Federal Secure Cloud Advisory Committee March 28, 2024 agenda and minutes

March 28 from 10 p.m.- 2:30 p.m. Eastern time

In-person location: 1800 F St NW, Room 1461, Washington D.C. 20004

Call to Order: Welcome and Roll Call

Michelle White, Designated Federal Officer (DFO)

Michelle introduced the purpose of the meeting and background information on FSCAC’s creation and scope, and then went through roll call. A quorum was established. Michelle then reviewed the purpose, outcome and agenda for the day. She announced that the members had successfully submitted their final recommendations to the GSA Administrator, and the Chair had briefed the Administrator on the details. The recommendations were further sent from the Administrator to the FedRAMP PMO for their review. Lastly, she reminded the members of the speaking etiquette for this meeting.

Chair Remarks

Ann Lewis, FSCAC Chair

Ann Lewis, FSCAC Chair, level set and provided more background and context for the meeting today, as well as restated the overall purpose, outcome and process for this meeting. She also congratulated the members on submitting their first set of recommendations to the GSA Administrator, who had been briefed on the specific recommendations by the Chair.

Public Comment

Members of the Public

There was one public comment from Josh Blaher representing RedHat who offered guidance on what RedHat believes the FSCAC Committee’s priorities should be this year. Josh Blair highlighted two recommended focus areas: the reestablishment of the Joint Authorization Board (JAB) or a similar body as well as a refocus on vulnerability management to identify risks. Public comment portion concluded at 10:10 a.m.

Presentation – OMB Draft Memo Updates

Drew Myklegard, Deputy Federal CIO, Office of the Federal CIO, Office of Management and Budget

Drew Myklegard spoke about the level of OMB leadership that is committed to FedRAMP and its mission, and how OMB is committed to building further relationships with the Committee members on the FSCAC board. He also gave updates on the OMB policy and asked for feedback from FSCAC on three specific areas: 1) FedRAMP and small businesses, 2) cost around the FedRAMP process (how much it costs for an agency to bring in a CSP and how much it costs for a CSP), and 3) metrics, specifically around transparency on the OMB side to improve FedRAMP over time while also providing the most value to CSPs.

Presentation – FedRAMP Roadmap in Response to Updates on OMB Draft Memo

Eric Mill, Executive Director for Cloud Strategy at General Services Administration (GSA); Zaree Singer, Agency Engagement Lead at FedRAMP; and Ryan Palmer, Senior Technical and Strategic Advisor at FedRAMP

Eric Mill introduced the FedRAMP 2024-2025 Roadmap and stated that this is what the program will use to help prioritize their goals this year. Zaree Singer explained that the roadmap is meant to be a response to FedRAMP’s stakeholders, and will help to organize FedRAMP’s strategic goals and will help to publicly communicate these changes in the program. She then introduced the four specific goals of the roadmap: customer experience, being a leader in cybersecurity, scaling the size and scope of a trusted FedRAMP Marketplace, and increasing the program’s effectiveness. Ryan Palmer then presented a detailed overview of each of these four goals, listing the challenges of each goal and what FedRAMP will deliver first within each goal. Zaree then explained the benefits this roadmap will provide to FedRAMP’s customers.

Committee Q&A

FSCAC Membership

Questions from FSCAC members centered around funding, timelines around the roadmap, the use of SaaS with the changes in the roadmap, automation efforts and how FedRAMP assesses technical controls to inform compliance, centralizing ConMon, reciprocity, interpretations of controls and requirements to maintain common language, the revision process of the roadmap, the Red Teaming Assessment Framework, and pushing Moderate and High impact levels of Authority to Operate (ATOs).

Panel Discussion – 3PAO Stakeholder Experience

Kratos’ Vice President of Cybersecurity Services Jim Neidich; A-Lign’s Director of Quality Management
Lee Neeper; and FSCAC members

Jim and Lee discussed their experiences as 3PAO stakeholders. Questions from FSCAC members centered around their experiences with assessments without consultation, showstoppers that CSPs encounter and communication challenges during authorization process, challenges during the authorization phase itself,
challenges unique to small businesses, FIPS, MFA concerns, gaining and maintaining trust between vendor and assessor, improving package quality to help CSPs get through the authorization process faster, showing the value of the 3PAO to the PMO and consensus on what a 3PAO recommendation means, conditions needed for a CSP to build out a cloud offering, Cybersecurity Maturity Model Certifications (CMMCs), how to quickly communicate FedRAMP guidance and current requirements, metrics and data collection, incorporating binding operational directives (BODs) into compliance assessments, software attestation requests, how can AI assist CSPs and affect FedRAMP controls, updated Rev 5 templates, and Red Team Pen Test.

Deliberations and Vote on Committee’s Next Priorities

FSCAC Membership

The Committee deliberated on which priorities to focus on going forward. Numerous priorities were drafted, to include reviewing the implementing and communicating the OMB memo, following through on 2023 initiatives, and recommending metrics for FedRAMP. Members proposed additional ideas around small business concerns, AI privacy and BOD compliance concerns, addressing current baseline issues before focusing on improvement, how the FedRAMP roadmap will be implemented, transitioning to new authorization paths such as agile authorizations, modular risk acceptance, a knowledge base organically built from multi-stakeholders, and how to grow the 3PAO marketplace. The Committee also discussed implications of the establishment of the FedRAMP Board, including authorizations previously done by the JAB, and the benefits and drawbacks of reciprocity. Mike Varcica proposed tallying top priorities via Smartsheet ahead of the next meeting.

Motion and Votes

Branko Bokan made a motion to delay selecting a priority until additional information is received. Jackie Snouffer seconded.

• Ann Lewis – Support
• Bo Berlas – Support
• Branko Bokan – Support
• Daniel Pane – Support
• Bill Hunt – Support
• John Greenstein –Support
• Joshua Cohen –Support
• Matt Scholl – Support
• Nauman Ansari – Support
• Jackie Snouffer – Support
• La Monte Yarborough – Support
• Marci Womack –Support
• Mike Vacirca – Support

Closing Remarks and Adjourn

Michelle White, FSCAC DFO and Ann Lewis, FSCAC Chair

Ann Lewis began closing remarks by complimenting the Committee on a great discussion. Michelle White adjourned the meeting at 2:59 p.m.

Committee Members in Attendance

• Ann Lewis (Chair)
• Bill Hunt
• Bo Berlas
• Branko Bokan
• Daniel Pane (virtual)
• Jackie Snouffer
• Jim Beckner III
• John Greenstein
• Joshua Cohen
• La Monte Yarborough (virtual)
• Marci Womack
• Matt Scholl
• Michael Vacirca
• Nauman Ansari
• Ravi Jagannathan

Guest Speakers and Presenters

• Jim Neidich, Kratos Defense
• Lee Neeper, A-Lign
• Eric Mill, GSA
• Zaree Singer, FedRAMP
• Ryan Palmer, FedRAMP
• Drew Myklegard, OMB

FSCAC Support Staff Present

• Michelle White, Designated Federal Officer
• D’Arcy Steiner, FSCAC Support Team
• Clifton Johnson, FSCAC Support Team
• Theresa West, FSCAC Support Team
• Margaret McKenna, FSCAC Support Team
• Megan Gallo, FSCAC Support Team
• Jake Ahearn, FSCAC Support Team
• Kirah Hopkins, FSCAC Support Team
• Matthew Silber, FSCAC Support Team
• Taylor Juneau, FSCAC Support Team
• Cristina Brydges, FSCAC Support Team

Full Attendees

• Josh Blaher, Red Hat
• David Waltermire, GSA
• Madison Cevallos, Gordian
• Jasmine Mathew, ISA
• Tara Houlden, Red Hat
• Stephanie Harris, Red Hat
• Charles Sheridan, Red Hat
• Christian Baer, Schellman
• Josh Krueger, Project Hosts Inc.
• Chelsey Hickman, WSW
• James Masella, Coalfire
• Matti, Pearce, Absolute Software
• Jon Stevens, Absolute Software
• Justin Doubleday, Federal News Network
• Sean Connelly, CISA
• MacKenzie Robertson, GSA
• Mary Suman, Elevance Health
• Peter Burkholder, GSA
• Jake Corzine, SS&C Innovest
• John Gallagher, Microsoft
• Andrea Hopkins, DSS Inc.
• Loren Buhle, DNAnexus
• Melissa Prager, Microsoft Azure
• Katherine Manfre, Manhattan Associates
• Kade Hennings, Code42
• Ann Marie Keim, Lone Rock Point
• Nikunj Savaliya, Motorola Solutions Inc.
• Ryan Edwards, Motorola Solutions
• RoxAnne Nobles, Relativity
• Adam Papilsky, MSI
• Richard Verrill, Excentium, Inc.
• Steve Boddy, Avature
• Jenny Manner, Leidos
• Steven Hopkins, Microsoft
• Jack Swearingen, CircleCI
• Bhanu Jagasia, bladestack.io
• Bo Berlas, GSA
• Ross Nodurft, ADI
• William Suthoff, DSS Inc.
• Brittany Clore, Microsoft
• James Nwaneri, Motorola Solutions, Inc.
• Alex Hayes, DSS Inc.
• Joe Baum, Motorola Solutions, Inc.
• John Hamilton, FedRAMP
• Mark Shahaf, Motorola Solutions, Inc.
• Michael Milburn, Motorola Solutions, Inc.
• Rylan Crosby, Elevate Government Affairs
• Ellen Alarie, DSS Inc.
• Justin Padilla, Kratos Defense
• Amanda King, DSS Inc.
• Emmanuel Oluwole, Illumio
• Abe Emnetu, Microsoft
• Brittany Smith, Microsoft
• Denise Blackerby, DSS Inc.
• Carol Bales, OMB
• Paola Brown