On Tuesday, US federal officials met with lawmakers on the Senate Homeland Security and Governmental Affairs Committee to discuss deficiencies within the General Services Administration’s Federal Risk and Authorization Management Program, or FedRAMP, ahead of an upcoming vote to codify the program agencies use to adopt cloud services.
Committee Chairman Sen. Gary Peters (D-Mich.), a co-sponsor of a bipartisan bill called the Federal Secure Cloud Improvement and Jobs Act of 2021, convened the meeting to hear from officials and vendors for possible tweaks to the legislation.
The bill, similar to bipartisan legislation that passed in the House of Representatives, would codify the FedRAMP program and establish the Federal Secure Cloud Advisory Committee to measure the program’s effectiveness, particularly when it comes to reusing FedRAMP authorizations. The measure also authorizes $20 million for FedRAMP operations annually.
Recent reports have warned that the program is “no longer optimized for modern security solutions” and ill-equipped to work well in environments with IoT devices and other emerging technologies while calling on the government to redefine federal IT risk management.
Sen. Rob Portman (R-Ohio), the ranking member on the committee, expressed concerns about potential conflicts of interest around the commercial third-party assessment organizations (3PAOs) that report to FedRAMP officials on whether cloud providers are meeting security standards, a critical step in the government’s approach to making risk-based decisions about authorizing certain cloud services. Portman said that he felt a security determination was categorically different from other third-party audits.
David Shive, the GSA’s CIO and a FedRAMP board member, urged lawmakers to include language that allows the program to grow amid increased cyber threats and unforeseen circumstances.
While Shive said FedRAMP has “done a good job” evolving with the cybersecurity threat, he noted how the needs of cloud service providers and their customers have changed over time and said there must be “agility built into any legislation” to address those concerns.