The Senate Homeland Security and Governmental Affairs Committee held a roundtable discussion on Nov. 30 with Federal officials and industry experts about proposed reforms to the General Services Administration’s (GSA) Federal Risk and Authorization Management Program (FedRAMP).
Sen. Gary Peters, D-Mich., chairman of the committee, held the roundtable to hear recommendations and suggestions for his proposed legislation, The Federal Secure Cloud Improvement and Jobs Act. The bill would codify FedRAMP and ensure that Federal agencies can quickly and securely adopt cloud technologies.
Ranking Member Rob Portman, R-Ohio, highlighted the need to address current security issues and inefficiencies in FedRAMP before codifying the current program.
Current weaknesses, according to Sen. Portman, leave FedRAMP “vulnerable to foreign-backed hackers targeting cloud systems.”
“Right now, we do not have sufficient safeguards in place to identify and prevent foreign interference in our cloud systems and I believe that must change before we codify this program,” Sen. Portman said.
Sen. Portman also noted his concern over third-party assessment organizations (3PAOs) and the potential conflicts of interest that arise when cloud service providers choose, and pay for, their own 3PAO security assessor.
Steve Kovac, chief compliance officer and head of global government affairs at Zscaler and one of the industry witnesses at the hearing, said, “I think that the FedRAMP policy is in line with almost every other audit that we do across the corporate world and I think that you have to believe that your 3PAO is going to be ethical and do their job.”
“I think that trying to find a way to regulate it… is going to slow the process tremendously,” Kovac added. “It’s the way we do all of our independent audits and I would be troubled to get away from that.”
Jeff Stern, CEO at Chain Security, agreed that 3PAOs are “absolutely necessary” to have a scalable and timely program, but proposed that 3PAOs could be “hired and assigned by GSA” as a possible solution to Sen. Portman’s concern around conflicts of interest.
As far as the legislation goes, David Shive, the chief information officer at GSA, emphasized that “there’s a certain advantage in being less prescriptive in legislation.”
“The risk changes. You look at the risk associated with cybersecurity, it’s changed and morphed over time. And the program has changed and morphed right along with it,” Shive said. “We suspect that under the supply chain risk that same less prescriptive model would be most effective because we cannot anticipate what that threat is going to look like in the future. And we run the risk of tying our hands if we’re too prescriptive.”
Kovac said he believes key requirements around security are already present in Sen. Peters’ bill, but he would support “tightening language in the bill in any way we can.” Kovac said “the good news is the benchmarks are there today,” and that he supports the bill at hand.
“Zscaler supports the Federal Secure Cloud Improvement and Jobs Act (S. 3099) and appreciates the efforts of this committee and others in Congress to move the legislation forward,” Kovac said.
“The bill is critical for the program itself, in that it will drive continuous improvement of the program while helping ensure that Federal agencies have access to the cybersecurity tools needed to protect them from today’s ever-evolving cyber threats,” Kovac added.