On December 23, 2022, President Biden signed the James M. Inhofe National Defense Authorization Act for Fiscal Year 2023 (the “FY2023 NDAA”) into law.  As described in Covington’s Client Alert, FY23 NDAA: Provisions of Interest for Almost All Government Contractors, the FY23 NDAA contains provisions of interest for almost all U.S. Government contractors.  One provision likely to be of particular interest to U.S. contractors who provide or plan to provide cloud computing services to the U.S. Government is the FedRAMP Authorization Act (the “Act”), which codifies the Federal Risk and Authorization Management Program (“FedRAMP”).

Of note, the Act creates a “presumption of adequacy” that cloud providers with authorization from one agency can use that authorization with other agencies. This is an expansion compared to the current process which allows authorizations by the FedRAMP Joint Authorization Board, but not authorizations from individual agencies, to serve as the basis for an agency’s own authorization process.  It also creates the Federal Secure Cloud Advisory Committee, comprised of 15 members of the public and private sector, to provide recommendations regarding FedRAMP and the acquisition of cloud services more generally.

The Act adds certain sections to Chapter 36 of Title 44, United States Code, which addresses the management and promotion of electronic government services.  Key provisions that may be of interest to U.S. Government contractors who provide or plan to provide cloud computing services to the U.S. Government include:

  • Codifying the FedRAMP Program within GSA and Requirements to Identify and Assess Software Provenance.  The Act codifies the FedRAMP program within the General Services Administration (“GSA”).  GSA will be required to implement various processes to facilitate administration of the FedRAMP program, including implementing “a process to support agency review, reuse, and standardization, where appropriate, of security assessments of cloud computing products and services” and publishing guidance designed to “increase the speed, effectiveness, and transparency of the authorization process.”  See § 3609.  Additionally, GSA is required to, in coordination with other stakeholders, “determine the sufficiency of underlying requirements to identify and assess the provenance of the software in cloud services and products.”  It is possible that this requirement may lead to increase scrutiny of foreign developed software in FedRAMP systems.
  • Establishing the FedRAMP Board.  The FedRAMP Board will be comprised of no more than seven senior officials and experts from U.S. Government agencies with “technical expertise in domains relevant to FedRAMP,” such as cloud computing, cybersecurity, privacy, and risk management.  The FedRAMP Board is charged with providing “input and recommendations” related to the “requirements and guidelines for, and the prioritization of, security assessments of cloud computing products and services.”  See § 3610.
  • Creating a Presumption of Adequacy.  The Act establishes a “presumption of adequacy” for cloud computing services that have received a FedRAMP authorization.  In addition, the Act requires U.S. Government agencies to confirm whether a cloud computing product or service has already received authorization prior to beginning the authorization process and, to the extent practicable, reuse existing assessments of security controls and materials.  See § 3613.  Although the legislation caveats that agencies may still impose their own security requirements where necessary, this statutory presumption may help to reduce costs and effort for FedRAMP providers seeking to sell the same service to multiple Government customers.
  • Establishing the Federal Secure Cloud Advisory Committee (the “Committee”).  The Committee will be comprised of no more than fifteen “qualified representatives” from the U.S. Government and the private sector, including at least one representative from an “independent assessment service” and at least five representatives from “unique businesses that primarily provide cloud computing services or products,” including at least two representatives from “a small business concern” as defined under the Small Business Act.  The Committee is charged with providing advice and recommendations on “technical, financial, programmatic, and operational matters regarding secure adoption of cloud computing products and services.”  See § 3616.
  • Foreign Interests of Independent Assessment Services.  The legislation requires that any independent assessment service that assists FedRAMP with determining whether to use a cloud service must annually submit to GSA information relating to any foreign interest, foreign influence, or foreign control of the service.  Assessments services must also certify to the accuracy and completeness of this information, and notify GSA within 48 hours of changes in foreign ownership or control.

The legislation, including its codification of key aspects of the existing FedRAMP program, signals not only that the FedRAMP program is here to stay, but that Congress is taking an increased interest in security oversight, including in the areas of software provenance and foreign influence.  U.S. contractors who provide or plan to provide cloud computing services to the U.S. Government may wish to continue monitor developments as the FedRAMP Authorization Act is implemented, including by monitoring guidance published by GSA in the future.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Moriah Daugherty Moriah Daugherty

Moriah Daugherty advises clients on a broad range of cybersecurity, data privacy, and national security matters, including government and internal investigations, regulatory inquiries, litigation, and compliance with state and federal privacy laws.

As part of her cybersecurity practice, Moriah specializes in assisting clients…

Moriah Daugherty advises clients on a broad range of cybersecurity, data privacy, and national security matters, including government and internal investigations, regulatory inquiries, litigation, and compliance with state and federal privacy laws.

As part of her cybersecurity practice, Moriah specializes in assisting clients in responding to cybersecurity incidents, including matters involving Advanced Persistent Threats targeting sensitive intellectual property and personally identifiable information. Moriah also assists clients in evaluating existing security controls and practices, assessing information security policies, and preparing for cyber and data security incidents.

As part of her litigation and investigations practice, Moriah leverages her government experience to advise clients on national security and law enforcement related compliance issues, internal investigations, and response to government inquiries.

Prior to becoming a lawyer, Moriah spent eight years working for the Federal Bureau of Investigation and U.S. Department of Justice.

Photo of Susan B. Cassidy Susan B. Cassidy

Ms. Cassidy represents clients in the defense, intelligence, and information technologies sectors.  She works with clients to navigate the complex rules and regulations that govern federal procurement and her practice includes both counseling and litigation components.  Ms. Cassidy conducts internal investigations for government…

Ms. Cassidy represents clients in the defense, intelligence, and information technologies sectors.  She works with clients to navigate the complex rules and regulations that govern federal procurement and her practice includes both counseling and litigation components.  Ms. Cassidy conducts internal investigations for government contractors and represents her clients before the Defense Contract Audit Agency (DCAA), Inspectors General (IG), and the Department of Justice with regard to those investigations.  From 2008 to 2012, Ms. Cassidy served as in-house counsel at Northrop Grumman Corporation, one of the world’s largest defense contractors, supporting both defense and intelligence programs. Previously, Ms. Cassidy held an in-house position with Motorola Inc., leading a team of lawyers supporting sales of commercial communications products and services to US government defense and civilian agencies. Prior to going in-house, Ms. Cassidy was a litigation and government contracts partner in an international law firm headquartered in Washington, DC.

Photo of Ashden Fein Ashden Fein

Ashden Fein advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Mr. Fein counsels clients on preparing for and responding to cyber-based attacks, assessing…

Ashden Fein advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Mr. Fein counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Mr. Fein frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, and destructive attacks.

Additionally, Mr. Fein assists clients from across industries with leading internal investigations and responding to government inquiries related to the U.S. national security. He also advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, and requirements related to supply chain security.

Before joining Covington, Mr. Fein served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks.

Mr. Fein currently serves as a Judge Advocate in the U.S. Army Reserve.

Photo of Robert Huffman Robert Huffman

Bob Huffman represents defense, health care, and other companies in contract matters and in disputes with the federal government and other contractors. He focuses his practice on False Claims Act qui tam investigations and litigation, cybersecurity and supply chain security counseling and compliance…

Bob Huffman represents defense, health care, and other companies in contract matters and in disputes with the federal government and other contractors. He focuses his practice on False Claims Act qui tam investigations and litigation, cybersecurity and supply chain security counseling and compliance, contract claims and disputes, and intellectual property (IP) matters related to U.S. government contracts.

Bob has leading expertise advising companies that are defending against investigations, prosecutions, and civil suits alleging procurement fraud and false claims. He has represented clients in more than a dozen False Claims Act qui tam suits. He also represents clients in connection with parallel criminal proceedings and suspension and debarment.

Bob also regularly counsels clients on government contracting supply chain compliance issues, including cybersecurity, the Buy American Act/Trade Agreements Act (BAA/TAA), and counterfeit parts requirements. He also has extensive experience litigating contract and related issues before the Court of Federal Claims, the Armed Services Board of Contract Appeals, federal district courts, the Federal Circuit, and other federal appellate courts.

In addition, Bob advises government contractors on rules relating to IP, including government patent rights, technical data rights, rights in computer software, and the rules applicable to IP in the acquisition of commercial items and services. He handles IP matters involving government contracts, grants, Cooperative Research and Development Agreements (CRADAs), and Other Transaction Agreements (OTAs).

Photo of Ryan Burnette Ryan Burnette

Ryan Burnette advises defense and civilian contractors on federal contracting compliance and on civil and internal investigations that stem from these obligations. Ryan has particular experience with clients that hold defense and intelligence community contracts and subcontracts, and has recognized expertise in national…

Ryan Burnette advises defense and civilian contractors on federal contracting compliance and on civil and internal investigations that stem from these obligations. Ryan has particular experience with clients that hold defense and intelligence community contracts and subcontracts, and has recognized expertise in national security related matters, including those matters that relate to federal cybersecurity and federal supply chain security. Ryan also advises on government cost accounting, FAR and DFARS compliance, public policy matters, and agency disputes. He speaks and writes regularly on government contracts and cybersecurity topics, drawing significantly on his prior experience in government to provide insight on the practical implications of regulations.