2023 NDAA Makes Notable Changes to FedRAMP Program

GOVERNMENT CONTRACTING INSIGHTS DEFENSE CONTRACTING

2023 NDAA Makes Notable Changes to FedRAMP Program

3/1/2023
By Susan Cassidy, Moriah Daugherty and Ashden Fein

iStock photo-illustration

On Dec. 23, President Joe Biden signed the James M. Inhofe National Defense Authorization Act for fiscal year 2023 into law.

One provision of the NDAA likely to be of particular interest to U.S. contractors who provide or plan to provide cloud computing services to the U.S. government is the FedRAMP Authorization Act, which codifies the Federal Risk and Authorization Management Program by adding certain sections to Chapter 36 of Title 44, United States Code, which addresses the management and promotion of electronic government services.

In 2011, the Office of Management and Budget established FedRAMP to promote the adoption and use of secure cloud services across the government and is described by the FedRAMP Program Management Office as “providing a standardized approach to security and risk assessment for cloud technologies and federal agencies.”

Since 2011, obtaining FedRAMP authorization has become a key step for cloud service providers doing business with the U.S. government, and service providers can receive authorizations at one of three impact levels — low, medium and high — which measure the potential impact to the government’s assets and operations should the cloud service be compromised.

Impact is measured across three security objectives: confidentiality, integrity and availability. To many, FedRAMP has become synonymous with cloud offerings targeted for use by the government, and the codification of the act implements important changes in the FedRAMP program that appear designed to further streamline the processes for adoption and use of cloud services by the government.

There are several key provisions that may be of interest to companies who provide or plan to provide cloud computing services to the government.

First, the act codifies the FedRAMP program within the General Services Administration, which will be required to implement various processes to facilitate administration of the FedRAMP program, including implementing “a process to support agency review, reuse and standardization, where appropriate, of security assessments of cloud computing products and services” and publishing guidance designed to “increase the speed, effectiveness, and transparency of the authorization process.”

Additionally, GSA is required to, in coordination with other stakeholders, “determine the sufficiency of underlying requirements to identify and assess the provenance of the software in cloud services and products.” It is possible that this requirement may lead to increased scrutiny of foreign-developed software in FedRAMP systems.

Next, the act establishes a FedRAMP board comprising no more than seven senior officials and experts from government agencies with “technical expertise in domains relevant to FedRAMP,” such as cloud computing, cybersecurity, privacy and risk management. The FedRAMP board is charged with providing “input and recommendations” related to the “requirements and guidelines for, and the prioritization of, security assessments of cloud computing products and services.”

Further, the act establishes a “presumption of adequacy” for cloud computing services that have received FedRAMP authorization.

In addition, the act requires government agencies to confirm whether a cloud computing product or service has already received authorization prior to beginning the authorization process and, to the extent practicable, reuse existing assessments of security controls and materials.

Although the legislation caveats that agencies may still impose their own security requirements where necessary, this statutory presumption may help to reduce costs and effort for FedRAMP providers seeking to sell the same service to multiple government customers.

In addition, the act establishes the Federal Secure Cloud Advisory Committee, which will comprise no more than 15 “qualified representatives” from the government and the private sector, including at least one representative from an “independent assessment service” and at least five representatives from “unique businesses that primarily provide cloud computing services or products,” including at least two representatives from “a small business concern” as defined under the Small Business Act.

The committee is charged with providing advice and recommendations on “technical, financial, programmatic and operational matters regarding secure adoption of cloud computing products and services.”

Lastly, the act requires that any independent assessment service that assists FedRAMP with determining whether to use a cloud service must annually submit to GSA information relating to any foreign interest, foreign influence or foreign control of the service. Assessments services must also certify to the accuracy and completeness of this information and notify GSA within 48 hours of changes in foreign ownership or control.

The legislation, including its codification of key aspects of the existing program, signals not only that FedRAMP is here to stay, but that Congress is taking an increased interest in security oversight, including in the areas of software provenance and foreign influence.

U.S. contractors who provide or plan to provide cloud computing services to the government may wish to continue monitoring developments as the FedRAMP Authorization Act is implemented, including by monitoring guidance published by GSA in the future.

The authors are attorneys in the Washington, D.C., office of Covington and Burling LLP. Robert Huffman and Ryan Burnette also contributed to the article.

Topics: Defense Contracting

Comments (0)

Name *

Email *

Comment *

Please enter the text displayed in the image.

Characters *

Legal Notice *

NDIA is not responsible for screening, policing, editing, or monitoring your or another user's postings and encourages all of its users to use reasonable discretion and caution in evaluating or reviewing any posting. Moreover, and except as provided below with respect to NDIA's right and ability to delete or remove a posting (or any part thereof), NDIA does not endorse, oppose, or edit any opinion or information provided by you or another user and does not make any representation with respect to, nor does it endorse the accuracy, completeness, timeliness, or reliability of any advice, opinion, statement, or other material displayed, uploaded, or distributed by you or any other user. Nevertheless, NDIA reserves the right to delete or take other action with respect to postings (or parts thereof) that NDIA believes in good faith violate this Legal Notice and/or are potentially harmful or unlawful. If you violate this Legal Notice, NDIA may, in its sole discretion, delete the unacceptable content from your posting, remove or delete the posting in its entirety, issue you a warning, and/or terminate your use of the NDIA site. Moreover, it is a policy of NDIA to take appropriate actions under the Digital Millennium Copyright Act and other applicable intellectual property laws. If you become aware of postings that violate these rules regarding acceptable behavior or content, you may contact NDIA at 703.522.1820.

I have read the legal notice.

Find an Article VIEW ALL ARTICLES