government, to 
help oversee the processes and procedures by which agencies 
authorize CSPs and provide recommendations for improving the 
outcomes of the FedRAMP Program. This section also defines the 
qualifications for serving on the Board and establishes their 
duties, including regularly establishing and updating 
requirements and guidelines for security authorizations of CSPs 
and monitoring and overseeing processes and procedures by which 
agencies determine and validate requirements for a FedRAMP 
authorization. Finally, this section requires the Board to 
consult with the Federal Chief Information Officers Council to 
prioritize and accept CSPs for a FedRAMP authorization.
    Section 3611 allows the Administrator to use independent 
assessment services to analyze, validate, and attest to the 
quality and compliance of CSP security materials during the 
course of an authorization.
    Section 3612 requires that any independent assessment 
service used by the Administrator annually submit information 
to the Administrator regarding foreign ownership, influence, or 
control. This section also requires that any independent 
assessment service in use by the Administrator shall report any 
changes relating to foreign ownership, influence, or control to 
the Administrator not later than 48 hours after any such change 
has occurred and that the Administrator then certify any 
information provided by the independent assessment service.
    Section 3613 establishes requirements for all agencies that 
authorize CSPs, pursuant to guidance issued by the OMB 
Director. In particular, this section requires agencies to 
first determine whether a security package already exists for 
any CSP which the agency seeks to authorize and, if so, use the 
already existing security package information and materials, to 
the greatest extent practicable, to authorize the CSP for use 
in that agency. This section requires all agencies who review 
the security package materials for any currently authorized 
CSPs to attest to the Director if the security package, or any 
materials or information therein, are wholly or substantially 
deficient for their purposes. This section requires all 
agencies that authorize CSPs to provide their particular 
security package information to the Administrator and, within 
180 days of enactment, provide the Director all agency policies 
relating to the authorization of CSPs.
    Lastly, this section creates a ``presumption of adequacy'' 
which says that all assessment of security controls and 
materials in any FedRAMP authorization shall be presumed 
adequate for use at any agency. The section also provides that 
the presumption of adequacy does not modify or alter agency 
responsibilities of the requirements of Subchapter II of 
Chapter 35, nor does it preclude an agency from requiring 
additional security requirements for any FedRAMP authorization.
    Section 3614 creates authorities for the OMB Director, 
including the requirement that the Director consult with the 
Administrator and the Secretary when issuing guidance on 
specific categories and characteristics of CSPs that are within 
the scope of FedRAMP and requirements for agencies to obtain a 
FedRAMP authorization for all CSPs that are defined as federal 
information systems. This section also requires the Director to 
issue guidance describing additional authorities of the 
Administrator and FedRAMP Board to accelerate the secure 
adoption of CSPs in government, establish a process to 
regularly review all CSP authorizations in coordination with 
the Administrator, and to the greatest extent practicable, 
promote consistency of the assessment, authorization, adoption, 
and use of secure cloud computing products and services within 
and across agencies.
    Section 3615 establishes annual reporting requirements by 
the Administration to Congress and requires a report by the 
Government Accountability Office (GAO).
    Section 3616 creates the Federal Secure Cloud Advisory 
Committee (Committee) to ensure effective and ongoing 
coordination of agency adoption, use, authorization, 
monitoring, acquisition, and security of CSPs to enable agency 
mission and administrative priorities. The section establishes 
purposes for the Committee including examining how GSA and 
agencies can continuously improve their assessment and 
authorizations of CSPs, collect information and feedback on 
agency compliance with and implementation of FedRAMP 
requirements, and to serve as a forum to ensure collaboration 
and communication among the various FedRAMP stakeholders.
    The section authorizes the Committee to be no more than 15 
members comprising: the Administrator (who serves as Chair); at 
least 1 representative each from CISA and the National 
Institute of Standards and Technology; at least 2 officials who 
serve as Chief Information Security Officers (or equivalent) at 
an agency; at least 1 official who serves as Chief Procurement 
Officer (or equivalent) at an agency; at least 1 representative 
from an independent assessment service; and at least 5 
representatives from industry stakeholders including at least 2 
representatives designated as small businesses. The section 
defines requirements for Committee meetings and rules of 
procedures, employment status of representatives, the use of 
postal services by or the detail of federal employees to the 
Committee, and requirements for interim and annual reports. 
Lastly, this section requires the Committee be subject to the 
Federal Advisory Commission Act (5. U.S.C. App) except for 
Section 14 thereof.
    Subsection (b) provides a technical and conforming 
amendment that establishes titles for the new sections created 
in Chapter 36 of Title 44.
    Subsection (c) provides for a five year sunset to the Act 
and all amendments made pursuant to its passage.
    Subsection (d) provides a rule of construction to stipulate 
that none of the amendments in this Act otherwise alter of 
impair the authorities of the OMB or the Secretary of the 
Department of Homeland Security provided under Subchapter II of 
Chapter 35 of Title 44.

                   V. Evaluation of Regulatory Impact

    Pursuant to the requirements of paragraph 11(b) of rule 
XXVI of the Standing Rules of the Senate, the Committee has 
considered the regulatory impact of this bill and determined 
that the bill will have no regulatory impact within the meaning 
of the rules. The Committee agrees with the Congressional 
Budget Office's statement that the bill contains no 
intergovernmental or private-sector mandates as defined in the 
Unfunded Mandates Reform Act (UMRA) and would impose no costs 
on state, local, or tribal governments.

             VI. Congressional Budget Office Cost Estimate

                                     U.S. Congress,
                               Congressional Budget Office,
                                    Washington, DC, March 24, 2022.
Hon. Gary Peters,
Chairman, Committee on Homeland Security and Governmental Affairs, U.S. 
        Senate, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for S. 3099, the Federal 
Secure Cloud Improvement and Jobs Act of 2021.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is Matthew 
Pickford.
            Sincerely,
                                         Phillip L. Swagel,
                                                          Director.

    Enclosure.

    	[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    

    S. 3099 would codify and expand the responsibilities of the 
Federal Risk and Authorization Management Program (FedRAMP) 
within the General Services Administration (GSA). The bill 
would establish a standardized approach to acquiring and using 
security assessment and cloud-computing products and services. 
The bill also would establish the Federal Secure Cloud Advisory 
Committee to examine how the assessment and selection processes 
could be improved.
    FedRAMP is currently part of GSA's Federal Citizens 
Services Fund which provides funds to federal agencies to build 
capacity for conducting activities electronically. The fund 
received $55 million in 2021. Using information from GSA 
regarding the FedRAMP program as well as the cost of other 
advisory committees, CBO estimates that implementing S. 3099 
would cost about $50 million over the 2022-2026 period, 
assuming appropriation of the estimated amounts. CBO estimates 
that most of that cost would be to automate security 
assessments and to adopt new oversight procedures required 
under the bill. There would be small costs each year to 
establish and operate the advisory committee.
    The costs of the legislation (detailed in Table 1) fall 
within budget function 800 (general government). CBO expects 
that the bill will be enacted late in fiscal year 2022 and thus 
any costs in that year would be insignificant.

                TABLE 1.--ESTIMATED INCREASES IN SPENDING SUBJECT TO APPROPRIATION UNDER S. 3099
----------------------------------------------------------------------------------------------------------------
                                                                   By fiscal year, millions of dollars--
                                                         -------------------------------------------------------
                                                            2022     2023     2024     2025     2026   2022-2026
----------------------------------------------------------------------------------------------------------------
Estimated Authorization.................................        *       11       13       14       15        53
Estimated Outlays.......................................        *        8       13       14       15        50
----------------------------------------------------------------------------------------------------------------
* = between zero and $500,000.

    The CBO staff contacts for this estimate are Matthew 
Pickford and Aldo Prosperi. The estimate was reviewed by H. 
Samuel Papenfuss, Deputy Director of Budget Analysis.

       VII. Changes in Existing Law Made by the Bill, as Reported

    In compliance with paragraph 12 of rule XXVI of the 
Standing Rules of the Senate, changes in existing law made by 
the bill, as reported, are shown as follows: (existing law 
proposed to be omitted is enclosed in brackets, new matter is 
printed in italic, and existing law in which no change is 
proposed is shown in roman):

UNITED STATES CODE

           *       *       *       *       *       *       *


TITLE 44--PUBLIC PRINTING AND DOCUMENTS

           *       *       *       *       *       *       *


CHAPTER 36--MANAGEMENT AND PROMOTION OF ELECTRONIC GOVERNMENT SERVICES

           *       *       *       *       *       *       *



SEC. 3607. DEFINITIONS

    (a) In General.--Except as provided under subsection (b), 
the definitions under sections 3502 and 3552 apply to this 
section through section 3616.
    (b) Additional Definitions.--In this section through 
section 3616:
          (1) Cloud computing.--The term `cloud computing' has 
        the meaning given the term in Special Publication 800-
        145 of the National Institute of Standards and 
        Technology.
          (2) Cloud service provider.--The term `cloud service 
        provider' means an entity offering cloud computing 
        products or services to agencies.
          (3) FedRAMP.--The term `FedRAMP' means the Federal 
        Risk and Authorization Management Program established 
        under section 3608.
          (4) FedRAMP authorization.--The term `FedRAMP 
        authorization' means a certification that a cloud 
        computing product or service has--
                  (A) completed a FedRAMP authorization 
                process, as determined by the Administrator of 
                General Services; or
                  (B) received a FedRAMP provisional 
                authorization to operate, as determined by the 
                FedRAMP Board.
          (5) FedRAMP authorization package.--The term `FedRAMP 
        authorization package' means the essential information 
        that can be used by an agency to determine whether to 
        authorize the operation of an information system or the 
        use of a designated set of common controls for all 
        cloud computing products and services authorized by 
        FedRAMP.
          (6) FedRAMP board.--The term `FedRAMP Board' means 
        the board established under section 3610.
          (7) Independent assessment organization.--The term 
        `independent assessment organization' means a third-
        party organization accredited by the Administrator of 
        General Services to undertake conformity assessments of 
        cloud service providers and their products or services.
          (8) Secretary.--The term `Secretary' means the 
        Secretary of Homeland Security.

SEC. 3608. FEDERAL RISK AND AUTHORIZATION MANAGEMENT PROGRAM

    There is established within the General Services 
Administration the Federal Risk and Authorization Management 
Program. The Administrator, subject to section 3614, shall 
establish a Government-wide program that provides a 
standardized, reusable approach to security assessment and 
authorization for cloud computing products and services that 
process unclassified information used by agencies.

SEC. 3609. ROLES AND RESPONSIBILITIES OF THE GENERAL SERVICES 
                    ADMINISTRATION

    (a) Roles and Responsibilities.--The Administrator shall--
          (1) in consultation with the Secretary, develop, 
        coordinate, and implement a process to support agency 
        review, reuse, and standardization, where appropriate, 
        of security assessments of cloud computing products and 
        services, including, as appropriate, oversight of 
        continuous monitoring of cloud computing products and 
        services, pursuant to guidance issued by the Director 
        pursuant to section 3614;
          (2) establish processes and identify criteria 
        consistent with guidance issued by the Director under 
        section 3614 to make a cloud computing product or 
        service eligible for a FedRAMP authorization and 
        validate whether a cloud computing product or service 
        has a FedRAMP authorization;
          (3) develop and publish templates, best practices, 
        technical assistance, and other materials to support 
        the authorization of cloud computing products and 
        services and increase the speed, effectiveness, and 
        transparency of the authorization process, consistent 
        with standards and guidelines established by the 
        Director of the National Institute of Standards and 
        Technology and relevant statutes;
          (4) establish and update guidance on the boundaries 
        of FedRAMP authorization packages to enhance the 
        security and protection of Federal information and 
        promote transparency for agencies and users as to which 
        services are included in the scope of a FedRAMP 
        authorization;
          (5) grant FedRAMP authorizations to cloud computing 
        products and services consistent with the guidance and 
        direction of the FedRAMP Board;
          (6) establish and maintain a public comment process 
        for proposed guidance and other FedRAMP directives that 
        may have a direct impact on cloud service providers and 
        agencies before the issuance of such guidance or other 
        FedRAMP directives;
          (7) coordinate with the FedRAMP Board, the Director 
        of the Cybersecurity and Infrastructure Security 
        Agency, and other entities identified by the 
        Administrator, with the concurrence of the Director and 
        the Secretary, to establish and regularly update a 
        framework for continuous monitoring under section 3553;
          (8) provide a secure mechanism for storing and 
        sharing necessary data, including FedRAMP authorization 
        packages, to enable better reuse of such packages 
        across agencies, including making available any 
        information and data necessary for agencies to fulfill 
        the requirements of section 3613;
          (9) provide regular updates to applicant cloud 
        service providers on the status of any cloud computing 
        product or service during an assessment process;
          (10) regularly review, in consultation with the 
        FedRAMP Board--
                  (A) the costs associated with the independent 
                assessment services described in section 3611; 
                and
                  (B) the information relating to foreign 
                interests submitted pursuant to section 3612;
          (11) in coordination with the Director of the 
        National Institute of Standards and Technology, the 
        Director, the Secretary, and other stakeholders, as 
        appropriate, determine the sufficiency of underlying 
        standards and requirements to identify and assess the 
        provenance of the software in cloud services and 
        products;
          (12) support the Federal Secure Cloud Advisory 
        Committee established pursuant to section 3616; and
          (13) take such other actions as the Administrator may 
        determine necessary to carry out FedRAMP.
    (b) Website.--
          (1) In general.--The Administrator shall maintain a 
        public website to serve as the authoritative repository 
        for FedRAMP, including the timely publication and 
        updates for all relevant information, guidance, 
        determinations, and other materials required under 
        subsection (a).
          (2) Criteria and process for FedRAMP authorization 
        priorities.--The Administrator shall develop and make 
        publicly available on the website described in 
        paragraph (1) the criteria and process for prioritizing 
        and selecting cloud computing products and services 
        that will receive a FedRAMP authorization, in 
        consultation with the FedRAMP Board and the Chief 
        Information Officers Council.
    (c) Evaluation of Automation Procedures.--
          (1) In general.--The Administrator, in coordination 
        with the Secretary, shall assess and evaluate available 
        automation capabilities and procedures to improve the 
        efficiency and effectiveness of the issuance of FedRAMP 
        authorizations, including continuous monitoring of 
        cloud computing products and services.
          (2) Means for automation.--Not later than 1 year 
        after the date of enactment of this section, and 
        updated regularly thereafter, the Administrator shall 
        establish a means for the automation of security 
        assessments and reviews.
    (d) Metrics for Authorization.--The Administrator shall 
establish annual metrics regarding the time and quality of the 
assessments necessary for completion of a FedRAMP 
authorizationprocess in a manner that can be consistently tracked over 
time in conjunction with the periodic testing and evaluation process 
pursuant to section 3554 in a manner that minimizes the agency 
reporting burden.

SEC. 3610. FEDRAMP BOARD

    (a) Establishment.--There is established a FedRAMP Board to 
provide input and recommendations to the Administrator 
regarding the requirements and guidelines for, and the 
prioritization of, security assessments of cloud computing 
products and services.
    (b) Membership.--The FedRAMP Board shall consist of not 
more than 7 senior officials or experts from agencies appointed 
by the Director, in consultation with the Administrator, from 
each of the following:
          (1) The Department of Defense.
          (2) The Department of Homeland Security.
          (3) The General Services Administration.
          (4) Such other agencies as determined by the 
        Director, in consultation with the Administrator.
    (c) Qualifications.--Members of the FedRAMP Board appointed 
under subsection (b) shall have technical expertise in domains 
relevant to FedRAMP, such as--
          (1) cloud computing;
          (2) cybersecurity;
          (3) privacy;
          (4) risk management; and
          (5) other competencies identified by the Director to 
        support the secure authorization of cloud services and 
        products.
    (d) Duties.--The FedRAMP Board shall--
          (1) in consultation with the Administrator, serve as 
        a resource for best practices to accelerate the process 
        for obtaining a FedRAMP authorization;
          (2) establish and regularly update requirements and 
        guidelines for security authorizations of cloud 
        computing products and services, consistent with 
        standards and guidelines established by the Director of 
        the National Institute of Standards and Technology, to 
        be used in the determination of FedRAMP authorizations;
          (3) monitor and oversee, to the greatest extent 
        practicable, the processes and procedures by which 
        agencies determine and validate requirements for a 
        FedRAMP authorization, including periodic review of the 
        agency determinations described in section 3613(b);
          (4) ensure consistency and transparency between 
        agencies and cloud service providers in a manner that 
        minimizes confusion and engenders trust; and
          (5) perform such other roles and responsibilities as 
        the Director may assign, with concurrence from the 
        Administrator.
    (e) Determinations of Demand for Cloud Computing Products 
and Services.--The FedRAMP Board may consult with the Chief 
Information Officers Council to establish a process, which may 
be made available on the website maintained under section 
3609(b), for prioritizing and accepting the cloud computing 
products and services to be granted a FedRAMP authorization.

SEC. 3611. INDEPENDENCE ASSESSMENT

    The Administrator may determine whether FedRAMP may use an 
independent assessment service to analyze, validate, and attest 
to the quality and compliance of security assessment materials 
provided by cloud service providers during the course of a 
determination of whether to use a cloud computing product or 
service.

SEC. 3612. DECLARATION OF FOREIGN INTERESTS

    (a) In General.--An independent assessment service that 
performs services described in section 3611 shall annually 
submit to the Administrator information relating to any foreign 
interest, foreign influence, or foreign control of the 
independent assessment service.
    (b) Updates.--Not later than 48 hours after there is a 
change in foreign ownership or control of an independent 
assessment service that performs services described in section 
3611, the independent assessment service shall submit to the 
Administrator an update to the information submitted under 
subsection (a).
    (c) Certification.--The Administrator may require a 
representative of an independent assessment service to certify 
the accuracy and completeness of any information submitted 
under this section.

SEC. 3613. ROLES AND RESPONSIBILITES OF AGENCIES.

    (a) In General.--In implementing the requirements of 
FedRAMP, the head of each agency shall, consistent with 
guidance issued by the Director pursuant to section 3614--
          (1) promote the use of cloud computing products and 
        services that meet FedRAMP security requirements and 
        other risk-based performance requirements as determined 
        by the Director, in consultation with the Secretary;
          (2) confirm whether there is a FedRAMP authorization 
        in the secure mechanism provided under section 
        3609(a)(8) before beginning the process of granting a 
        FedRAMP authorization for a cloud computing product or 
        service;
          (3) to the extent practicable, for any cloud 
        computing product or service the agency seeks to 
        authorize that has received a FedRAMP authorization, 
        use the existing assessments of security controls and 
        materials within any FedRAMP authorization package for 
        that cloud computing product or service; and
          (4) provide to the Director data and information 
        required by the Director pursuant to section 3614 to 
        determine how agencies are meeting metrics established 
        by the Administrator.
    (b) Attestation.--Upon completing an assessment or 
authorization activity with respect to a particular cloud 
computing product or service, if an agency determines that the 
information and data the agency has reviewed under paragraph 
(2) or (3) of subsection (a) is wholly or substantially 
deficient for the purposes of performing an authorization of 
the cloud computing product or service, the head of the agency 
shall document as part of the resulting FedRAMP authorization 
package the reasons for this determination.
    (c) Submission of Authorizations To Operate Required.--Upon 
issuance of an agency authorization to operate based on a 
FedRAMP authorization, the head of the agency shall provide a 
copy of its authorization to operate letter and any 
supplementary information required pursuant to section 3609(a) 
to the Administrator.
    (d) Submission of Policies Required.--Not later than 180 
days after the date on which the Director issues guidance in 
accordance with section 3614(1), the head of each agency, 
acting through the chief information officer of the agency, 
shall submit to the Director all agency policies relating to 
the authorization of cloud computing products and services.
    (e) Presumption of Adequacy.--
          (1) In general.--The assessment of security controls 
        and materials within the authorization package for a 
        FedRAMP authorization shall be presumed adequate for 
        use in an agency authorization to operate cloud 
        computing products and services.
          (2) Information security requirements.--The 
        presumption under paragraph (1) does not modify or 
        alter--
                  (A) the responsibility of any agency to 
                ensure compliance with subchapter II of chapter 
                35 for any cloud computing product or service 
                used by the agency; or
                  (B) the authority of the head of any agency 
                to make a determination that there is a 
                demonstrable need for additional security 
                requirements beyond the security requirements 
                included in a FedRAMP authorization for a 
                particular control implementation.

SEC. 3614. ROLES AND RESPONSIBILITIES OF THE OFFICE OF MANAGEMENT AND 
                    BUDGET

    The Director shall--
          (1) in consultation with the Administrator and the 
        Secretary, issue guidance that--
                  (A) specifies the categories or 
                characteristics of cloud computing products and 
                services that are within the scope of FedRAMP;
                  (B) includes requirements for agencies to 
                obtain a FedRAMP authorization when operating a 
                cloud computing product or service described in 
                subparagraph (A) as a Federal information 
                system; and
                  (C) encompasses, to the greatest extent 
                practicable, all necessary and appropriate 
                cloud computing products and services;
          (2) issue guidance describing additional 
        responsibilities of FedRAMP and the FedRAMP Board to 
        accelerate the adoption of secure cloud computing 
        products and services by the Federal Government;
          (3) in consultation with the Administrator, establish 
        a process to periodically review FedRAMP authorization 
        packages to support the secure authorization and reuse 
        of secure cloud products and services;
          (4) oversee the effectiveness of FedRAMP and the 
        FedRAMP Board, including the compliance by the FedRAMP 
        Board with the duties described in section 3610(d); and
          (5) to the greatest extent practicable, encourage and 
        promote consistency of theassessment, authorization, 
adoption, and use of secure cloud computing products and services 
within and across agencies.

SEC. 3615. REPORTS TO CONGRESS; GAO REPORT

    (a) Reports to Congress.--Not later than 1 year after the 
date of enactment of this section, and annually thereafter, the 
Director shall submit to the appropriate congressional 
committees a report that includes the following:
          (1) During the preceding year, the status, 
        efficiency, and effectiveness of the General Services 
        Administration under section 3609 and agencies under 
        section 3613 and in supporting the speed, 
        effectiveness, sharing, reuse, and security of 
        authorizations to operate for secure cloud computing 
        products and services.
          (2) Progress towards meeting the metrics required 
        under section 3609(d).
          (3) Data on FedRAMP authorizations.
          (4) The average length of time to issue FedRAMP 
        authorizations.
          (5) The number of FedRAMP authorizations submitted, 
        issued, and denied for the preceding year.
          (6) A review of progress made during the preceding 
        year in advancing automation techniques to securely 
        automate FedRAMP processes and to accelerate reporting 
        under this section.
          (7) The number and characteristics of authorized 
        cloud computing products and services in use at each 
        agency consistent with guidance provided by the 
        Director under section 3614.
          (8) A review of FedRAMP measures to ensure the 
        security of data stored or processed by cloud service 
        providers, which may include--
                  (A) geolocation restrictions for provided 
                products or services;
                  (B) disclosures of foreign elements of supply 
                chains of acquired products or services;
                  (C) continued disclosures of ownership of 
                cloud service providers by foreign entities; 
                and
                  (D) encryption for data processed, stored, or 
                transmitted by cloud service providers.
    (b) GAO Report.--Not later than 180 days after the date of 
enactment of this section, the Comptroller General of the 
United States shall report to the appropriate congressional 
committees an assessment of the following:
          (1) The costs incurred by agencies and cloud service 
        providers relating to the issuance of FedRAMP 
        authorizations.
          (2) The extent to which agencies have processes in 
        place to continuously monitor the implementation of 
        cloud computing products and services operating as 
        Federal information systems.
          (3) How often and for which categories of products 
        and services agencies use FedRAMP authorizations.
          (4) The unique costs and potential burdens incurred 
        by cloud computing companies that are small business 
        concerns (as defined in section 3(a) of the Small 
        Business Act (15 U.S.C. 632(a)) as a part of the 
        FedRAMP authorization process.

SEC. 3616. FEDERAL SECURE CLOUD ADVISORY COMMITTEE

    (a) Establishment, Purposes, and Duties.--
          (1) Establishment.--There is established a Federal 
        Secure Cloud Advisory Committee (referred to in this 
        section as the `Committee') to ensure effective and 
        ongoing coordination of agency adoption, use, 
        authorization, monitoring, acquisition, and security of 
        cloud computing products and services to enable agency 
        mission and administrative priorities.
          (2) Purposes.--The purposes of the Committee are the 
        following:
                  (A) To examine the operations of FedRAMP and 
                determine ways that authorization processes can 
                continuously be improved, including the 
                following:
                          (i) Measures to increase agency reuse 
                        of FedRAMP authorizations.
                          (ii) Proposed actions that can be 
                        adopted to reduce the burden, 
                        confusion, and cost associated with 
                        FedRAMP authorizations for cloud 
                        service providers.
                          (iii) Measures to increase the number 
                        of FedRAMP authorizations for cloud 
                        computing products and services offered 
                        by small businesses concerns (as 
                        defined by section 3(a) of the Small 
                        Business Act (15 U.S.C. 632(a)).
                          (iv) Proposed actions that can be 
                        adopted to reduce the burden and cost 
                        of FedRAMP authorizations for agencies.
                  (B) Collect information and feedback on 
                agency compliance with and implementation of 
                FedRAMP requirements.
                  (C) Serve as a forum that facilitates 
                communication and collaboration among the 
                FedRAMP stakeholder community.
          (3) Duties.--The duties of the Committee include 
        providing advice and recommendations to the 
        Administrator, the FedRAMP Board, and agencies on 
        technical, financial, programmatic, and operational 
        matters regarding secure adoption of cloud computing 
        products and services.
    (b) Members.--
          (1) Composition.--The Committee shall be comprised of 
        not more than 15 members who are qualified 
        representatives from the public and private sectors, 
        appointed by the Administrator, in consultation with 
        the Director, as follows:
                  (A) The Administrator or the Administrator's 
                designee, who shall be the Chair of the 
                Committee.
                  (B) At least 1 representative each from the 
                Cybersecurity and Infrastructure Security 
                Agency and the National Institute of Standards 
                and Technology.
                  (C) At least 2 officials who serve as the 
                Chief Information Security Officer within an 
                agency, who shall be required to maintain such 
                a position throughout the duration of their 
                service on the Committee.
                  (D) At least 1 official serving as Chief 
                Procurement Officer (or equivalent) in an 
                agency, who shall be required to maintain such 
                a position throughout the duration of their 
                service on the Committee.
                  (E) At least 1 individual representing an 
                independent assessment service.
                  (F) At least 5 representatives from unique 
                businesses that primarily provide cloud 
                computing services or products, including at 
                least 2 representatives from a small business 
                concern (as defined by section 3(a) of the 
                Small Business Act (15 U.S.C. 632(a))).
                  (G) At least 2 other representatives of the 
                Federal Government as the Administrator 
                determines necessary to provide sufficient 
                balance, insights, or expertise to the 
                Committee.
          (2) Deadline for appointment.--Each member of the 
        Committee shall be appointed not later than 90 days 
        after the date of enactment of this section.
          (3) Period of appointment; vacancies.--
                  (A) In general.--Each non-Federal member of 
                the Committee shall be appointed for a term of 
                3 years, except that the initial terms for 
                members may be staggered 1-, 2-, or 3-year 
                terms to establish a rotation in which one-
                third of the members are selected each year. 
                Any such member may be appointed for not more 
                than 2 consecutive terms.
                  (B) Vacancies.--Any vacancy in the Committee 
                shall not affect its powers, but shall be 
                filled in the same manner in which the original 
                appointment was made. Any member appointed to 
                fill a vacancy occurring before the expiration 
                of the term for which the member's predecessor 
                was appointed shall be appointed only for the 
                remainder of that term. A member may serve 
                after the expiration of that member's term 
                until a successor has taken office.
    (c) Meetings and Rules of Procedures.--
          (1) Meetings.--The Committee shall hold not fewer 
        than 3 meetings in a calendar year, at such time and 
        place as determined by the Chair.
          (2) Initial meeting.--Not later than 120 days after 
        the date of enactment of this section, the Committee 
        shall meet and begin the operations of the Committee.
          (3) Rules of procedure.--The Committee may establish 
        rules for the conduct of the business of the Committee 
        if such rules are not inconsistent with this section or 
        other applicable law.
    (d) Employee Status.--
          (1) In general.--A member of the Committee (other 
        than a member who is appointed to the Committee in 
        connection with another Federal appointment) shall not 
        be considered an employee of the Federal Government by 
        reason of any service as such a member, except for the 
        purposes of section 5703 of title 5, relating to travel 
        expenses.
          (2) Pay not permitted.--A member of the Committee 
        covered by paragraph (1) may not receive pay by reason 
        of service on the Committee.
    (e) Applicability to the Federal Advisory Committee Act.--
Section 14 of the Federal Advisory Committee Act (5 U.S.C. 
App.) shall not apply to the Committee.
    (f) Detail of Employees.--Any Federal Government employee 
may be detailed to the Committee without reimbursement from the 
Committee, and such detailee shall retain the rights, status, 
and privileges of his or her regular employment without 
interruption.
    (g) Postal Services.--The Committee may use the United 
States mails in the same manner and under the same conditions 
as agencies.
    (h) Reports.--
          (1) Interim reports.--The Committee may submit to the 
        Administrator and Congress interim reports containing 
        such findings, conclusions, and recommendations as have 
        been agreed to by the Committee.
          (2) Annual reports.--Not later than 540 days after 
        the date of enactment of this section, and annually 
        thereafter, the Committee shall submit to the 
        Administrator and Congress a report containing such 
        findings, conclusions, and recommendations as have been 
        agreed to by the Committee.

                                  [all]