2023 NDAA Makes Notable Changes to FedRAMP Program

By Susan Cassidy, Moriah Daugherty and Ashden Fein


On Dec. 23, President Joe Biden signed the James M. Inhofe National Defense Authorization Act for fiscal year 2023 into law.

One provision of the NDAA likely to be of particular interest to U.S. contractors who provide or plan to provide cloud computing services to the U.S. government is the FedRAMP Authorization Act, which codifies the Federal Risk and Authorization Management Program by adding certain sections to Chapter 36 of Title 44, United States Code, which addresses the management and promotion of electronic government services.

In 2011, the Office of Management and Budget established FedRAMP to promote the adoption and use of secure cloud services across the government; the FedRAMP Program Management Office describes the program as “providing a standardized approach to security and risk assessment for cloud technologies and federal agencies.”

Since 2011, obtaining FedRAMP authorization has become a key step for cloud service providers doing business with the U.S. government, and service providers can receive authorizations at one of three impact levels — low, medium and high — which measure the potential impact to the government’s assets and operations should the cloud service be compromised.

Impact is measured across three security objectives: confidentiality, integrity and availability. To many, FedRAMP has become synonymous with cloud offerings targeted for use by the government, and the codification of the act implements important changes in the FedRAMP program that appear designed to further streamline the processes for adoption and use of cloud services by the government.

There are several key provisions that may be of interest to companies that provide or plan to provide cloud computing services to the government.

First, the act codifies the FedRAMP program within the General Services Administration, which will be required to implement various processes to facilitate administration of the FedRAMP program, including implementing “a process to support agency review, reuse and standardization, where appropriate, of security assessments of cloud computing products and services” and publishing guidance designed to “increase the speed, effectiveness, and transparency of the authorization process.”

Additionally, GSA is required to, in coordination with other stakeholders, “determine the sufficiency of underlying requirements to identify and assess the provenance of the software in cloud services and products.” It is possible that this requirement may lead to increased scrutiny of foreign-developed software in FedRAMP systems.

Next, the act establishes a FedRAMP board comprising no more than seven senior officials and experts from government agencies with “technical expertise in domains relevant to FedRAMP,” such as cloud computing, cybersecurity, privacy and risk management. The FedRAMP board is charged with providing “input and recommendations” related to the “requirements and guidelines for, and the prioritization of, security assessments of cloud computing products and services.”

Further, the act establishes a “presumption of adequacy” for cloud computing services that have received FedRAMP authorization.

In addition, the act requires government agencies to confirm whether a cloud computing product or service has already received authorization prior to beginning the authorization process and, to the extent practicable, reuse existing assessments of security controls and materials.

Although the legislation caveats that agencies may still impose their own security requirements where necessary, this statutory presumption may help to reduce costs and effort for FedRAMP providers seeking to sell the same service to multiple government customers.

In addition, the act establishes the Federal Secure Cloud Advisory Committee, which will comprise no more than 15 “qualified representatives” from the government and the private sector, including at least one representative from an “independent assessment service” and at least five representatives from “unique businesses that primarily provide cloud computing services or products,” including at least two representatives from “a small business concern” as defined under the Small Business Act.

The committee is charged with providing advice and recommendations on “technical, financial, programmatic and operational matters regarding secure adoption of cloud computing products and services.”

Lastly, the act requires that any independent assessment service that assists FedRAMP with determining whether to use a cloud service must annually submit to GSA information relating to any foreign interest, foreign influence or foreign control of the service. Assessment services must also certify to the accuracy and completeness of this information and notify GSA within 48 hours of changes in foreign ownership or control.

The legislation, including its codification of key aspects of the existing program, signals not only that FedRAMP is here to stay, but that Congress is taking an increased interest in security oversight, including in the areas of software provenance and foreign influence.

U.S. contractors who provide or plan to provide cloud computing services to the government may wish to continue monitoring developments as the FedRAMP Authorization Act is implemented, including by monitoring guidance published by GSA in the future.

The authors are attorneys in the Washington, D.C., office of Covington and Burling LLP. Robert Huffman and Ryan Burnette also contributed to the article.
