(a) Reports to Congress.—Not later than 1 year after the date of enactment of this section, and annually thereafter, the Director shall submit to the appropriate congressional committees a report that includes the following:

(1) During the preceding year, the status, efficiency, and effectiveness of the General Services Administration under section 3609 and agencies under section 3613 and in supporting the speed, effectiveness, sharing, reuse, and security of authorizations to operate for secure cloud computing products and services.

(2) Progress towards meeting the metrics required under section 3609(d).

(3) Data on FedRAMP authorizations.

(4) The average length of time to issue FedRAMP authorizations.

(5) The number of FedRAMP authorizations submitted, issued, and denied for the preceding year.

(6) A review of progress made during the preceding year in advancing automation techniques to securely automate FedRAMP processes and to accelerate reporting under this section.

(7) The number and characteristics of authorized cloud computing products and services in use at each agency consistent with guidance provided by the Director under section 3614.

(8) A review of FedRAMP measures to ensure the security of data stored or processed by cloud service providers, which may include—

(A) geolocation restrictions for provided products or services;

(B) disclosures of foreign elements of supply chains of acquired products or services;

(C) continued disclosures of ownership of cloud service providers by foreign entities; and

(D) encryption for data processed, stored, or transmitted by cloud service providers.


(b) GAO Report.—Not later than 180 days after the date of enactment of this section, the Comptroller General of the United States shall report to the appropriate congressional committees an assessment of the following:

(1) The costs incurred by agencies and cloud service providers relating to the issuance of FedRAMP authorizations.

(2) The extent to which agencies have processes in place to continuously monitor the implementation of cloud computing products and services operating as Federal information systems.

(3) How often and for which categories of products and services agencies use FedRAMP authorizations.

(4) The unique costs and potential burdens incurred by cloud computing companies that are small business concerns (as defined in section 3(a) of the Small Business Act (15 U.S.C. 632(a))) as a part of the FedRAMP authorization process.