[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 3408 Introduced in Senate (IS)]

<DOC>






117th CONGRESS
  1st Session
                                S. 3408

    To amend chapter 36 of title 44, United States Code, to require 
   reporting regarding the security of cloud computing products and 
                               services.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                           December 15, 2021

  Mr. Ossoff introduced the following bill; which was read twice and 
referred to the Committee on Homeland Security and Governmental Affairs

_______________________________________________________________________

                                 A BILL


 
    To amend chapter 36 of title 44, United States Code, to require 
   reporting regarding the security of cloud computing products and 
                               services.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Federal Cloud Risk Management 
Improvements Act''.

SEC. 2. REPORTING REGARDING SECURITY OF CLOUD COMPUTING PRODUCTS AND 
              SERVICES.

    (a) In General.--Chapter 36 of title 44, United States Code, is 
amended by adding at the end the following:
``Sec. 3607. Reporting regarding security of cloud computing products 
              and services
    ``(a) Definitions.--In this section:
            ``(1) Agency.--The term `agency' has the meaning given the 
        term in section 3502.
            ``(2) Cloud computing.--The term `cloud computing' has the 
        meaning given the term in Special Publication 800-145 of the 
        National Institute of Standards and Technology, or any 
        successor document.
            ``(3) Cloud service provider.--The term `cloud service 
        provider' means an entity offering cloud computing products or 
        services to agencies.
    ``(b) Reporting.--Not later than 1 year after the date of enactment 
of this section, and annually thereafter, the Administrator of General 
Services shall submit to the Committee on Homeland Security and 
Governmental Affairs of the Senate and the Committee on Oversight and 
Reform of the House of Representatives a report that includes a review 
of measures taken under the Federal Risk and Authorization Management 
Program, or any successor thereto, to ensure the security of data 
stored or processed by cloud service providers, which may include--
            ``(1) geolocation restrictions for provided products or 
        services;
            ``(2) disclosures of foreign elements of supply chains of 
        acquired products or services;
            ``(3) regular disclosures of ownership of cloud service 
        providers by foreign entities; and
            ``(4) encryption requirements for data processed, stored, 
        or transmitted by cloud service providers.''.
    (b) Conforming Amendment.--The table of sections for chapter 36 of 
title 44, United States Code, is amended by adding at the end the 
following:

``3607. Reporting regarding security of cloud computing products and 
                            services.''.
                                 <all>