July 20, 2023 from 1 p.m. to 5 p.m. Eastern time
Virtual location: Zoom
Agenda
| Allotted time | Topic | Presenter |
| --- | --- | --- |
| 1:00-1:10 p.m. | Call to order; Welcome and roll call; FACA public meetings | Designated Federal Officer Michelle White |
| 1:10-1:15 p.m. | Introduction of new committee member(s) | FSCAC members |
| 1:15-1:25 p.m. | Chair Remarks | Federal Secure Cloud Advisory Committee Chair Ann Lewis |
| 1:25-2:25 p.m. | FedRAMP Program Briefing | Acting Director/Cybersecurity Program Manager of FedRAMP Brian Conrad |
| 2:25-2:45 p.m. | Committee question-and-answer | Acting Director/Cybersecurity Program Manager of FedRAMP Brian Conrad and FSCAC members |
| 2:45-3:00 p.m. | Break | |
| 3:00-3:30 p.m. | Cloud Security Alliance Briefing | Cloud Security Alliance CEO Jim Reavis |
| 3:30-3:45 p.m. | Committee question-and-answer | Cloud Security Alliance CEO Jim Reavis and FSCAC members |
| 3:45-4:00 p.m. | Discussion on priority areas identified in May FSCAC meeting | FSCAC members |
| 4:00-4:15 p.m. | Public comment (limit of three minutes per speaker) | Members of the public |
| 4:15-4:45 p.m. | Discussion on priority areas and prioritization of initiatives | FSCAC members |
| 4:45-4:50 p.m. | Committee vote on the prioritization of initiatives | FSCAC members |
| 4:50-4:55 p.m. | Summary of next steps | FSCAC Committee Chair Ann Lewis |
| 4:55-5:00 p.m. | Closing remarks and adjourn | FSCAC Chair Ann Lewis and DFO Michelle White |
Call to Order: Welcome and Roll Call, FACA Public Meetings
Michelle White, Designated Federal Officer (DFO)
Michelle described the duties of the committee and the committee members individually. She completed a roll call and determined that a quorum had been established.
Roll Call:
- Ann Lewis – Here
- Michael Vacirca – Absent (showed up after roll call)
- Ravi Jagannathan – Here
- John Greenstein – Here
- Jim Beckner III – Here
- Marci Womack – Here
- Branko Bokan – Here
- Matt Scholl – Absent
- Bo Berlas – Here
- La Monte Yarborough – Here
- Nauman Ansari – Here
- Jackie Snouffer – Here
- Bill Hunt – Here
- Joshua Cohen – Here
Michelle reviewed the agenda of the meeting and announced that there will also be an open forum at the end of the meeting for questions from the public with three minutes allotted for each speaker.
Introduction of New Committee Member(s)
FSCAC Membership
Jim Beckner III was introduced. Jim is the FedRAMP/AWS Cloud Security Officer at T-Metrics and the newest representative member of FSCAC, representing the viewpoints of a small unique business that provides cloud computing products or services.
Chair Remarks
Ann Lewis, FSCAC Chair
Ann described the duties, purposes, vision, and goals of the committee and program. She discussed her role and her commitment to take back any feedback discussed in this meeting to the GSA Administrator. She also informed the committee that Victor Brown is no longer a committee member and that his replacement will be announced in the near future.
FedRAMP Program Briefing
Brian Conrad, Acting Director/Cybersecurity Program Manager of FedRAMP
Brian Conrad, Acting Director/Cybersecurity Program Manager of FedRAMP, began the presentation with an overview of the current FedRAMP Authorization Process. He described the high-level steps for the two paths, Agency Authorization and JAB Authorization, and the differences between them. Brian also discussed current stakeholder pressure points related to the authorization process and explained the increased demand in the program. Details were provided about the program modernization efforts and the future state outcomes intended to better meet customer needs and the increase in demand.
Key takeaways:
- FedRAMP’s top priority is program modernization, and the program is focused on redesigning the authorization paths while introducing more automation into systems and processes.
- FedRAMP is investing in the necessary tools and resources to optimize the program to meet increased demand and the evolving needs of our customers.
- As FedRAMP continues to operationalize the FedRAMP Authorization Act, continuous engagement with their stakeholders will be critical as the program grows and evolves.
- FedRAMP looks forward to insights the FSCAC will be able to provide GSA to help grow, mature, and optimize the program.
Committee Q&A
Brian Conrad, Acting Director/Cybersecurity Program Manager of FedRAMP
There was an open forum Q&A Session where the FSCAC Members asked Acting FedRAMP Director, Brian Conrad, questions around the future vision of the FedRAMP Program. Many of the questions focused around the automation initiatives of the program, such as OSCAL, threat-based methodology, CDM dashboarding, and the new GRC.
Cloud Security Alliance Briefing
Jim Reavis, CEO, Cloud Security Alliance
Jim Reavis presented on Cloud, State of the Art Cybersecurity & Best Practices. He started the presentation by first introducing Cloud Security Alliance and what type of organization they are. Following that, he introduced Cloud security concerns from enterprise CISOs, CISO expectations for CSPs and what they are looking for from CSP leadership, a survey recap on some of the concerns regarding cloud security, and emphasis on Zero Trust training.
Jim showcased a mock FedRAMP moderate authorization boundary and showed how to do some role-based access request and deny inquiries to synthetic employee data, showing how to build a true, cloud-native concept system.
He then finished the presentation discussing the ongoing research on cybersecurity and wrapped up by introducing generative AI, security concerns around AI, and initial impressions and takeaways on how to address these concerns.
Committee Q&A
Jim Reavis, CEO, Cloud Security Alliance
FSCAC Membership
Jim opened the floor for questions from the Members. Some of the main questions pertained to security requirements, generative AI and enterprise adoption, and policies and trainings regarding generative AI.
Discussion on Priority Areas Identified in May FSCAC Meeting & Prioritization of Initiatives
FSCAC Membership
FSCAC members discussed their top priorities and initiatives and the next steps to tackle them. The following are the top priorities and initiatives identified by the members: Operational focus around CSPs, ConMon process improvement, (CSP) Authorization process improvements, understanding Rev. 5 baselines, and O&M foundations.
Public Comment
Members of the Public
The committee welcomed comments from members of the public. Comments were provided by two individuals. One comment encouraged the committee to consider budget and workforce as one of the priorities, helping to ensure that the FedRAMP PMO has the necessary resources to execute on mission. The other comment raised concerns around the increase in demand for defense-based companies and their limited understanding of the FedRAMP process.
Discussion on Priority Areas Identified in May FSCAC Meeting & Prioritization of Initiatives
FSCAC Membership
The Committee made a motion to vote on selecting the topics that would become the prioritized focus areas for the Committee. Jim Beckner motioned that the CSP Authorization Improvements be selected as a priority, and Michael Vacirca seconded the motion. Michael Vacirca motioned for ConMon Process Improvements to be another priority, and Ravi Jagannathan seconded the motion. Jackie Snouffer motioned that Automation Initiatives and Opportunities be the third priority, and Bo Berlas seconded the motion.
Committee Vote on the Prioritization of Initiatives
FSCAC Membership
A roll call vote was taken on pursuing and prioritizing all three topics above concurrently. The vote was unanimous with each committee member voting in favor.
Vote:
- Ann Lewis – YEA
- Michael Vacirca – YEA
- Ravi Jagannathan – YEA
- John Greenstein – YEA
- Jim Beckner III – YEA
- Marci Womack – YEA
- Branko Bokan – YEA
- Matt Scholl – Absent
- Bo Berlas – YEA
- La Monte Yarborough – YEA
- Nauman Ansari – YEA
- Jackie Snouffer – YEA
- Bill Hunt – YEA
- Joshua Cohen – YEA
Summary of Next Steps
Ann Lewis, FSCAC Chair
Ann Lewis, FSCAC Chair, discussed next steps, which include reporting back to the GSA Administrator on the prioritized focus areas. The Committee will develop specific initiatives and gather more information about the CSP experience and their expectations of the FedRAMP Program. Ann Lewis thanked members for their participation and reiterated that this is an exciting public-private partnership, essential for ensuring the government is serving the public.
Closing Remarks and Adjourn
Ann Lewis, FSCAC Chair
Michelle White, DFO
Michelle White, FSCAC DFO, adjourned the meeting at 4:20 p.m.
Committee Members in Attendance
- Ann Lewis (Chair)
- Bill Hunt
- Bo Berlas
- Branko Bokan
- Jackie Snouffer
- Jim Beckner III
- John Greenstein
- Joshua Cohen
- La Monte Yarborough
- Marci Womack
- Michael Vacirca
- Nauman Ansari
- Ravi Jagannathan
- Victor Brown
Committee Members Absent
Matt Scholl
Guest Speakers and Presenters
- Brian Conrad, Acting Director/Cybersecurity Program Manager of FedRAMP
- Jim Reavis, CEO, Cloud Security Alliance
FSCAC Staff Present
- Michelle White, Designated Federal Officer
- Clifton Johnson, FSCAC Support Team
- Theresa West, FSCAC Support Team
- Zarina Neff, FSCAC Support Team
- Taylor Juneau, FSCAC
- Kirah Hopkins, FSCAC Support Team
- Jake Aheaern, FSCAC Support Team
- Megan Gallo, FSCAC Support Team
Members of the Public Present
- Ryan Hoesing, GSA
- Ardy Shahriari, ORCA Security
- Abigail St. Louis, Big City Captions
- Pam Walker, VMware
- Ross Nodurft, Alliance 4 Digital Innovation
- Ray Fry, Bluescape
- Banessa Moradi, GSA
- Madison Cevallos, Gordian
- Peter Burkholder, GSA
- Matthew Pincus, Workday
- James Hochadel, GSA
- Cynthia Bergevin, Noblis
- Alla Seiffert, Amazon
- Julie Dunne, Monument Advocacy
- Matthew Goodrich, Schellman
- Dennis Hutton, Schellman
- Stephen Halbrook, Schellman
- Matt Hungate, Schellman
- Corey Stall, Schellman
- Jim Masella, Coalfire
- Andrew Bowling, GSA
- Ronald Kahn, N/A
- Tyler Hardy, Elevate Government Affairs
- Bridget Dorward, Noblis
- Christian Baer, Schellman
- Teri Marlene Prince, Terida
- Cristina Brydges, GSA
- Johnathan Lemay, T-Metrics
- Samuel Aydlette, Cisco
- Hazem, Amazon
- Luke O’Grady, ITTA
- Brendan Peter, Security Scorecard
- Omid Ghaffari-Tabrizi, Google
- Laura Navaratnam, CSP-AB
- Costa Hasiotis, Armavel
- Rebecca Pselos, Kite Tail Strategy
- Ashley Kamauf, A2LA
- Daniel Alvarado, Sheppard Mullin
- Jacqueline Babaian, Microsoft
- Hidayatullah Ahsan, Techicon
- MacKenzie Robertson, GSA