To the Cloud! The Cloudy Role of FedRAMP in IT Modernization

Date: Wednesday, July 17, 2019 - 11:00am
Location: 2154 Rayburn House Office Building, Washington, DC 20515

CHAIRMAN CONNOLLY'S OPENING STATEMENT

PURPOSE

The Office of Management and Budget (OMB) established FedRAMP in December 2011 to provide joint authorizations and continuous security monitoring services for cloud services for all federal agencies. FedRAMP seeks to provide a cost-effective, risk-based approach for the adoption and use of cloud services by standardizing security requirements for the authorization and ongoing cybersecurity assessments of cloud services for information systems. The hearing will examine the extent to which FedRAMP has reduced duplicative efforts, inconsistencies, and cost inefficiencies associated with the cloud security authorization process.

BACKGROUND

The Office of Management and Budget (OMB) established FedRAMP in December 2011 to provide joint authorizations and continuous security monitoring services for cloud services for all federal agencies.

FedRAMP seeks to provide a cost-effective, risk-based approach for the adoption and use of cloud services by standardizing security requirements for the authorization and ongoing cybersecurity assessments of cloud services for information systems.

The federal government spends roughly 80 percent of its $90 billion in IT spending on operations and maintenance of existing systems, including many legacy systems. Programs like FedRAMP are critical to accelerating the government’s adoption of modern and improved IT solutions.

The 2019 Federal Cloud Computing Strategy, CloudSmart, reported on some of FedRAMP’s challenges and the continued need for process evolution and standardization. It stated that “a lack of reciprocity across agencies when adopting FedRAMP authorizations has led to significant duplication of effort when assessing security for product deployment. In addition, a large number of agency-specific processes has made it complicated for agencies to issue an Authorization to Operate (ATO) for solutions, even when using existing authorized cloud service providers.”

WITNESSES

Panel One

Mr. Anil Cheriyan
Director, Technology Transformation Services
General Services Administration

Mr. Jack Wilmer
Deputy Chief Information Officer for Cybersecurity
U.S. Department of Defense

Mr. Joseph Klimavicz
Deputy Assistant Attorney General and Chief Information Officer
U.S. Department of Justice

Mr. Jose Arrieta
Chief Information Officer
U.S. Department of Health and Human Services

Panel Two

Mr. Jonathan Berroya
Senior Vice President and General Counsel
Internet Association

Mr. Douglas Barbin
Principal
Schellman & Company, LLC

Mr. Will Ackerly
Chief Technology Officer
Virtru

Ms. Lynn Martin
Vice President of Government, Education, and Healthcare
VMware

116th Congress