At Hearing, Experts Agree With Portman on Need for FedRAMP Reforms & Benefits of Buy America Laws

WASHINGTON, DC – This morning during a Senate Homeland Security and Governmental Affairs Committee hearing on procurement innovation, Grant Schneider, Senior Director of Cybersecurity Services at Venable LLP, agreed with U.S. Senator Rob Portman (R-OH), Ranking Member of HSGAC, on the need to address security challenges facing the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP, the program the federal government uses to assess the security of cloud-based services for government use, currently does not adequately address risks posed by foreign-based hackers from countries like China and Russia. Mr. Schneider agreed with Portman on the importance of addressing those weaknesses and establishing safeguards to identify and prevent foreign interference through reforms to the legislation under consideration that will codify the current program.

In addition, Soraya Correa, President and Chief Executive Officer of Soraya Correa & Associates, LLC, agreed with Portman on the benefits of having Buy America laws in place. Last year, Portman’s bipartisan Act and Build America, Buy America Act were signed into law as part of the historic bipartisan Infrastructure Investment & Jobs Act. These bills ensure Buy America rules are applied to all taxpayer-funded infrastructure and public works projects and establish a centralized online hub to increase transparency for American manufacturers and ensure federal agencies prioritize the purchase of American-made goods in compliance with existing law.

Finally, Portman also discussed with the witnesses ways the federal government could help agencies enhance the procurement processes in an effort to combat hiring challenges facing the federal workforce.

A transcript of the exchange can be found below and videos can be found here and here.

Portman: “Thank goodness, because you never know once Carper gets that gavel what he might do with it. I’ve seen you in action. So thank you all again for your work on the procurement front. Not always, as Ms. Correa kind of suggested, the best image. People think procurement, and sometimes their eyes kind of glaze over. I taught a course in procurement when I left the Office of Management and Budget, and many of my students’ eyes sort of glazed over. But by the end of the course, I think they understood that it really is essential both for the proper use of our taxpayer dollars and also you can do amazing things for these small businesses, in particular, giving an opportunity to work with government. And obviously we want the best for the services that we provide. 

“One of the programs that I have concerns about is called FedRAMP. It’s basically kind of a preclearance program for cloud services. And Mr. Schneider, you know a lot about this. I think it has weaknesses that make it vulnerable to foreign-based threats targeting our cloud systems. That would include China and Russia, by the way, in terms of some of these threats. The Senate unanimously passed our bill called Strengthening American Cybersecurity Act, which would address some of these issues. Mr. Schneider, have you looked at that legislation, and do you think it would be helpful?” 

Grant Schneider, Senior Director of Cybersecurity Services at Venable LLP: “So I’m not intimately familiar with the legislation. However, I certainly agree with you that the FedRAMP program has some very good intentions. It certainly has some room for improvement there. And I think that we have to consider supply chain risk management in all our acquisitions, whether it’s for cloud services or any other services that we’re getting and really come up with consistent ways that we can evaluate a vendor, again for quality of product and trustworthiness of the vendor themselves and potentially any legal oversight that their host country could put upon them.” 

Portman: I think it’s really important that we have these reforms to protect these cloud based systems, and my hope is the House will take it up and be properly implemented. What do GSA and FedRAMP programs need to do to attract small and innovative technology companies to become FedRAMP certified and to provide services to the federal government?” 

Mr. Schneider: I think the struggle with small businesses and working to help some small businesses go through that process, it’s a very intensive and expensive process to get through that has a lot of compliance. And so I think, A) the program office at GSA needs to be bigger and needs to be a better resourced to be able to work with more companies. I think they need to seek ways to reduce the burden and reduce the amount of paperwork associated. I think it also goes to being able to evaluate companies for their security outcomes, as opposed to just for their security paperwork and the processes. They certainly need to have processes in place, but we need more flexibility on how you can meet the security outcomes for all businesses, small and large.” 

Portman: Well, that’s one of our goals here. And my hope is that this legislation can pass to help protect the cloud-based services, but also we can expand the number of companies that are innovative technology companies that will provide that service. On the Buy America laws, we talked about it in my opening statement quite a bit, but bottom line is we’re spending more and more money on goods being manufactured around the country. But also, $34 billion was spent on goods manufactured by foreign firms in the last five years. Department of Defense, largest purchaser of manufacturer goods in the world, has spent over $200 billion on foreign products since 2007. And, of course, we’ve lost manufacturing jobs during that time period. So Ms. Correa, talk about that a little bit, if you would. And maybe one thing that would be interesting, I think, for people to hear is what steps does a contracting officer go through in determining whether or not to apply for a waiver of our Buy America laws?” 

Soraya Correa, President & Chief Executive Officer of Soraya Correa & Associates, LLC: “Sure, certainly, thank you. Thank you for the question. So the Buy American Act is a little bit challenging because you have to look at it in conjunction with other legislation, such as the Trade Agreements Act and a couple of other legislations. Generally speaking, what a contracting officer has to do is, first of all, they’ve got to make sure they’re incorporating the right clauses in the contract, but they also have to look at the product and determine if that product is available by American manufacturers. That’s done in a number of ways. They can publish it out in the Federal BizOps, the publication that tells contractors that were interested in certain products or services. Typically, what agencies do on an annual basis is identify all those products that they buy from foreign manufacturers and publish them so that companies out there can tell us if they can make those products or if they’re interested in selling those products to the government. What I’ve seen is that typically when certain agencies are buying things like aircraft parts, parts of ships, it depends what engine they bought. And if that engine was bought by a foreign manufacturer, then you’re probably going to have to buy the parts from that manufacturer. That’s what I’ve typically seen. 

“At DHS, one of the things that I did to improve compliance with Buy American Act, and I did this probably about six years ago when I was well into the job, was I raised the threshold for review. Instead of leaving it at the head of contracting level, it came to my level to review any waivers for Buy American Act, and that seemed to cut down the number of the waivers. But it also made us more conscious of what people were buying and how they were buying. But generally speaking, the process is they do have to look to see if there are American manufacturers out there, they do have to announce that they intend to buy this product from company XYZ, whoever they may be, so that companies can come in and tell us if they manufacture the product. I do want to add that I think some of the recent efforts that OMB has undertaken to take a closer look at Buy American compliance, I think those processes will work. I think compliance varies by agencies based on what they buy and how they buy.” 

Portman: Yeah. As I said earlier, 2021 was sort of Buy America year. We had historic reforms to Buy America Act and expanding it. And again, I’m pleased that the executive order has been issued with regard to, the website, which is kind of a clearinghouse, as you say, that’s needed to let people know both on the private side what the opportunities are, but also to let government contractors know, contracting officers, procurement officers, that there’s a business out there that can provide this. Sometimes that’s lost. Do you think that the transparency and the clearinghouse element of can be successful in expanding the use of US manufacturers?” 

Ms. Correa: “Yes, I do believe that it can be successful. But I also think we have to do something a little bit more practical, and that is we need to get out there and talk to industry. We need to go out and understand why industry perhaps is not interested in selling certain products or manufacturing certain products in support of government needs. A lot of times it has to do with the lack of guarantees in the contracts. I think Elizabeth mentioned that in her testimony that sometimes these contracts, the way they’re written, the company doesn’t know when they’re going to recover their costs, if they’re going to recover their costs. And there are upfront investments the companies have to make if they’re going to go into the manufacturing of certain products. So I think that’s extremely important. And this all ties back to something that Grant said, and that is we got to build cohesive teams that plan the procurement properly. Think about all these factors, whether it’s cybersecurity, FedRAMP certification, Buy American. When you build that team upfront and you put it on the front end of the equation, you’re going to write a much better solicitation, you’re going to engage in a much better procurement process, and you’re probably going to be bringing industry in a lot earlier to talk about what you’re thinking about doing so they can get some input. So I’m a huge advocate of the coordinated teams, but got to get them up front.” 

Portman: “And expediting the process so that it moves more quickly because we’re moving at faster and faster speeds in our economy, and particularly with inflation. We’ve got a real challenge right now to ensure we’re spending that taxpayer dollar most efficiently. Senator Carper, when I taught this procurement class, it was at the Ohio State University, at the Glenn School. Now Glenn College. Your Alma Mater named after the former chairman of this Committee. Mr. Chairman.” 


Portman: “With regard to workforce, we talked earlier about the challenge that you’re facing. And let’s face it, pretty much every sector of our economy is facing it right now, the private sector and public sector. And with unemployment at under three percent and competition for talented workers being more intense than ever, I’m concerned that the federal government is going to have even a harder time hiring individuals with private sector experience to help the acquisition system work better because I think it’s very helpful to have the private sector coming in and helping our government to be able to recruit people who understand the needs on both sides of the table, the private sector companies we want to engage more in procurement and the government side. So my question to you would be this, what can we do to make sure that we are competitive and what can we do better? Ms. Correa, why don’t you start off since you’ve been looking at this question over many years and you’ve seen times when it’s easier and times when it’s harder.”

Ms. Correa: “So that’s a great question. And I want to mention first, the hiring process is painful, and I think you’ve heard that before from other sides of the house, from the HR folks in government. We’ve got to modernize our hiring process. It takes too long to hire people. I literally had to authorize overhires, meaning telling my folks, hire an excess of the budget, meaning go out and recruit people because we know we’re going to lose people, that way we have people sitting on the bench ready to come in. I shouldn’t have to do that. I should be able to run a process where I can go and pick up people. I need a talented individual. I should be able to go up and say, hey, Elizabeth, come join my team. Here’s what you apply for. Let’s look at this resume and let’s get her on board. We don’t move that fast, even with direct hire authority. You’ll hear about direct hire authority, you have to go through a lot of rules and reports and statistics just to justify using that authority that’s been given to us. I think therein lies the problem. We got to have a better process. But then again, I revert back to what I said earlier. We’ve got to put the right leaders in place that know how to do this, that know how to motivate a workforce. When I came to the headquarters, Homeland Security, to run one of the first offices that I ran, which was the Office of Procurement Operations, we had 60 people on board. I was authorized 250 people, and I needed to hire quickly. I got 250 people on board in less than two years. But that’s because I marshalled the troops and we went out there and recruited. But it’s hard to do with the current processes that are in place.”

Portman: I think that’s a great point we hear in this Committee, despite some of the improvements we tried to make, like direct hiring, and by the way, some of it’s agency by agency, I think it should be government wide. We hear people telling the story about having found somebody talented, and the person, after two or three weeks of waiting, gets an offer from the private sector, the private sector says we’ll hire you tomorrow with benefits ready to go. And they say, I’d love to join the government and done some public service here, but I can’t wait four or five, six months. I’ve got to move. So I think that’s a disadvantage that we have. Senator Peters is now back, I want to let him ask questions, but anybody, Ms. Sullivan or Mr. Schneider, any responses to the hiring dilemma?”

Mr. Schneider: “Yeah. One thing I’d like to add and really highlight something Soraya mentioned earlier. I think we also need more flexibility to have people move in and out of government in these roles, and it is difficult for people, and we need good, strong ethics rules. But sometimes they are a barrier for many government jobs, but especially for contracting officers who get excluded from being able to work at lots of companies or if they work at a company, are excluded from working back in the government. And I think we will be able to retain more people if we can allow them more flexibility to move back and forth between industry and government and gain a whole bunch of expertise at the same time.”

Elizabeth Sullivan, President of Madison Services Group, Inc.: “I would just add that if I can, that small businesses, offices at agencies are under resourced, and there are incredible tools to be able to get new small businesses into the government, keep small businesses providing innovative products. So making sure that there are enough resources for those offices is incredibly important.”

Ms. Correa: “May I add something to that? Because Elizabeth raises a very important point. At DHS, I think we were successful because we partnered with our Office of Small and Disadvantaged Business Utilization, and I carved out positions from my staff to put into that office so that we could work in partnership to evolve our program. And I think our program was successful because we had it properly resourced. And I probably had one of the larger Office of Small and Disadvantaged Business Utilization in government, including that it was staffed by a senior executive official. So I think that’s a really important and valid point. Agencies need to focus a little bit more on their small business programs and how to bring in small businesses, and that starts with the right people talking to the small businesses.”

Portman: “Great. My final question is about federal acquisition regulations. They’re often added, they are rarely taken away. Mr. Schneider mentioned that a second ago with regard to one. But new regulations are necessary, but obsolete rules and regulations seems to me have to be removed. So, Ms. Sullivan, one of the strengths of our acquisition system is the presumption of competition to get the best value so people have to compete with one another and that’s a good thing. Based on your experience with small to mid-sized companies, what federal rules or regulations make it difficult for these smaller companies to comply or compete when doing business with the federal government and what rules and regulations should be removed?”

Ms. Sullivan: “I think that clarity is always what small businesses are seeking in any rule or regulation. And one of the issues that has been kind of plaguing the community for a long time that I had mentioned in my opening remarks is the time period from when the FAR Council issues a rule and the SBA issues a final rule so it can span many years. And the acquisition community often doesn’t take SBA’s final rules as what they should be, which is that they should be followed until it’s in the FAR. So it creates a ton of confusion and then even more regulations or more rules that have to show up after the fact because the rulemaking isn’t simultaneous. Also, I think the SBA Office of Advocacy did a nationwide tour a couple of years ago. I think if I’m remembering the time table correctly and asked small businesses what regulations, including contractors, we’re really hindering them. So I’d encourage taking a look at that and what they found because I know that they found specific ones that were problematic for small and honestly midsize companies as well.”

Portman: “Great. We’ll look for that. Our capable staff is already behind us trying to find that online I’m sure. Thank you, Mr. Chairman, thank you to the witnesses. Thanks for your service.”