FedRAMP

On December 23, 2022, President Biden signed the James M. Inhofe National Defense Authorization Act for Fiscal Year 2023 (the “FY2023 NDAA”) into law.  As described in Covington’s Client Alert, FY23 NDAA: Provisions of Interest for Almost All Government Contractors, the FY23 NDAA contains provisions of interest for almost all U.S. Government contractors.  One provision likely to be of particular interest to U.S. contractors who provide or plan to provide cloud computing services to the U.S. Government is the FedRAMP Authorization Act (the “Act”), which codifies the Federal Risk and Authorization Management Program (“FedRAMP”).

Of note, the Act creates a “presumption of adequacy”: a cloud provider that holds a FedRAMP authorization from one agency can rely on that authorization when seeking to serve other agencies. This is an expansion compared to the current process, under which authorizations granted by the FedRAMP Joint Authorization Board, but not authorizations granted by individual agencies, may serve as the basis for another agency’s own authorization decision.  The Act also creates the Federal Secure Cloud Advisory Committee, comprised of 15 members from the public and private sectors, to provide recommendations regarding FedRAMP and the acquisition of cloud services more generally.

Continue Reading FY2023 NDAA Makes Notable Changes to FedRAMP Program

On July 24, 2015, the Defense Information Systems Agency (“DISA”) issued three draft documents for public comment concerning the adoption of secure cloud computing systems by the Department of Defense (“DoD”).  DISA is tasked with developing DoD’s security requirements guides for cybersecurity policies, standards, architectures, security controls, and validation procedures.  The just-released draft documents are: (1) a Cloud Computing Security Requirements Guide; (2) a Cloud Access Point Functional Requirements Document; and (3) a Concept of Operations for Cloud Computer Network Defense.  Any comments on these draft documents must be submitted to DISA by August 22, 2015.

Additional information regarding each of these three documents is provided below.
Continue Reading DoD Issues Three Cloud Computing and Security Documents for Public Comment

A major piece of IT acquisition reform legislation called the Federal Information Technology Acquisition Reform Act (“FITARA”), on which we have previously reported, was included in the version of the National Defense Authorization Act for Fiscal Year 2015 (“NDAA FY 15”) passed by the House on December 4, 2014, along with other significant IT reform provisions related to open systems requirements for the Department of Defense (“DoD”).

The FITARA portion of the bill includes provisions that would require the federal government to:

  • empower Chief Information Officers (“CIOs”) and prevent the CIO from delegating the duty of reviewing IT contracts before the agency enters into the contract;
  • provide a publicly available list for each major information technology investment, both new and existing, that lists information specified in forthcoming investment evaluation guidance;
  • engage in a detailed review of high-risk information technology investments to identify problems;
  • inventory all information technology;
  • implement a federal data center consolidation initiative, which will include publicized goals regarding cost savings and optimization improvements to be achieved as a result of the initiative, and must be performed consistent with federal guidelines on cloud computing and cybersecurity such as FedRAMP and NIST guidelines;
  • expand the use of specialized IT acquisition experts;
  • establish a federal strategic sourcing initiative, to be developed by GSA, which will allow for the use of governmentwide user license agreements.

Additional provisions require the use of open and modular strategies by the DoD, including the following requirements
Continue Reading Federal Information Technology Reform Act Included in the House-Passed NDAA FY 15