Good things can come both to those who wait – and never stop trying – in Washington.
That’s one of the top-line takeaways after talking with Stephen Kovac, Chief Compliance Officer at cloud security provider Zscaler, following the successful conclusion late last month of a multi-year campaign to codify into law the Federal Risk and Authorization Management Program (FedRAMP).
The 11-year-old FedRAMP program is operated by the General Services Administration (GSA) to provide a standardized, government-wide approach to security assessment, authorization, and continuous monitoring for cloud products and services used by Federal government agencies. Zscaler maintains moderate and high FedRAMP authorization for its Zero Trust Exchange platform.
The Long Road
Kovac said in an interview with MeriTalk that the new law was a long time coming, and the product of a strong, bipartisan effort on Capitol Hill.
He credited hard work by Rep. Gerry Connolly, D-Va., who led the charge on the House side over more than five years, and by Sens. Gary Peters, D-Mich., and Rob Portman, R-Ohio – the chair and former ranking member of the Senate Homeland Security and Governmental Affairs Committee – for pushing the legislation on the Senate side, with staff work led by Senior Professional Staff Member Matthew Cornelius and other key staffers.
Kovac has been in the vanguard of private-sector experts pushing to get FedRAMP written into law. His efforts were many, including testifying in favor of the bill on the Hill several times during the multi-year saga.
“Five years in the making to try to get FedRAMP codified,” Kovac observed, adding that most bills that take this long to make it through the legislative process never quite get there. “It’s a credit to its congressional supporters that this bill was important enough to not give up,” he added.
“As everyone knows, it’s hard to get anything done these days in a stand-alone fashion,” Kovac said, speaking of the years-long effort at FedRAMP codification that included multiple fits and starts, finally concluding with this year’s version of the bill included in the Fiscal Year 2023 National Defense Authorization Act, which was signed by President Biden on Dec. 23.
“For whatever reason, this year was different. They had to find the right way to get it in, and they got it done,” Kovac said. “There were some pretty big hitters that pushed this thing over the line.”
The version of the FedRAMP legislation included in the NDAA was previously approved by the House on Sept. 29. The measure was introduced by Rep. Gerry Connolly, D-Va., then chairman of the House Government Operations Subcommittee and a long-time champion of Federal IT issues in the U.S. House.
The bill approved in September represents an updated version of a similar FedRAMP codification bill that passed the House in early 2021, reflecting changes that aligned it with the version of the bill that had been introduced in the U.S. Senate, with subsequent input from the Biden administration. The bill as enacted:
- Codifies the FedRAMP program into Federal law;
- Aims to encourage reuse of security assessments and to reduce other obstacles to agency adoption of cloud products by establishing a “presumption of adequacy” for cloud technologies that have received FedRAMP authorization;
- Facilitates the use of cloud technologies that have already received an authorization-to-operate (ATO) by requiring agencies to check a centralized and secure repository and, to the extent practicable, reuse any existing security assessment before conducting their own;
- Requires that GSA work toward automating its processes, which will lead to more standard security assessments and continuous monitoring of cloud offerings, and increased efficiency for both providers and agencies; and
- Establishes a Federal Secure Cloud Advisory Committee to ensure dialogue among GSA, agency cybersecurity and procurement officials, and industry for effective and ongoing coordination in acquisition and adoption of cloud products by the Federal government.
Notable changes in the approved version of the bill – versus its preceding version – include:
- Requiring that members of the FedRAMP Joint Authorization Board be technical experts; and
- Requiring transparency for any foreign interest or control of an independent assessment service.
Small Program, Big Impact
The FedRAMP program – which runs with just a tiny handful of staff and a few dozen contractors supporting it – is a small-budget program that has an outsized impact.
Both Kovac – and Congress – pointed to the much larger economic stakes of the program and the avenue it provides for government agencies to use authorized cloud services, in arguing that the program needed to become law, and that higher funding should be next.
The Zscaler executive pointed to the program’s nearly 300 cloud service provider authorizations to date, which he said equates to “billions and billions” of dollars of cloud spend by Federal agencies.
The FedRAMP bill approved by the House last September framed the economic stakes somewhat differently, but with similarly large economic ramifications. It says that the size of the cloud computing market tripled from 2004 to 2019, “enabling more than 2,000,000 jobs and adding more than $200,000,000,000 to the gross domestic product of the United States.”
Kovac also pointed out that while the FedRAMP program office has its own budget, the cloud service approval process is vendor-funded.
With the program now law, the Federal government has the opportunity to continue to strengthen cloud security, implement consistent security controls across agencies large and small, and significantly expand the number of solutions authorized, which is critical, Kovac said.
When a non-authorized cloud provider goes around the system and gets an authority to operate with a Federal agency, that, “in my opinion causes a huge security risk for our government,” Kovac said. “Non FedRAMP-authorized providers may not have the right security protocols in their offerings.”
While the language of the legislation charts a timeline for putting in place structural changes to the FedRAMP program, a lot of other vital pieces to the program – like leadership and funding – are still up in the air.
Kovac said he would like to see the FedRAMP program office leadership position finalized. Today it is led by an acting director, but the program needs a permanent, long-term director. “I am a big supporter of Brian Conrad who is in the role now and doing a great job,” he said, adding, “I hope they make that decision soon.”
“Next is for leadership to figure out how to properly resource the program,” he said. “That’s step number one in my opinion – you have to fund it appropriately, and number two, you’ve got to continue to make it more efficient. The PMO has come a long way but there is still work to be done, I am very confident that the leadership there can make it happen if given the necessary resources.”
On the program funding question, Kovac was optimistic, saying, “I don’t think we’re going to have a problem getting it funded, the question is to what level.”
With the program codified, the hope and expectation is that GSA will request and Congress will provide the resources through the GSA budget that will help meet FedRAMP’s expanded and growing mission, Kovac said.
“The program needs more dedicated resources and tools to automate and speed processes and increase the program’s capacity to certify more products.”
“You compare it with other programs’ budgets like the Continuous Diagnostics and Mitigation (CDM) program” run by the Cybersecurity and Infrastructure Security Agency (CISA), said Kovac, and then consider that the contract value of cloud services to the Federal government runs into the billions of dollars per year – and will continue to grow. It is clear FedRAMP is underfunded.
Kovac said he thinks the program currently is funded annually to $25 million, but should be funded at $50 million per year “if you really wanted to do it right.”
“$50 million in year one is a reasonable funding number for the program,” he said. “That can be done by Congress increasing GSA’s budget for the program, or something more creative such as adding a FedRAMP service fee to the contracts, like other GSA contracts do today. Either way that is the next biggest challenge that FedRAMP and industry must work together to solve.”
“Could you do it at $25 million?” he asked, while at the same time saying, “it is a good start, but is that really going to fix it? To me that is like putting a cork in a leaking dam.”