Corrected: FedRAMP Bill Includes Transparency Provisions for New Advisory Council
The legislation would create a public-private advisory council that would be subject to most of the provisions of the Federal Advisory Committee Act.
Editor’s Note: A previous version of this story incorrectly characterized the applicability of the Federal Advisory Committee Act, which governs public access and record keeping of meetings at which government officials receive external input, typically from industry and other stakeholders, under new legislation. The story has been updated to correct the error.
---
A new bill making its way through Congress would create a public-private Federal Secure Cloud Advisory Committee to provide input for operation of the Federal Risk and Authorization Management Program, or FedRAMP.
FedRAMP is a 10-year-old program run by the General Services Administration that aims to increase agencies’ use of cloud services while avoiding security pitfalls by pre-approving their vendors.
The Office of Management and Budget requires agencies to use FedRAMP’s system of independent third-party assessment organizations to verify cloud providers’ security assertions, but the Government Accountability Office has reported agencies often bypass the program when making their acquisitions.
The bipartisan Federal Secure Cloud Improvement and Jobs Act of 2021, which cleared the Senate Homeland Security and Governmental Affairs Committee Dec. 15, would give FedRAMP the force of law, providing GSA and OMB with new authorities.
The GSA administrator would have the power to appoint members to the advisory committee, which would have to include representatives from cloud vendors—including small businesses—and certification organizations, in addition to government officials.
The advisory committee would be subject to the public access and transparency requirements of the Federal Advisory Committee Act, with one exception. Section 14 of the FACA, which generally requires such advisory committees to automatically dissolve after two years, would not apply.
A Senate Homeland Security Committee aide told Nextgov the sunset exemption was included in consideration of the bill’s overarching provision that new FedRAMP authorities would need to be reauthorized five years after the bill’s enactment.
“We said, ‘Well, we don't want [GSA] to have to go through this additional administrative paperwork exercise to reauthorize the committee because we're making the entire bill subject to the five-year sunset,’” the aide said.