Congress shouldn’t overlook FedRAMP funding in 2016 budget

FedRAMP is an important tool for making government cloud computing more secure. Not fully funding it would be a mistake.


Many in Washington, D.C., are well aware of the double-digit increase in the cyber budget that the president requested earlier this year. Overall, the need for more resources to prevent cyber incursions and protect sensitive data is widely accepted.

That’s why it’s important Congress not overlook a small provision in the General Services Administration 2016 budget proposal to support a little-known but crucial governance group called the Federal Risk and Authorization Management Program, or FedRAMP, that will help enhance the security of government data.

FedRAMP is charged with standardizing security assessments for cloud systems across government. While underappreciated, these standardization efforts are vital to improving the security of government data.


This effort is more critical than ever, with cyber breaches on the rise in the private and public sectors — all the more after the Office of Personnel Management reported it had millions of records compromised. Breaches like this can be prevented, and programs like FedRAMP can help. But the government could also take additional steps to make FedRAMP even more effective.

How FedRAMP and CJIS improve cloud security

The GSA established FedRAMP in late 2011 to provide a “cost-effective, risk-based approach for the adoption and use of cloud services.” Practically speaking, FedRAMP guidelines ensure that a third-party assessor must validate the security practices of a cloud service provider before its services can be used widely in government. Since the program’s inception, more than 25 cloud service providers have had their services certified, including large companies such as IBM, Amazon and Microsoft.

Concurrently, the FBI announced in 2012 that its cloud providers must meet another stringent set of security benchmarks designed to protect the security of criminal justice information in cloud systems, known as CJIS standards. Thanks to these important standards, cloud providers are required to protect information such as fingerprints and facial recognition data as it is shared among law enforcement agencies at the federal, state and local levels.

In today’s law enforcement community, video surveillance has become increasingly important. To that end, the International Association of Chiefs of Police, or IACP, just released guidelines that build on CJIS to help government agencies protect large amounts of video data. IACP is the largest organization of police executives across the globe, developing policy guidance to address the needs of today’s evolving law enforcement landscape.


Following the increase of breaches within police agencies, coupled with the rise of body-worn camera programs, the need to store data at the highest level of security is paramount. Moving forward, these updated guidelines from IACP will offer protections to law enforcement and citizens alike.

A call to action

It is not unusual for multiple government agencies — such as the GSA and the FBI in this case — to work on the same or similar priorities in overlapping ways. The challenge lies in integrating these efforts to produce the best outcomes for all stakeholders.

With this in mind, there are two distinct steps the government can take to improve cloud security via the FedRAMP program:

1. GSA should incorporate CJIS standards into its FedRAMP requirements. Specifically, the agency should update its FedRAMP Forward plan — a recently released guide for the next two years of the program. The plan should be amended to include approval of CJIS standards in the next 12 months and the implementation of CJIS as part of the authorization process by year two. Last fall, the FBI updated the policies that prescribe methods of data collection, transmission, storage and destruction to establish a consistent level of data protection.


These updated policies should be taken in tandem with the IACP’s new data-protection suggestions. The incorporation of CJIS standards and the IACP guidelines will help validate what is really happening with data in transit or at rest, which is also the purpose of FedRAMP’s third-party assessors. Building on these standards will enhance the security of data intersecting cloud systems and unify standards across government.

2. When approving the budgets for the FBI and GSA, Congress should encourage the agencies to adopt CJIS standards within FedRAMP. Specifically, Congress should insert language into its appropriations bills directing the agencies to work together and incorporate these standards. Making these standards the norm will align requirements across all federal government agencies, including law enforcement organizations. The alignment will clarify expectations for agencies and technology providers.

Seemingly small changes go a long way

These improvements are not intended to supplant needed funding for FedRAMP. Congress should fully fund the president’s FedRAMP budget request to allow the program to keep up with evolving technology and government purchasing needs.

These seemingly small changes can make an enormous difference to the government and its cloud providers. While few will be aware of the inner workings of the changes, once they take hold, law enforcement agencies and citizens alike will benefit from cloud providers offering more secure capabilities to protect sensitive data.


Julie M. Anderson is a principal at AG Strategy Group. She previously served as acting assistant secretary and deputy assistant secretary of policy and planning at the Department of Veterans Affairs under President Barack Obama.
