House Codifies and Funds FedRAMP

The Government Services Administration’s cloud security project, the Federal Risk and Authorization Management Program (FedRAMP), has been codified and funded by the U.S. House of Representatives.  The legislation supports the program with up to $20 million each year for the next five years and provides mandates designed to increase efficiency.

FedRAMP was initially established eight years ago to create standardization for Federal Government agencies in their approach to cloud security and risk management.  The current focus of the program is going to be automation, starting with the government approval process and eventually expanding to include document validation and continuous monitoring functions.

The goal now is to get the security documents needed for vendor approval into a machine-readable format so that the government, with input from the private sector, can find the best path forward for automation.  This process is already underway: at the end of 2019, FedRAMP released a draft of its System Security Plan written entirely in XML and JSON.

The end result of vendors going through this process is that they receive an ATO, or Authority to Operate, allowing them to work with the Federal Government.  While the Department of Defense created a rule allowing it to use the ATOs of other agencies for moderate security level cloud products, this new House bill would require agencies’ default stance to be reusing existing ATOs.

This “presumption of adequacy,” as the bill’s author, Rep. Gerry Connolly (D-VA), calls it, will reduce duplication in vendor security evaluations, making procurement a more efficient process while also potentially opening up opportunities for smaller vendors that could be stymied by repeated arduous evaluations.  Obviously, though, we’ll have to watch for the unintended consequences of the bill, as it could create a scenario in which entrenched government vendors are difficult to unseat thanks to their ATO status.

The bill passed the House via a voice vote and will move to the Senate next, although no timetable has been established.

At Extract, we know the importance of security, particularly since our software handles personally identifiable information for our clients.  This is why, throughout our redaction and indexing processes, we keep files behind our clients’ firewalls, minimizing any exposure the data might have.  We’ve redacted over five billion pages without any reported data privacy breaches.

If you’d like to learn more about Extract’s approach to keeping your sensitive data safe, please reach out today.


About the Author: Chris Mack

Chris is a Marketing Manager at Extract with experience in product development, data analysis, and both traditional and digital marketing.  Chris received his bachelor’s degree in English from Bucknell University and has an MBA from the University of Notre Dame.  A passionate marketer, Chris strives to make complex ideas more accessible to those around him in a compelling way.