Senators see room in FedRAMP bill to address supply chain security threats

The top Republican on the Senate Homeland Security and Governmental Affairs Committee is looking to tighten the rules for providing secure cloud services to the federal government.

The Federal Secure Cloud Improvement and Jobs Act would codify the FedRAMP cloud security authorization program into law. HSGAC Chairman Gary Peters (D-Mich.) and Sens. Maggie Hassan (D-N.H.), Josh Hawley (R-Mo.) and Steve Daines (R-Mont.) introduced the bill in November.

The Senate legislation is similar to a bill introduced by Rep. Gerry Connolly (D-Va.) that the House passed in January and included in its version of the fiscal 2022 National Defense Authorization Act.

In a statement, Connolly told Federal News Network that the legislation “brings us one step closer to reforming, streamlining, and codifying this critical cybersecurity regime for federal cloud technologies.”

But Ranking Member Rob Portman (R-Ohio) said he’s looking to tweak the bill and change how third-party assessment organizations (3PAOs) — organizations certified to ensure products from cloud service providers meet FedRAMP standards — operate under the program.

“Surprisingly, cloud service providers are the ones who choose which 3PAO assessor will conduct a security assessment of their cloud system and pay for it. So to me, that creates a potential conflict of interest,” Portman said at Tuesday’s committee roundtable hearing.

Portman and other senators on the committee see the FedRAMP bill as an opportunity to raise the bar on federal cybersecurity in the wake of the SolarWinds breach. However, the team overseeing FedRAMP is urging lawmakers against supporting legislation that would restrict their flexibility in responding to emerging threats.

Steve Kovac, the chief compliance officer and head of global government affairs at Zscaler, said cloud service providers selecting which 3PAO vets their products isn’t any different from companies choosing from a variety of third-party firms to conduct their annual financial audits.

“The FedRAMP policy is in line with almost every other audit that we do across our corporate world. I think that you have to believe that your 3PAO is going to be ethical and do their job. And if they don’t, with me as a [cloud service provider], we’d throw them out — and I’ve done it, for sure,” Kovac said.

Peters said the bill would provide “quicker, more secure commercial cloud capabilities in government, which will improve cybersecurity and empower agencies to deliver modern digital services to citizens.”

Portman said he’s in favor of codifying the FedRAMP program into law, and said reuse of authorized cloud systems under the FedRAMP program has helped agencies avoid spending an additional $716 million in IT costs.

However, he said the program doesn’t do enough to guard against state-supported hackers targeting cloud systems.

“Right now, we do not have sufficient safeguards in place to identify and prevent foreign interference in our cloud systems, and I believe that must change before we codify this program,” Portman said.

While FedRAMP has improved over the past 10 years, Portman said the program still suffers from high costs, long timelines and inconsistent review processes across agencies. As a result, he said agencies have fewer cloud service offerings to choose from compared to their private-sector counterparts.

Ashley Mahan, the acting assistant commissioner of the General Services Administration’s Technology Transformation Services, said FedRAMP in the past three years has more than doubled the number of cloud service authorizations, from 100 to 240.

Mahan said GSA is looking at ways to automate and modernize the FedRAMP processes, “given the continued demand for secure cloud technology and the need to work remotely.”

Eric Mill, a senior adviser to Federal Chief Information Officer Clare Martorana, said the Biden administration sees the FedRAMP program as the foundation to “meaningfully raise the bar for federal cybersecurity in the modern era.”

“We are relying on FedRAMP to help implement the president’s executive order on cybersecurity, to support agencies as they migrate to a zero trust architecture, and generally to accelerate the adoption of modern cloud tools that improve agency efficiency and ultimately, the public’s experience with their government,” Mill said.

Ross Nodurft, executive director of the Alliance for Digital Innovation, said the legislation would address many of the recommendations to strengthen the FedRAMP program proposed by the Government Accountability Office and the GSA inspector general.

GAO in 2019 found that nearly half of the 24 agencies it surveyed said FedRAMP had improved their data security. Most agencies, however, sought automated, continuous monitoring to ensure they were getting real-time security information about the services they use.

The GSA IG, meanwhile, wrote in a report the same year that the FedRAMP Program Management Office’s “goals and objectives are not sufficient to assess if it is effectively accomplishing its mission.”

Jeff Stern, the CEO of Chain Security, urged senators to consider strengthening the supply chain transparency of cloud services going through the FedRAMP process.

“The code could all be developed in China, yet there’s no disclosure requirements here… at the very least, a buyer or user at DoD, or at DHS, or wherever, should be able to know how much of the code was written overseas and what percentage was written overseas,” Stern said.

Mahan said Stern provided some of these recommendations to the FedRAMP team last year. The program, she added, has geolocation restrictions for some of the federal government’s more sensitive unclassified information, and is working with NIST on future supply chain security control updates.

Mahan said the FedRAMP team built the framework for 3PAOs based on leading industry standards, and said the team continues to monitor 3PAO performance.

“They are charged with validating that the security implementations from cloud service providers are true and accurate, which gives agencies in turn, the ability to make those risk-based decisions in terms of using those cloud systems, so we are absolutely on board to continue evolving this program,” she said.

Kovac said the FedRAMP program has made drastic improvements over the past decade. The program, he said, evolved from being an “onerous” process that took up to four years to authorize a cloud service product, to one that can approve cloud services with the highest impact in just over two months.

“They’ve learned what to look for, what are the things that can trip up an agency, what are the things that can trip up a [cloud service provider]?” Kovac said.

Anthony Fisic, executive director for Global Security Services, a FedRAMP-authorized provider that supports the Library of Congress and libraries at military bases with low-impact cloud services, warned senators not to raise the bar for FedRAMP authorization so high that small companies can’t compete.

“It really hurts us. It’s what we want to do, but just that administrative overhead is massive. We’re not Zscaler, we’re not all these companies. We’ve got a 10-person security team working 15 hours a day trying to do the right thing,” Fisic said.

Nodurft said lowering the barrier to entry and increasing the number of authorizations available under FedRAMP “is going to be a big marker of success” for the program.

Mahan said the legislation would help increase reuse and reciprocity of FedRAMP authorizations, increase agency participation in the program and would allow FedRAMP to usher more cloud products through the authorization process.

David Shive, GSA’s chief information officer and one of the three CIOs on the FedRAMP Joint Authorization Board, said the FedRAMP team over the past 10 years has constantly shifted to stay on top of the latest compliance and risk management issues that come with emerging technology.

Shive urged senators to ensure that flexibility remains in place as part of efforts to codify the FedRAMP program.

“What I would say is, as you’re crafting and thinking about legislation, that you create time and space for the program to be able to continue to iterate over time, be less prescriptive, be more allowing of knowing that we can’t fully assess what the cybersecurity threat in the future is going to look like, and that the team needs to have that agility built in,” Shive said.

Mill said the FedRAMP legislation would provide more “certainty and stability” to the program, and would support federal adoption of cloud services from large and small companies.

“The federal government does not have to always be a late adopter, and sometimes it is riskier to be a late adopter,” Mill said.
