The Congressional Budget Office has provided a cost analysis for a bipartisan effort to improve the US government's cloud procurement standardization process, FedRAMP.
CBO found that the FedRAMP Authorization Act, H.R.3941, would cost $100m over five years. But the bill's cosponsors claim that, should it pass, "significant" cost savings are expected.
For cloud services and related products to be used by federal agencies, vendors must go through a security evaluation to receive an authority to do business with the government.
FedRAMP, operating within the General Services Administration, was meant to standardize this certification process and speed it up. But the initiative has proven slower and more expensive than expected. Sometimes vendors have been left waiting years for approval, instead of the expected six months.
“The Federal Risk and Authorization Management Program continues to suffer from a lack of agency buy-in, a lack of metrics, and duplicative processes that have resulted in a lengthy and costly authorization process for cloud service providers,” Rep. Gerry Connolly, D-Va, who co-sponsored the bill with Republican representative Mark Meadows (NC), said when introducing H.R.3941 last year.
“Our bipartisan bill will streamline the FedRAMP process and reduce the redundancies in federal cloud migration, so federal agencies can modernize their IT and realize cost-efficiencies.”
Meadows added: “It’s critical that we streamline processes for [FedRAMP] to cut costs, improve efficiency, and better facilitate modernization for their IT systems. I’m grateful to work with Gerry Connolly on this bipartisan legislation that will do just that.”
The two congressmen, who have partnered to work on federal data center consolidation initiatives, tried to overhaul FedRAMP back in 2018, but that effort ultimately stalled.
H.R.3941 takes some of the lessons learned from the attempt, and focuses on seven areas:
- Codifies the Federal Risk and Authorization Management Program (FedRAMP) and defines the roles and responsibilities of federal agencies and independent assessment organizations to ensure appropriate security of cloud-based information technology (IT)
- Reduces duplication of security assessments by establishing a presumption of adequacy
- Facilitates agency reuse of FedRAMP authorized cloud products and agency compliance with FedRAMP requirements
- Requires agencies to report their authorizations to operate
- Ensures adequate authorization of resources to operate FedRAMP
- Establishes metrics that can be tracked to ensure proper implementation of FedRAMP
- Establishes the Federal Secure Cloud Advisory Committee
These changes, the sponsors attest, will speed up the process and lower costs. “Cloud computing is the future of technology. The Federal government must do better when it comes to acquiring cloud services, because cloud adoption leads to more modernized systems and more secure data,” Rep. Connolly said in a December 2019 working session.
“We cannot afford to repeat the siloed policies of the past that have led to spending $90 billion annually, much of it to simply maintain old legacy systems that are inefficient, expensive, and not encryptable.”
In the session, the House Oversight and Reform Committee voted to advance the bill to the full House, where it still awaits a vote. Passing the committee also meant that the CBO was mandated to provide a cost estimate, which was made public on February 3.
"H.R. 3941 would authorize the appropriation of $20 million annually for this program," the review states.
"The bill also would establish the Federal Secure Cloud Advisory Committee. Composed of 15 members, the committee would examine how the cloud process could be improved. Using information about the cost of other advisory committees, CBO estimates implementing this provision would cost about $3 million over the 2020-2025 period."
It continues: "Assuming appropriation of the specified and estimated amounts, CBO estimates that in total, implementing H.R. 3941 would cost $100 million over the 2020-2025 period, primarily to carry out the Federal Risk and Authorization Management Program."