Portman Highlights Need for FedRAMP Reforms to Address Security Issues, Inefficiencies, and Burdens Before Codifying Federal Government Cloud Authorization Process

WASHINGTON, DC – Today, U.S. Senator Rob Portman (R-OH), Ranking Member of the Homeland Security and Governmental Affairs Committee, delivered opening remarks at a Homeland Security and Governmental Affairs Committee roundtable titled “FedRAMP Reform: Recommendations to Reduce Burden, Enhance Security, and Address Inefficiencies in the Government Cloud Authorization Process” and highlighted the need to address the current security issues, inefficiencies, and burdens in the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. It currently has several weaknesses that leave the cloud-based program vulnerable to foreign-based hackers from countries such as China and Russia. Portman outlined the importance of addressing those weaknesses and establishing safeguards to identify and prevent foreign interference before Congress codifies the current program in legislation.

A transcript of his opening statement can be found below, and a video can be found here.

“Great, thank you Mr. Chairman. I appreciate you being willing to hold this hearing today, and I appreciate the witnesses for being here, because we have some real expertise before us, which is important in this area, because it’s complicated. As you know, Mr. Chairman, I am not on the bill because I think we need to make some changes to it to make it fit better, given what I see as the potential problems in the codifying of the current practice. And you know, this is very important, because this is the conduit for kind of the standard approach to assessing the security issues regarding cloud services, and it’s incredibly important that we get this right, so I thank you for giving us a chance to review today. And to Mr. Fisic, particularly, thank you for joining us all the way from Dublin, Ohio, from OCLC, my home state. And we appreciate, again, all of you being here and providing your insights.

“FedRAMP’s ‘do once, use many times’ framework has a lot of benefits. So once you get that security clearance in effect, the reuse of authorized cloud systems has helped the government avoid an estimated $716 million in costs. So that’s a good thing.

“The current program, however, has weaknesses in it, which I hope we will talk about today in some detail. And those weaknesses, I believe, have left it vulnerable to foreign-backed hackers targeting cloud systems. That would include China, include Russia. Right now, we do not have sufficient safeguards in place to identify and prevent foreign interference in our cloud systems and I believe that must change before we codify this program. I know a lot of people share that concern. 

“This is especially important in light of FedRAMP’s emphasis on reuse and the program’s influence, which goes, really, well beyond the federal government. States, as an example, and local governments often procure FedRAMP-authorized products because the FedRAMP label is on them. It’s the ‘Good Housekeeping’ seal on it, implying that these products and services are secure.

“Further, FedRAMP relies heavily on the security assessments performed by private sector third-party assessment organizations. Surprisingly, cloud service providers are the ones who choose which 3PAO assessor will conduct the security assessment of their cloud system — and pay for it. So to me, that creates a potential conflict of interest. We should talk about that openly today, and we’ve got some ideas. I know we’ve talked to the majority about this as to how we could address that issue.

“Finally, despite best efforts to improve the program, FedRAMP still suffers from high costs, long timelines, and inconsistent review processes across the agencies. As a result, federal agencies have fewer cloud service offerings to choose from compared to their private sector counterparts, hindering agencies from procuring the best service for their needs. As of today, as an example, there are roughly 240 FedRAMP-authorized providers, compared to the thousands available in the private market.

“So, I look forward to a productive conversation today on how to address some of these inefficiencies and some of the burdens in the FedRAMP system, and how to improve the security posture of the government’s cloud based systems. Thank you, Mr. Chairman.”