Number:        117-1   
Date:             January 28, 2021

House Passes H.R. 21, the
“Federal Risk and Authorization Management Program (FedRAMP)
Authorization Act of 2021”

On January 5, 2021, the House suspended the rules and passed H.R. 21, the Federal Risk and Authorization Management Program (FedRAMP) Authorization Act of 2021, by voice vote. The bill was moved to the Senate for action on January 6. Introduced by Representative Gerald E. Connolly on January 4, the bill would codify FedRAMP.

H.R. 21 includes the following provisions of interest to SSA that would be codified at 44 USC:

Sec. 3607 Federal Risk and Authorization Management Program (FedRAMP)

  • Would establish FedRAMP within the General Services Administration (GSA) and establish the Joint Authorization Board (JAB) and the FedRAMP Program Management Office (PMO) as components of FedRAMP.

Sec. 3608 FedRAMP Program Management Office (PMO)

  • Would require the Administrator of GSA (Administrator) to coordinate a process for the PMO, JAB and agencies to review security assessments of cloud computing products and services.

  • Would require the PMO to:

    • develop templates and other materials to support the Board and agencies in the authorization of cloud computing products and services;
    • the Federal tenant will only grant the covered entity access to such space if it determines that access is consistent with its mission and responsibilities; and
    • establish frameworks for agencies to use authorization packages processed by the PMO and JAB; and
    • establish a centralized and secure repository to collect and share necessary data, including security authorization packages, from the JAB and agencies to enable better sharing and reuse of such packages across agencies.

  • Would require the PMO to establish annual metrics regarding the time and quality of the assessments necessary for completion of a FedRAMP authorization process in a manner that minimizes the agency reporting burden.

Sec. 3609 Joint Authorization Board (JAB)

  • Would require the JAB to establish requirements and guidelines for security assessments of cloud computing products and services, consistent with NIST standards, to be used by agencies.

Sec. 3611 Roles and responsibilities of agencies

  • Would require the head of each agency to:

    • create policies to ensure cloud computing products and services used by the agency meet FedRAMP security requirements and submit such polices, no later than 6 months after enactment of this section, to the Director of the Office of Management and Budget (Director) for review and approval;
    • issue agency-specific “authorizations to operate” for cloud computing services ;
    • confirm whether there is a FedRAMP authorization or provisional authorization in the cloud security repository established under 3608 before beginning the award process;
    • use the existing assessments of security controls and materials within the authorization package, to the extent possible, for any cloud computing product or service the agency seeks to authorize that has received a FedRAMP authorization or provisional authorization; and
    • provide data and information required to the Director under section 3612 to determine how agencies are meeting metrics as defined by the PMO.

  • Would require the head of each agency to provide to the PMO a copy of the authorization to operate letter required under section 3608.

Sec. 3612 Roles and Responsibilities of the Office of Management and Budget

  • Would require the Director to:

    • issue guidance to ensure that an agency does not operate a Federal Government cloud computing product or service using Government data without an authorization to operate issued by the agency that meets the information security requirements of subchapter II of chapter 35 and the FedRAMP authorization or provisional authorization;
    • ensure agencies are in compliance with any guidance or other requirements issued related to FedRAMP; and
    • review, analyze, and update guidance on the adoption, security, and use of cloud computing services used by agencies.

Sec. 3614 Reports to Congress; GAO Report

  • Would require the Director to submit a report, no later than 12 months after enactment of this section, to the House Committee on Oversight and Reform and the Senate Committee on Homeland Security and Governmental Affairs that includes:

    • the status, efficiency, and effectiveness of the PMO and agencies during the preceding year in supporting the speed, effectiveness, sharing, reuse, and security of authorizations to operate for cloud computing products and services, including progress towards meeting the metrics adopted by the PMO and the JAB;
    • the number and characteristics of authorized cloud computing products and services in use at each agency consistent with guidance provided by the Director in section 3612; and
    • the cost incurred by agencies and cloud service providers related to the issuance of FedRAMP authorizations and provisional authorizations, including information responsive to the GAO report.

  • Would require the Comptroller General of GAO to publish a report, no later than 6 months after the date of the enactment of this section, that includes an assessment of the cost incurred by agencies and cloud service providers related to the issuance of FedRAMP authorizations and provisional authorizations.

Sec. 3615 Federal Secure Cloud Advisory Committee

  • Would establish a Federal Secure Cloud Advisory Committee (Committee) to ensure effective and ongoing coordination of agency adoption, use, authorization, monitoring, acquisition, and security of cloud computing products and services.

  • Would authorize the Committee to secure information directly from any agency to carry out the Committee’s purpose and require the agency, to the extent authorized by law, to furnish such information to the Committee upon request.

  • Would allow any Federal Government employee to be detailed to the Committee without reimbursement from the Committee, and require the detailee to retain the rights of their regular employment without interruption.

Unless stated otherwise, all provisions would be effective upon enactment. The legislation would sunset 10 years after enactment.

________________

1 FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by agencies.
2 As proposed to be defined in 44 USC §3616, “authorization package” means, in general, the information used to determine whether to authorize the operation of an information system.
3 In compliance with title 44, §3554 U.S. Code.
4 Section 14 of the Federal Advisory Committee Act (5 U.S.C. App.) does not apply to the Committee.