The Fiscal Year (FY) 2023 National Defense Authorization Act (NDAA) bill released by the House Rules Committee late Tuesday evening features legislation approved by the House in September to codify into law and update the Federal Risk and Authorization Management Program (FedRAMP).
Since the NDAA is widely considered to be “must-pass” legislation in the current session of Congress, chances are good that the FedRAMP measure remains in the final bill. The NDAA has already been the subject of intense negotiations between House and Senate leadership on both sides of the aisle, so the bill that landed last night already reflects agreement between the parties on major issues.
Capitol Hill sources told MeriTalk today that the House is expected to vote on the NDAA tomorrow, while the Senate is expected to take up the bill next week.
At the top line, the bill would green-light $847 billion of spending, including $816 billion for Defense Department (DoD) “discretionary base” funding, and $30.3 billion for Energy Department (DoE) “discretionary base” funding. The FY2023 spending total is well above the $768 billion in spending approved under the FY2022 version of the legislation approved by Congress.
Also headlining the FY2023 NDAA is a 4.6 percent increase in basic pay for military service members – matching the pay increase in the works for the Federal civilian workforce in FY2023 regular appropriations legislation that still needs to be considered by Congress.
The bill also drops consideration of language that would require vendors to provide a software bill of materials (SBOM) on the technology they provide to government agencies. Tech trade groups including the Alliance for Digital Innovation (ADI) urged the House and Senate Armed Services committees to remove language on SBOM from the bill in order to give the government and industry more time to work out solutions to improve cybersecurity in supply chains.
The chairs and ranking members of both committees presented a united front today in urging passage of the bill.
“We are pleased to announce we’ve come to a bipartisan, bicameral agreement on this year’s National Defense Authorization Act,” said Reps. Adam Smith, D-Wash., and Mike Rogers, R-Ala., and Sens. Jack Reed, D-R.I., and Jim Inhofe, R-Okla.
“This year’s agreement continues the Armed Services Committees’ 62-year tradition of working together to support our troops and strengthen America’s national security,” they said. “We urge Congress to pass the NDAA quickly and the president to sign it when it reaches his desk.”
The FedRAMP legislation included in the NDAA was approved by the House on Sept. 29. The measure was introduced by Rep. Gerry Connolly, D-Va., chairman of the House Government Operations Subcommittee and a long-time champion of Federal IT issues in the House.
The 11-year-old FedRAMP program is operated by the General Services Administration (GSA) to provide a standardized, government-wide approach to security assessment, authorization, and continuous monitoring for cloud products and services used by Federal government agencies.
The bill approved in September represents an updated version of a similar FedRAMP codification bill that passed the House in early 2021, and includes subsequent input from the Biden administration. The bill would:
- Codify the FedRAMP program into Federal law;
- Reduce duplication of security assessments and other obstacles to agency adoption of cloud products by establishing a “presumption of adequacy” for cloud technologies that have received FedRAMP certification;
- Facilitate the use of cloud technologies that have already received an authorization-to-operate by requiring agencies to check a centralized and secure repository and, to the extent practicable, reuse any existing security assessment before conducting their own;
- Require that GSA work toward automating its processes, which will lead to more standard security assessments and continuous monitoring of cloud offerings, and increased efficiency for both providers and agencies; and
- Establish a Federal Secure Cloud Advisory Committee to ensure dialogue among GSA, agency cybersecurity and procurement officials, and industry for effective and ongoing coordination in acquisition and adoption of cloud products by the Federal government.
Notable changes in the approved version of the bill – versus its preceding version – include:
- Streamlining the Federal Advisory Committee to create a better feedback loop from agencies and cloud service providers;
- Requiring that members of the FedRAMP Joint Authorization Board are technical experts; and
- Requiring transparency for any foreign interest or control of an independent assessment service.
The drive to require SBOMs from software providers stems from President Biden’s cybersecurity executive order signed in May 2021. The administration is moving forward with that aspect of the order, and most recently the Office of Management and Budget (OMB) issued marching orders to Federal agencies to take action to comply with National Institute of Standards and Technology (NIST) guidance for the use of secure supply chain software.
Inclusion of SBOM provisions in the FY2023 NDAA, however, drew strong opposition from industry groups including ADI.
The trade group – which counts as members tech behemoths such as Amazon Web Services and Google Cloud – argued that SBOMs will not achieve the desired utility for agencies at this point due to a lack of standardization. The SBOM approach needs to be matured, they said, before language requiring it is included in the NDAA.
“ADI and other trade associations have urged Congress to remove the SBOM language from the NDAA and give industry and agencies more time to develop solutions that will better secure the country’s cybersecurity supply chain,” the group said.
In a statement today, ADI praised the willingness of the House and Senate Armed Services committees to consider industry input on the legislation, and applauded their work to “provide the Department of Defense with authorization through the NDAA to invest in modern, cloud-based infrastructure and applications.”
“Specifically, ADI is encouraged that Congress heard industry’s concerns regarding Software Bill of Materials (SBOM) requirements,” the group said. “The removal of this language will benefit current administration and industry efforts to develop a standardized approach to SBOMs across Federal civilian and defense agencies. ADI will continue to work with the administration and Congress to implement secure software development practices, mature SBOMs, and improve the nation’s security.”
ADI also applauded inclusion of the FedRAMP legislation in the NDAA.
“Authorizing FedRAMP is the first step to fully and robustly resourcing the program so that it can accredit the many cloud-based technologies the government needs,” the group said.
“Rep. Connolly, Rep. Comer, Sen. Peters, and Sen. Portman deserve credit for pushing this legislation over the finish line,” the group added. “ADI will continue to work closely with GSA and the FedRAMP PMO to improve the processes and throughput to continue to facilitate secure, modern cloud-based environments across the government.”