The Federal Secure Cloud Advisory Committee is scheduled to meet from 12 to 3:00 p.m. Eastern time on Nov. 14. Register for this virtual meeting if you plan to attend.
Location: Zoom
ALLOTTED TIME | TOPIC | PRESENTER |
---|---|---|
12-12:10 p.m. | Call to order; welcome and roll call; FACA public meetings | Michelle White, Designated Federal Officer |
12:10-12:30 p.m. | Public comment (limit of four minutes per speaker) | Members of the public |
12:30-12:35 p.m. | Chair remarks | Larry Hale, Federal Secure Cloud Advisory Committee Chair |
12:35-1:35 p.m. | Deliberations – Sharing individual discovery & developing initial recommendations | FSCAC members |
1:35-1:45 p.m. | Break | |
1:45-2:45 p.m. | Deliberations – Sharing individual discovery & developing initial recommendations | FSCAC members |
2:45-3 p.m. | Closing remarks and adjourn | Larry Hale, Federal Secure Cloud Advisory Committee Chair; Michelle White, Designated Federal Officer |
Call to order
Michelle White, FSCAC designated federal officer
Michelle White called the meeting to order and introduced the purposes and outcomes of the meeting. She welcomed the members of the public in attendance and thanked those who left public comments. A quorum was established.
Roll call
- Larry Hale – Present
- Mike Vacirca – Present
- Carlton Harris – Not Present
- Kayla Underkoffler – Present
- Josh Krueger – Present
- Daniel Pane – Present
- Marci Womack – Present
- Branko Bokan – Not Present
- Matt Scholl – Present
- Bo Berlas – Present
- La Monte Yarborough – Present
- Nauman Ansari – Not Present
- Jackie Snouffer – Present
- Bill Hunt – Present
- Joshua Cohen – Not Present
Public comment
Members of the public
During the public comment session, three key issues were raised by stakeholders regarding the FedRAMP program. Hazem Eldakdoky, representing the Cloud Service Provider (CSP) community, voiced concerns about FedRAMP’s static risk management triggers for vulnerability management. He noted that the current system, which applies the same deficiency triggers regardless of CSP scale, unfairly escalates smaller issues in larger CSP environments. He urged the committee to consider adaptive triggers based on scale.
Laura Navaratnam, Executive Director of the Cloud Service Provider’s Advisory Board, highlighted the challenge of limited reciprocity between FedRAMP and DoD cloud environments, which results in inefficiencies for high-security workloads. She suggested that aligning DoD’s IL4 and IL5 standards with FedRAMP would streamline processes, enabling DoD workloads to benefit from FedRAMP’s modernization efforts and more agile change management.
Lastly, David Zvenyach, a principal at Tandem Gov, emphasized the need for improved transparency on FedRAMP’s marketplace regarding authorization timelines, which could help CSPs make better investment decisions by providing more detailed insights into authorization queue status and review stages.
Each speaker requested the committee consider recommendations to address these challenges, ultimately aiming to refine the FedRAMP program’s efficiency and responsiveness.
Chair remarks
Larry Hale, FSCAC chair
Larry opened the meeting with a recap of priorities and prior discussions. In July, the committee refined its top two priorities, beginning to develop recommendations, while deferring two additional priorities from the GSA Administrator until the initial ones are addressed. During the October 3 meeting, the committee agreed to retain last year’s report structure, drafting initial problem statements and recommendations. Today’s focus will be on drafting and refining these recommendations, with the understanding that nothing is final until an official vote. Additionally, FedRAMP will present updates in the new year, and requests for future speakers are welcome to support the committee’s work on subsequent priorities. An update on establishing a LinkedIn presence for FSCAC was also provided.
Deliberations: sharing individual discovery and developing initial recommendations
FSCAC membership
Committee members focused on refining Priority #1 of FSCAC’s recommendations to reduce barriers and expedite the authorization process for Cloud Service Providers (CSPs). Key points included the need for clearer guidance on the CSP-controlled aspects of authorization and acknowledgment of delays within agency review processes. Members emphasized the importance of setting clear expectations and providing prescriptive guidance on prerequisites, timelines, and costs to help CSPs navigate FedRAMP requirements more effectively. Additionally, the group discussed funding and resource challenges that hinder agency sponsorship, exploring alternative solutions like reciprocity with programs such as StateRAMP and DoD IL4/IL5, as well as potential fee-based models to support program capacity. The conversation underscored the goal of maintaining high security standards while making FedRAMP processes more accessible and efficient for diverse organizations.
Deliberations: sharing individual discovery and developing initial recommendations (part 2)
FSCAC membership
The committee reviewed Priority #2, focusing on recommendations to expedite the FedRAMP authorization process while balancing security requirements and agency resource constraints. Discussions emphasized the importance of maintaining robust security controls to prevent duplicative work and avoid burdening agencies with unnecessary reauthorizations. Members debated the value of an authorization model, which would allow agencies to use CSPs with a partial FedRAMP review for lower-risk applications, contingent on individual agency risk assessments.
The committee also discussed ways to support agencies in authorizing CSPs, including cost-sharing or incentive models to alleviate financial barriers. However, members expressed concerns that such models could inadvertently favor large CSPs over smaller businesses and discussed potential frameworks to ensure equity in any future financial support model. The meeting concluded with an invitation for members to brainstorm ethical and equitable approaches to cost-sharing, to be further discussed at the next meeting.
Next steps, closing remarks and adjournment
Larry Hale, FSCAC chair, and Michelle White, FSCAC DFO
Larry thanked the committee for their participation today, and the committee noted several next steps based on the day’s conversation. Larry thanked the committee and speakers again and expressed that he is looking forward to continuing the discussion. Michelle White adjourned the meeting at 2:57 p.m.
Certification of chair
I hereby certify that, to the best of my knowledge, the foregoing minutes of the proceedings are accurate and complete.
Digitally signed:
Lawrence Hale 11/15/2024
Appendix A
Committee members in attendance
Larry Hale (Chair)
Mike Vacirca
Kayla Underkoffler
Daniel Pane
Marci Womack
Branko Bokan
Matt Scholl
Bo Berlas
La Monte Yarborough
Bill Hunt
Jackie Snouffer
Josh Krueger
Committee members absent
Carlton Harris
Nauman Ansari
Joshua Cohen
FSCAC staff present
Michelle White, Designated Federal Officer
D’Arcy Steiner, FSCAC Support Team
Clifton Johnson, FSCAC Support Team
GSA staff present
MacKenzie Robertson, GSA
Tam Nguyen, FedRAMP
AJ Stein, FedRAMP
Megan Gallo, FedRAMP
Pete Waterman, FedRAMP
Ryan Hoesing, FedRAMP
Sam Aydlette, FedRAMP
Dave Waltermire, FedRAMP
John Hamilton, FedRAMP
Marcia Simms, FedRAMP
Ryan Palmer, FedRAMP
Theresa West, FedRAMP
Zaree Singer, FedRAMP
Members of the public present
Christine Biggs
Madison Cevallos
David Callner, INCATech Corp
Faqir Ahmed, CVP Corp
Jim Masella, Coalfire
Trevor Lowing, DFC
Dani Hillmer, Sentinel One
John Smail, Amazon
Jessica Salmoiraghi, BSA
Tom Leithauser, Wolters Kluwer
Wesley Callahan, DRT Strategies
Alicia Telle
Debra Rath, Cummins
Jennifer Kerber, Socure
David Zvenyach, Tandem Gov
Duressa Aliye, NCR Gov
Fahad Arshad, Broadcom
Darryl Purdy, Census
Mitch Herckis, Wiz.io
Ben Diliberto, Wiz.io
Ted Harwood, Moveworks
Laura Navaratnam, CSP-AB
Roger Gaffey, IBM
Rico McGee, Oracle
Thomas Hoffecker, SAP NS2
Sanjiev Chattopadhya, Broadcom
Pavel Shlikov, Salesforce
Abe Emnetu, Microsoft
Ryan Nash, Carahsoft
Drew Scherer, Carahsoft
Thomas Brown, Broadcom
Rodney Nelson, Google
Orlie Yaniv, Gigamon
Meghan Guiney, Project Hosts
Richard Beutel, Cloud Maven
Hazem Eldakdoky, Amazon
Ayman Shehata, Broadcom
Irfan Nawaz, Salesforce
Tom Cowles, Box
Christopher Wood, W Core
Jeejo John K, Rediffmail
Annabelle Thompson, Captioner