On December 23, 2022, President Biden signed the James M. Inhofe National Defense Authorization Act for Fiscal Year 2023 (the “FY2023 NDAA”) into law. As described in Covington’s Client Alert, FY23 NDAA: Provisions of Interest for Almost All Government Contractors, the FY23 NDAA contains provisions of interest for almost all U.S. Government contractors. One provision likely to be of particular interest to U.S. contractors who provide or plan to provide cloud computing services to the U.S. Government is the FedRAMP Authorization Act (the “Act”), which codifies the Federal Risk and Authorization Management Program (“FedRAMP”).
Of note, the Act creates a “presumption of adequacy” that cloud providers with authorization from one agency can use that authorization with other agencies. This is an expansion compared to the current process which allows authorizations by the FedRAMP Joint Authorization Board, but not authorizations from individual agencies, to serve as the basis for an agency’s own authorization process. It also creates the Federal Secure Cloud Advisory Committee, comprised of 15 members of the public and private sector, to provide recommendations regarding FedRAMP and the acquisition of cloud services more generally.
The Act adds certain sections to Chapter 36 of Title 44, United States Code, which addresses the management and promotion of electronic government services. Key provisions that may be of interest to U.S. Government contractors who provide or plan to provide cloud computing services to the U.S. Government include:
- Codifying the FedRAMP Program within GSA and Requirements to Identify and Assess Software Provenance. The Act codifies the FedRAMP program within the General Services Administration (“GSA”). GSA will be required to implement various processes to facilitate administration of the FedRAMP program, including implementing “a process to support agency review, reuse, and standardization, where appropriate, of security assessments of cloud computing products and services” and publishing guidance designed to “increase the speed, effectiveness, and transparency of the authorization process.” See § 3609. Additionally, GSA is required to, in coordination with other stakeholders, “determine the sufficiency of underlying requirements to identify and assess the provenance of the software in cloud services and products.” It is possible that this requirement may lead to increase scrutiny of foreign developed software in FedRAMP systems.
- Establishing the FedRAMP Board. The FedRAMP Board will be comprised of no more than seven senior officials and experts from U.S. Government agencies with “technical expertise in domains relevant to FedRAMP,” such as cloud computing, cybersecurity, privacy, and risk management. The FedRAMP Board is charged with providing “input and recommendations” related to the “requirements and guidelines for, and the prioritization of, security assessments of cloud computing products and services.” See § 3610.
- Creating a Presumption of Adequacy. The Act establishes a “presumption of adequacy” for cloud computing services that have received a FedRAMP authorization. In addition, the Act requires U.S. Government agencies to confirm whether a cloud computing product or service has already received authorization prior to beginning the authorization process and, to the extent practicable, reuse existing assessments of security controls and materials. See § 3613. Although the legislation caveats that agencies may still impose their own security requirements where necessary, this statutory presumption may help to reduce costs and effort for FedRAMP providers seeking to sell the same service to multiple Government customers.
- Establishing the Federal Secure Cloud Advisory Committee (the “Committee”). The Committee will be comprised of no more than fifteen “qualified representatives” from the U.S. Government and the private sector, including at least one representative from an “independent assessment service” and at least five representatives from “unique businesses that primarily provide cloud computing services or products,” including at least two representatives from “a small business concern” as defined under the Small Business Act. The Committee is charged with providing advice and recommendations on “technical, financial, programmatic, and operational matters regarding secure adoption of cloud computing products and services.” See § 3616.
- Foreign Interests of Independent Assessment Services. The legislation requires that any independent assessment service that assists FedRAMP with determining whether to use a cloud service must annually submit to GSA information relating to any foreign interest, foreign influence, or foreign control of the service. Assessments services must also certify to the accuracy and completeness of this information, and notify GSA within 48 hours of changes in foreign ownership or control.
The legislation, including its codification of key aspects of the existing FedRAMP program, signals not only that the FedRAMP program is here to stay, but that Congress is taking an increased interest in security oversight, including in the areas of software provenance and foreign influence. U.S. contractors who provide or plan to provide cloud computing services to the U.S. Government may wish to continue monitor developments as the FedRAMP Authorization Act is implemented, including by monitoring guidance published by GSA in the future.