At HSGAC Roundtable, Experts Agree With Portman on Need for FedRAMP Reforms

WASHINGTON, DC – At a Homeland Security and Governmental Affairs Committee roundtable titled “FedRAMP Reform: Recommendations to Reduce Burden, Enhance Security, and Address Inefficiencies in the Government Cloud Authorization Process,” experts agreed with U.S. Senator Rob Portman (R-OH), Ranking Member of the Homeland Security and Governmental Affairs Committee, on the need to address the current security issues, inefficiencies, and burdens in the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP currently faces several weaknesses that leave the cloud-based program vulnerable to foreign-based hackers from countries like China and Russia. The experts at the roundtable agreed with Portman on the importance of addressing those weaknesses and establishing safeguards to identify and prevent foreign interference through reforms to the legislation under consideration that will codify the current program. Portman also addressed the potential conflict of interest created by companies hiring and paying Third Party Assessment Organizations (3PAOs) to assess their own cloud systems against FedRAMP compliance regulations.

A transcript of his questioning can be found below and videos can be found here and here.

Portman: “I’ve got a lot of questions as you know, I’m for codifying and for standardization, I’m for more certainty and predictability going forward. I think it’s a good idea. FedRAMP, in practice, I think is a good idea and it’s essential. And yet the security issue just bothers me. I want to be sure we fully vet this. Foreign interference, in particular, is a deep concern of mine, and I think it is of others as well. 

“Second, I want to talk about potential conflicts of interest with the assessment process. I don’t know why we have the companies that are getting assessed, choose their assessor, and then pay for the assessor. It seems to me that creates at least an appearance of a conflict. 

“And then third is just the cost and timing issue. And you addressed that, maybe things are getting better, but we need to allow the service providers to be able to have a sense of how much time this is going to take, like a regulatory process, how much it’s going to cost to make sure we’re getting the very best cloud services. And that’s the whole idea here right? That the federal government has the gold standard. 

“On the first issue, which is the foreign interference, this Committee has been very active on this issue. Safeguarding American Innovation Act came out of this Committee. Senator Hawley has been really taking the lead in this Congress to protect the government from data from China through legislation that would ban TikTok, as an example, on government devices. Other senators have similarly been very involved on both sides of the aisle. So I know we care about it a lot, and this Committee tends to be a place where a lot of that happens. My concern is that the source of some of this code that we are relying on with our government may well be from foreign entities and specifically engineers in China. And I just want to make sure I understand why we would want to permit that. And then the second issue that I’ve identified is that we don’t have to keep up with the disclosures. So you make an initial disclosure saying I’m owned by this company from the UK, this company from the United States or whatever. But then, as an example, not to just focus on China. But if China becomes an owner, there’s no requirement to update that disclosure, as I understand it. And to me, that seems like an obvious problem that ought to be addressed in this legislation. If we’re going to codify this thing, let’s be sure that we’re not putting ourselves in that position. So, Mr. Stern, turning to you, you’re the one that’s not here, so you’re easy to turn to. Can you talk a little about that? Your observations on supply chain risk and foreign interference as it relates to FedRAMP?”

Jeff Stern, Chief Executive Officer at Chain Security: “Sure. Thank you, Senator Portman. I’m going to talk about three things. The first is the System Security Plan, and the fact that FedRAMP authorization of the SSP does not seem to look or assess the provenance of the software and the service offering. As you mentioned, the code could all be developed in China, yet there’s no disclosure requirements here. Our recommendation around that has been that at least you may not be able to stop this because of the global supply chain, but at the very least, the buyer or user at DoD or at DHS or wherever should be able to know how much of the code was written overseas and what percentage was written overseas. And we’ve offered up some metrics as recommendations in the past about how to sort of, what I call to truth in advertising or truth in disclosure, not only in the authorization process, but also for the purchaser who is going to use the service.

“The second is that the system boundary, our observation is that the system security boundary for authorization seems to have been defined too narrowly. We’ve seen cases where, for example, even though your customer care people are here in the United States, no one is looking at the customer care system itself and who’s maintaining it. And when engineers overseas, particularly in a country like China, can have access to the entire customer care information, including the PII, the personally identifiable information of U.S. government users, their IP addresses, their email addresses, their names, phone numbers, et cetera.

“And then the third is we observed a case where one of the 3PAO organizations had already been through a CFIUS process where CFIUS and DCSA, the Defense Counterintelligence Security Agency, as a result of a foreign acquisition of the company, required establishment of a mitigated subsidiary to hold a security clearance. Yet it was not the mitigated sub who continued to be the 3PAO. It was the foreign unmitigated parent of the mitigated sub who continued as the PAO. So we believe that 3PAO, there’s a thing called an SF-328. It’s a form which declares how much foreign ownership you have. We believe every 3PAO needs to be…has to fill out an SF-328. Both on a change of ownership but annually, your 328s, which are easy to fill out, should be filed by every 3PAO.”

Portman: “Great. Well, thank you. By the way, it was the PAOs that I was referring to in terms of that ownership requirement, having to update it, and it seems to me like that’s a relatively easy fix.”

Mr. Stern: “It’s very easy.”

Portman: “Maybe the first one is a little bit harder. We have recommended some language that just gives the GSA the authority and the requirement really to review ‘the sufficiency of underlying standards and requirements to identify and assess the provenance of the software and cloud services and products in the FedRAMP program.’ So that would allow GSA to assist NIST in developing and improving the standards regarding foreign interference. Do others, Ms. Mahan, in particular, do you have concerns with that kind of language? Does that not go far enough, or does it go too far, what do you think about stopping this concern we have about foreign interference?”

Ashley Mahan, Acting Assistant Commissioner of Technology Transformation Services in the General Services Administration: “Thank you, Senator. I just wanted to thank Chain Security and Mr. Stern, as we met as he alluded to in 2020, where he provided some of these recommendations. And we had a good conversation discussing the recommendations he brought up today, as well as we took the due diligence and steps to research those out. There were some things that we were working on already in progress and things that we implemented based on his recommendations and research. I do think that this is an area that is continuing to evolve daily. And as from a program standpoint, we are committed to evolve with it. In terms of geolocation for the government’s most sensitive, unclassified data, we call that part of our high workloads, there are geolocation restrictions to U.S. and territories with U.S. jurisdiction. As well as we’re continuing to work with NIST and with future updates to provide additional security controls when it does come to supply chain. But again, we are absolutely committed to be working with the Committee as well as different government agencies and industry to ensure that the program continues to evolve as these threats are continuing to evolve as well.”

Portman: “Okay, I’m going to let my colleague, Mr. Hawley jump in here, but let me just say and we’ll get back into the potential conflict of interest issue I have and also the cost and timing and the compliance burdens. But with regard to this issue, from what you’re saying, it sounds like you agree with Mr. Stern generally, and you agree with a solution that gives you all not just the authority, but the requirement to do that important compliance, to make sure that we’re not seeing foreign interference.”

Ms. Mahan: “Absolutely. This is a critical area, a focus area, and we’re committed to evolve in working with our industry and agency partners on this.”

Portman: “The other issue we talked about, and thank you for all that input. We have a little difference of opinion, perhaps as to how the FedRAMP system currently works as it relates to inquiring into the origin of software or code in a cloud service offering. But that’s a factual matter. We just need to be sure we all understand. And I do think that this risk is only going to increase, as we said. And to Mr. Shive’s point, I don’t think that’s prescriptive language at all. In fact, it gives you the ability to be able to do it. I assume you would want to do anyway, but make sure that it gets done. In terms of potential conflicts of interest, it looks like we’re going to have some difference of opinion on this, too. And that’s good. That’s how we end up with legislation that actually makes sense. I just look at this, and I think all of you respect your 3PAOs – this is, for those who might be listening and aren’t following all the acronyms, that’s the third party assessment organization. And these are groups that do the assessment, but at the behest of the company that’s providing the cloud services.

“So as I understand it, they pay for the service and they choose the 3PAO. Is that correct? Now, again, I’m sure that the 3PAOs that you all work with are all respectable folks and so on. But that just seems like a potential conflict of interest to me. And isn’t there a better way to do it? So you get an assessment that doesn’t have that, to use the word cloud a little differently, that cloud in terms of what the conclusion is. And one idea I’ve had is rather than relying on private sector or third parties who are paid for by the cloud service provider is to get a panel of experts. In this case, GSA, NIST would be involved and have that panel of experts assess the security of the FedRAMP services, and the cost would not be borne by taxpayers, it would be borne by the user, which is the same company that was going to pay this company on the private side that they had chosen, that they’re paying to give them the answer. Instead, you would be using an entity which is independent and there would be a user fee attached to it, so there wouldn’t be an additional cost. But there would be a distance there, in other words, an assurance that this conflict of interest would not be present. So what do you all think about that? Is that a crazy idea? Is that something you’ve thought about and do you have other ideas? Let’s start with you, Ms. Mahan.”

Ms. Mahan: “Thank you. So when we first established the program many years back, the 3PAO program, we mimicked it after how industry, like traditional certification programs that industry typically goes out and seeks today. And so we developed a framework using the ISO 17020 standards, which is an industry recognized standard. And within that standard, there’s impartiality and independence clauses. So we continue, we have a robust monitoring program on FedRAMP that whenever you receive assessments from 3PAOs, we provide feedback. There’s performance escalation criteria as well, to help support and to monitor 3PAO performance, especially when it comes to this area. As a program, and I appreciate your suggestion, Senator, we are always receptive to feedback. We’ll take it into consideration, continue to work with the community as well as our stakeholders to drive change on the program.

“I will say that the 3PAOs play an absolutely critical role within this FedRAMP ecosystem. They are charged with validating that the security implementations from cloud service providers are true and accurate, which gives agencies, in turn, the ability to make those risk-based decisions in terms of using those cloud systems. So we are absolutely on board to continue evolving this program. But just note that the way that we did establish it was also based on industry recognized protocols that are in place today with other certification programs.”

Portman: “Mr. Kovac, do you have thoughts on this?”

Steve Kovac, Chief Compliance Officer and Head of Global Government Affairs at Zscaler: “Senator, I would say, Zscaler is a public company and we pay Price Waterhouse to come do our audits, our financials. I don’t see the difference. I don’t see the difference. I pay when I go to get our global compliance, whether it’s my GDPR for the EU or whether it’s my IRAP in Australia, or whether it’s my ISO or my SOC or my SOC2 or my SOCs or SOCs. I’m always paying an independent auditor that I hired. I think that the FedRAMP policy is in line with almost every other audit that we do across the corporate world. And I think that you have to believe that your 3PAO is going to be ethical and do their job. And if they don’t, with me as a CSP, we throw them out. And I’ve done it for sure. And I will tell you that it’s a thing that stops at just the 3PAO. It doesn’t. But once we finish our 3PAO, when we get our they said, okay, then it goes into the FedRAMP world where they now do their, and as Ashley just said, sorry, Ms. Mahan just said, they do their assessment of our 3PAO’s work and then a JAB, they literally do the work all over again. So they’re heavily involved in this process. I think that trying to find a way to regulate it to a group of people is going to slow the process tremendously. And I think it’s the way, like I said earlier, it’s the way we do all our independent audits. I would be troubled to get away from that.”

Portman: “Okay. Well, I appreciate that. I make the obvious point that we’ve had some captured auditors as well. And this is about security. So it’s not about auditing your books. It’s about ensuring that we don’t have a terrible situation that could occur where you have a lack of security within the cloud services that the federal government and we taxpayers are all relying on. So it’s a different sort of assessment than what Deloitte might do for your company in terms of an audit. Any other thoughts on that? Mr. Stern, do you have any thoughts on that?”

Mr. Stern: “Yes, Senator Portman. Thanks for asking. So first of all, I think 3PAOs are absolutely necessary to have a scale of a program, which means a program where you can bring services or authorized services in a timely manner, on the one hand. On the other hand, I think one potential approach here is to have the 3PAOs directly under the supervision and assigned by GSA so that if GSA hires the 3PAO and assigns the 3PAO, and where the company pays as part of some sort of fee to have it done, but the 3PAOs are hired and assigned by GSA, that may be the solution.”

Portman: “Yeah. That’s something that I think makes some sense to look at because you could have a panel of various auditors in essence. And instead of having the company choose the auditor, it would be from a group of auditors that you all being GSA have certified and, in essence, you’re certifying them anyway, right?”

Ms. Mahan: “That is correct.”

Portman: “Yeah. So you could make the decision even on an arbitrary basis, if necessary, which would cut out obviously, that issue of your choosing your own 3PAO auditor and paying that auditor. You still pay, but you will be paying a fee. So I think that’s an interesting idea as well. My final one is just on the cost and the timing and the compliance burdens, the consistency across agencies. What can be done to improve that? Mr. Fisic, I’m going to ask you to address that.”

Anthony Fisic, Executive Director for Global Security Services at OCLC: “Thanks, Senator. And for one moment, I’d just like to address that, I would say that having the GSA or the FedRAMP PMO select your 3PAO works against smaller organizations from a cost perspective, kind of leading to the next question here. We create efficiencies at scale where I have 15 global certifications we maintain. If I use Schellman or Coal Fire, these larger global organizations that are well respected, number one and two of FedRAMP authorizations, it really works against us as a smaller org. Sure, we’ll get some benefits of GSA at scale for the government engages them, but that’s a concern there. Then moving down the path is just the overall maintenance. We’re a FedRAMP tailored low. We don’t have a lot of PI. We’ve heard a lot of high, moderate supporting these large organizations. We support libraries, Library of Congress, libraries on military installations, as part of our core support to the federal government. And as a library service company, we don’t charge a lot of money as a not-for-profit. So some of the concerns we have is, I have two full-time governance analysts running. I have a full ServiceNow, which is a governance risk and compliance system running. I have 400 developers. We have 150 applications, 26 are in FedRAMP scope, but the churn created for smaller organizations, we spend up to $10 million a year as a not-for-profit that makes $200 million a year on security and trying to do the right thing and support our customers.

“So I think that as we talk about these highs, moderates, lows, we really need to think about the impacts to the smaller organizations and maybe an additional lens of risk. So I understand 30, 90, 60 days to remediate any sort of vulnerability. That’s a huge impact for a smaller organization. If there was just that additional risk assessment, say, okay, these guys, they know what book you took out, right? Why are they even in the program? Sure, it helps us. It’s an easy framework. I communicate to the board. I can do all these things, and it’s just good practice and things we do anyway. But the sunk cost to do that, it really impacts our bottom line in serving the communities and some of the least represented people globally. It’s not just in the U.S., it’s the communities we serve.

“So I’d ask the Committee to look at that. Think about the additional lens, a true risk picture outside of these mandatory high level, moderates, or lows. Let’s put some reality check in there. We’re smart enough where we can just look at an organization, formalize that just an additional check or an outside agency look and say, ‘Okay, OCLC or another smaller company, you don’t really have a lot of data that the federal government is concerned about. Maybe we can lower that risk level, lower the costs, some of those reporting compliance requirements, monthly reporting, going through the churn of POA&Ms and all these other things.’ I am a fan of FedRAMP. I’ve been with the program for four years. It’s continually evolved and gotten better. And I think it’s the right thing for the government to do as somebody who worked for the DoD before, and I fully support it. But just ask for the team to look at it through that additional risk lens and be cognizant of the small guys out there because it really hurts us. It’s what we want to do. But just that administrative overhead is massive. We’re not a Zscaler. We’re not all these companies. We’ve got a ten-person security team working 15 hours a day trying to do the right thing. And I thank you for the time.”

Portman: “That’s great input. Thank you. And it’s about size, but it’s also about degree of risk. So you could be a small company, but be in a highly sensitive area, a high-risk area, in terms of your data and vice versa, you could be a larger company, a for-profit company that doesn’t have that kind of risk. That’s very helpful. And that goes to the compliance burdens. And again, we want to end up with the best services being provided and do it in the most cost-effective way possible and then taking into account this increasing issue of foreign interference and being sure you’re doing everything to avoid the foreign hackers from getting into your system and getting into our cloud. Thank you, Mr. Chairman.”