Rep. Gerry Connolly, D-Va., long a prime mover on Federal technology policy issues in Congress, said today that he is committed to encouraging further adoption of cloud services by the Federal government “through continued FITARA (Federal Information Technology Acquisition Reform Act) oversight hearings” by the House Oversight and Accountability Committee.
Those oversight hearings, and the creation of the semi-annual FITARA Scorecard, have been a fixture of the committee’s Federal agency technology oversight lineup since 2015. The scorecard grades the 24 Federal CFO Act agencies for their performance in several IT-related categories.
The most recent scorecard hearing was held last December, and there’s no word yet on when the next iteration may come. Rep. James Comer, R-Ky., took over as full committee chairman earlier this year, with Rep. Nancy Mace, R-S.C., taking the gavel of the Subcommittee on Cybersecurity, Information Technology, and Government Innovation.
Speaking today at an event organized by Carahsoft and GovExec, Rep. Connolly pointed to the tangible value of FITARA oversight in Congress and noted that the committee’s action to push agencies to consolidate and eliminate data centers has yielded savings of $4.7 billion. “Not many bills can claim that kind of savings,” he said.
“New toys and innovations are fun, and they can help agencies meet their missions,” he said, “but getting the fundamentals right is what ensures government can deliver for our constituents, and then that’s exactly what I plan to continue to do.”
FedRAMP Law Impact
Rep. Connolly talked about the importance of Congress’ passage late last year of legislation he sponsored for the past several years to codify FedRAMP (the Federal Risk and Authorization Management Program) into Federal law and make a long list of improvements to the program. Those include the following provisions:
- Encouraging reuse of security assessments and easing other obstacles to agency adoption of cloud products by establishing a “presumption of adequacy” for cloud technologies that have received FedRAMP certification;
- Facilitating the use of cloud technologies that have already received an authorization-to-operate (ATO) by requiring agencies to check a centralized and secure repository and, to the extent practicable, reuse any existing security assessment before conducting their own;
- Requiring that GSA work toward automating its processes, which will lead to more standard security assessments and continuous monitoring of cloud offerings, and increased efficiency for both providers and agencies; and
- Establishing a Federal Secure Cloud Advisory Committee to ensure dialogue among GSA, agency cybersecurity and procurement officials, and industry for effective and ongoing coordination in acquisition and adoption of cloud products by the Federal government.
“Last year’s enactment will protect those who invested millions in FedRAMP authorizations against potential wholesale changes to the program by any future presidential administration,” Rep. Connolly said.
He also hailed the bill’s creation of the Federal Secure Cloud Advisory Committee, which he said will ensure that “concerns related both to time and cost can be addressed as part of Congress’s ongoing oversight of the FedRAMP PMO.”
The advisory committee, he said, “will ensure effective and ongoing coordination of agency adoption, use, authorization, monitoring, acquisition and security of cloud computing products and services to enable agency mission and administrative priorities.”
Policy Lookahead
Rep. Connolly also pointed to the growth in the FedRAMP program, and its increasing importance to government agencies going forward as cloud use expands.
Currently, he said, the program boasts more than 300 cloud service offerings, 160 Federal agencies participating, and more than 1,900 re-uses by agencies of cleared services. “That’s a lot of progress, as compared to the early days of FedRAMP,” the congressman said.
“Federal software vendors with cloud-based solutions have overwhelmingly applied for FedRAMP authorization, and it’s projected that FedRAMP High will over the next one to three years become the minimum standard,” he said.
“Looking at those numbers, it is unsurprising that FedRAMP has become an essential element of how the Federal government modernizes its own IT systems and ensures that the cloud-based solutions it acquires are cyber resilient,” the congressman said.
“In fiscal year 2022, the Federal government spent a total of $12.3 billion on cloud goods and services – that’s a 30 percent increase from just a year before,” he said. “This trajectory makes it clear that cloud adoption will continue to escalate at a very rapid pace.”
The bottom line, he said, is that cloud services allow Federal agencies to improve security and to scale service use. On that last point, he said, “this flexibility allows the government to capture previously unavailable cost savings.”
Looking ahead on the policy front, Rep. Connolly said, “we also need to work to optimize our data and I look forward to working with the administration to more efficiently scope our cloud contracts to fit the Federal government’s needs.”
“While our government should embrace ways to improve federal agencies’ capabilities, through rapid cloud adoption, it must be done right,” he said.
He cited recent research outlining four challenges that Federal agencies need to address to “fully realize the benefits of transitioning to cloud services,” including attracting a skilled IT workforce, making sure that cloud contracts properly state service and performance expectations, requiring agencies to accurately track and record cloud spending and savings, and putting in place a standardized approach to selecting cloud services that meet “robust Federal security requirements.”
“The government’s cloud security risks do not stop at the bounds of its Federal networks,” he said. “Industries – highly regulated but not controlled by the Federal government, especially those designated as critical infrastructure sectors – are experiencing increasing rates of cloud adoption.”
“Therefore, we must ask ourselves if our current policy tools are effective, and governing clouds, increasing complexity and criticality,” the congressman said.