FedRAMP bill before Congress

I just saw this bit of news from yesterday that looks like it will help a number of our companies. I don’t know if others beyond the cybersecurity companies (S, CRWD, ZS) that we follow are working on FedRAMP authorization, but the bill aims to speed up the process of authorizing cloud companies working with US government data.

Here’s the link: https://www.fedscoop.com/fedramp-reform-legislation-appended-to-ndaa/.

Apparently there has been a 6+ year effort led by Rep. Gerry Connolly, D-Va to make authorization easier, to no avail. So finally Congress bundled it with the National Defense Authorization Act, which they hope to pass by year’s end. The new legislation would simplify many of the cybersecurity hurdles that cloud companies need to get in order to obtain FedRAMP authorization.

From the article:

One of the most consequential aspects of the FedRAMP reform bill is a “presumption of adequacy” clause, which would allow FedRAMP-authorized tools to be used in an agency without additional oversight or verification.

FedRAMP is a crucial cybersecurity certification that cloud service providers must obtain prior to working with U.S. government data.

The House is first expected to vote and pass the NDAA this week, followed by the Senate next week, before heading to President Joe Biden’s desk for final approval.

While it’s about cybersecurity hurdles, it sounds to me like this is about more than cybersecurity companies, making it easier for any cloud company to satisfy security concerns in dealing with government data.

Does this affect other companies we follow also? Or could it? DDOG and SNOW maybe?



Hello Jabbok,
In a past life, I was the FedRamp implementation project manager for a quasi-governmental body that got certified. I am not sure you conclusion and the article snippet correlate.

There would be a HUGE concern if this was true,

“The new legislation would simplify many of the cybersecurity hurdles that cloud companies need to get in order to obtain FedRAMP authorization.”

The bit of article you posted suggests that FedRamp tools that have been authorized. This would mean to me that the people who are providing the tools, still have to go through all the rigor to meet the guidelines.

From my experience this would eliminate a lot of the back and forth between the provider and the customer. It eliminates the need on the customer side (ie - my previous job) to build up an expertise that they really do not need.

So the cloud companies will still follow a very rigorous process, but the customers of those companies can now presume the tools will meet their needs.


This is really helpful clarification, thank you!

Probably because it was a very specialized news outlet, it didn’t take time to explain exactly what was being simplified—at least in a way that the uninitiated could understand.

The way it is currently, does a company authorized for one government agency then have to jump through the same hoops for other agencies? Or does one authorization do it across the federal government?

Does this example get at it? An agency wants to use Datadog. Datadog protects their platform with Crowdstrike. In the current system, Datadog would have to jump through all the hoops that Crowdstrike did to get authorized. With this new bill, Datadog gets waved through because they have already vetted CRWD. Is that it?

Thanks for you help!


That’s sounds like it would be the case.

If Datadog has three certified tools built into its product, then they should be able to claim FedRamp on those tools. Any other parts of product they create would have to get certified separately.


So is it fair to say that this bill would move them from authorizing companies per se (tons of those) to authorizing tools (far fewer of those)? And that, in turn, would be a huge benefit to the companies who produce those tools if they have obtained FedRAMP authorization. Any company wanting a government contract would be seeking out the tools that were already authorized. Yes?