Rep. Mace questions GSA’s plan for replacing FedRAMP JAB
Rep. Nancy Mace (R-S.C.), chairwoman of the Oversight and Accountability Subcommittee on Cybersecurity, IT and Innovation, is asking for a briefing by Oct. 3.
The General Services Administration is facing new questions from a powerful House lawmaker over its plans to modernize the cloud security program known as FedRAMP.
Congresswoman Nancy Mace (R-S.C.), chairwoman of the Oversight and Accountability Subcommittee on Cybersecurity, IT and Innovation, wants both documents and a briefing by GSA on its plans to make sure cloud service providers (CSPs) have a clear understanding of their path to receive an authorization.
At the center of Mace’s concerns is the transition away from the Joint Authorization Board (JAB) model toward the new approach, in which the FedRAMP Program Management Office oversees and manages authorizations for broadly used cloud services.
“The administration created a bottleneck in this vital process, however, when it chose to shut down an existing FedRAMP authorization pathway before putting in place an alternative solution. What’s more, GSA left in limbo cloud service providers (CSPs) who invested time and resources in the now-defunct authorization process. Ultimately, unnecessarily delayed authorizations may reduce availability of cloud products and services to agencies,” Mace wrote in a letter to GSA Administrator Robin Carnahan, which Federal News Network obtained. “It remains unclear when and how CSPs previously prioritized for JAB authorization will be eligible for program authorization. This has resulted in continued uncertainty for CSPs that have already waited nearly a year for clear guidance on what the JAB transition means for them.”
The Office of Management and Budget and GSA outlined the plan to replace the JAB with a new FedRAMP Board and move some of the JAB’s responsibilities to the PMO.
“FedRAMP remains committed to ensuring we continue holding cloud services to the high security bar people expect from FedRAMP. We have been accelerating our development of a rigorous program authorization process to ensure that cloud service offerings prioritized by the JAB have a path to FedRAMP authorization,” said a GSA spokesperson in an email to Federal News Network.
Drew Myklegard, the federal deputy chief information officer, said in July, when OMB released the updated guidance for FedRAMP, that the PMO will address current CSPs with JAB authorizations and those already in the process.
Eric Mill, the executive director for cloud strategy at GSA, said in July that the future program authorizations will be for CSPs that don’t have an agency sponsor.
“What we are doing right now is making sure that they are a tool at our disposal to help agencies that were prioritized by the JAB before they stopped taking in new cloud providers, and cloud providers who have done lots of work, in some cases, to prepare for what the government’s reasonable expectation that had been set that they would go through that process,” Mill said. “Our commitment to them that we’ve made privately and publicly is that we’re going to get them through the process. For a number that do have an agency sponsor, and what may or may not be one or more agencies that will help them through. That is probably going to be the most straightforward way for some of them who have those relationships. For others, we will be using our program authorizations to do that process. We’re going to learn a lot from that. I think that will help us establish what the criteria are, and the strategic approach for how we use them widely.”
Disruption to FedRAMP process
Mace, however, said in her letter that GSA doesn’t have a clear transition strategy and there has certainly been disruption to CSPs with authorization processes that were actively underway.
The committee obtained an email from FedRAMP PMO to a CSP that highlighted this confusion.
“In the email, the FedRAMP team told at least one of these CSPs that, ‘Until a pilot process is ready for implementation, the only way a cloud service offering can be FedRAMP authorized is using the existing approved agency sponsorship path that was not changed by the recent memorandum,’” Mace wrote.
Mace is requesting a briefing from GSA by Oct. 3 focused on five questions, including how long it will take for the PMO to establish the new program for multi-agency authorizations and why the FedRAMP PMO changed its position on the authorization process for CSPs whose authorizations were actively underway.
Additionally, Mace would like GSA to provide documents by Oct. 10 related to the FedRAMP policy changes and anything provided to the CSPs regarding the decision to move away from the JAB and the creation of the new authorization process.
“Our federal agencies face unprecedented cybersecurity threats. FedRAMP allows these agencies to safely use cloud products and services. The current bottleneck in FedRAMP is an unforced error by OMB and GSA; it will delay agency access to critical cloud technology and erode the trust of the government’s essential business partners,” Mace said in an email to Federal News Network.
GSA owes Congress a plan
An email to OMB seeking comment on Mace’s letter was not immediately returned.
“In the FedRAMP Authorization Act, we did everything we could to preserve the JAB authorization pathway,” said Rep. Gerry Connolly (D-Va.), ranking member of the subcommittee and co-author of the FedRAMP act. “The administration has decided to go in a different direction. If they are going to do that, they owe Congress and stakeholders a plan. The limbo experienced by cloud service providers who were going through the JAB authorization process has gone on for far too long.”
OMB and GSA have been working on updating and modernizing the FedRAMP program for more than 18 months.
In March, GSA outlined 28 near-term initiatives to bring in automation, test out reciprocity and speed up reviews. As part of that effort, the PMO launched two new pilots in July focused on testing out how to use secure software delivery approaches to accelerate the “significant change request” process and another one to bring more automation to the program through the development, validation and submission of digital authorization packages.