May 25 from 9:30 a.m.-4 p.m. Eastern time
Ronald Reagan Building and International Trade Center, 1300 Pennsylvania Ave NW, Washington, D.C. 20004 and via Zoom
Agenda
| Allotted time | Topic | Presenter |
|---|---|---|
| 9:30-9:45 a.m. | Call to order; welcome and roll call; FACA public meetings | Designated Federal Officer Michelle White |
| 9:45-9:55 a.m. | Round robin of committee members | FSCAC members |
| 9:55-10:10 a.m. | GSA leadership remarks | GSA Administrator Robin Carnahan |
| 10:10-10:20 a.m. | GSA Federal Acquisition Service leadership remarks | GSA FAS Commissioner Sonny Hashmi |
| 10:20-10:30 a.m. | Chair remarks | FSCAC Chair Ann Lewis |
| 10:30-10:45 a.m. | FSCAC charter | FSCAC Chair Ann Lewis |
| 10:45-11 a.m. | Break | |
| 11-11:45 a.m. | FedRAMP program briefing | Acting Director and Cybersecurity Program Manager of FedRAMP Brian Conrad |
| 11:45 a.m.-noon | Committee question-and-answer | Acting Director and Cybersecurity Program Manager of FedRAMP Brian Conrad |
| Noon-1:15 p.m. | Break for lunch | |
| 1:15-2 p.m. | Future Office of Management and Budget memo briefing | OMB Office of the Federal CIO |
| 2-2:15 p.m. | Committee question-and-answer | OMB Office of the Federal CIO and FSCAC members |
| 2:15-3:15 p.m. | Discussion and prioritization of initiatives | FSCAC members |
| 3:15-3:45 p.m. | Public comment (limit of three minutes per speaker) | Members of the public |
| 3:45-3:50 p.m. | Summary of next steps | FSCAC Chair Ann Lewis |
| 3:50-4 p.m. | Closing remarks and adjourn | FSCAC Chair Ann Lewis and DFO Michelle White |
Call to Order: Welcome and Roll Call. FACA Public Meetings
Michelle White, Designated Federal Officer (DFO)
Michelle White, Designated Federal Officer (DFO), explained her role and duties on this advisory committee, and introduced the rest of the committee, including their training and credentials. Michelle White stated, “This advisory committee is considered a federal advisory committee under FACA. My role is to administer day to day activities. My duties are to share with the GSA Administrator the Committee’s recommendations on the adoption of Secure Cloud services. Each committee member has gone through FACA training and had training on ethics.”
Round Robin of Committee Members
FSCAC Membership
All but one committee member were present in person and introduced themselves by name and organization. Victor Brown was present virtually and introduced himself by name and organization.
GSA Leadership Remarks
Robin Carnahan, GSA Administrator
Robin Carnahan, GSA Administrator, expressed her excitement to greet the inaugural committee members and expressed her gratitude for their service to the country. She explained that the U.S. Government is, in effect, a service delivery business, and that how well it delivers those services directly affects the public's trust in government. The best way to deliver these services is often digitally, through secure cloud services offered by cloud service providers (CSPs), which is why the work of the Federal Risk and Authorization Management Program (FedRAMP) matters and will endure.
She emphasized the importance of securing and protecting federal data while also striving to create a process that is scalable, efficient, and affordable. Ms. Carnahan also expressed the importance for FedRAMP and FSCAC to set an example for State and Local governments on how to best secure their own cloud services. She closed her remarks by reiterating the importance of the Committee’s work and how it will continue to foster trust between the public and their government.
GSA FAS Leadership Remarks
Sonny Hashmi, Commissioner, Federal Acquisition Service (FAS)
Sonny Hashmi, Commissioner of the Federal Acquisition Service, described the current challenges that come from the expanding use of the cloud and the rapidly growing number of cloud service providers. He stressed the importance of creating a process that can leverage the capabilities and innovation of the market. He concluded by noting that the work of the committee spans government, business, and the public across the country, so its focus should be on continuing to evolve the program to address the growing demand for authorization among CSPs while remaining diligent and dedicated to monitoring them after authorization.
Chair Remarks
Ann Lewis, Chair
Ann Lewis, Chair of the advisory committee, introduced herself, shared a high level overview of her professional background and experience, and summarized the duties of her role on the committee. She then stated the purpose of the FedRAMP program, and highlighted the maturity of the program over the past few years. Ann explained how the work of FedRAMP is essential in the government, and how the addition of this committee will help increase the number of Cloud Service Providers that FedRAMP supports, which will increase the success of the program. She then explained the importance of today’s meeting because it brings together the government and the industry experts.
FSCAC Charter
Ann Lewis, Chair
Ann Lewis reviewed the charter with the committee, noting the scope and boundaries of FSCAC. She emphasized the role that the committee plays in examining current federal operations and making recommendations to the GSA administrator. Using the defined scope, she encouraged the committee’s advice to be sector or market-wide instead of focusing on any one company. She closed by asking the committee if they had any questions on the charter, to which there were none.
FedRAMP Program Briefing
Brian Conrad, Acting Director/Cybersecurity Program Manager of FedRAMP
Brian Conrad, who joined the Federal Risk and Authorization Management Program in 2018, provided an overview of the program and its strategic initiatives. The program's mission is to promote secure cloud service adoption and expand the marketplace, enabling agencies to access a diverse set of cloud services. The agency authorization process relies on standardized guidelines and a repository for sharing assessment packages so that an authorization can be reused across agencies. The FedRAMP Board, along with the Joint Authorization Board (JAB), plays a crucial role in authorizing cloud service providers. The marketplace currently lists 307 authorized CSPs, with a trend toward high-impact systems. The program focuses on automation, process transformation, and knowledge sharing. A Strengths, Weaknesses, Opportunities, and Threats (SWOT) analysis highlighted strengths in stakeholder collaboration, weaknesses in the time and cost of authorization, threats from the evolving threat landscape, and opportunities for market expansion and process improvement.
FedRAMP Program Briefing: Committee Q&A
Brian Conrad, Acting Director/Cybersecurity Program Manager of FedRAMP
FSCAC Membership
In this committee Q&A session, several key points related to FedRAMP were discussed. The participants touched on various aspects, including partnerships with other countries, the National Institute of Standards and Technology's (NIST) involvement, conformance program ratios, the importance of human interaction for small businesses, lowering entry barriers while maintaining security, preferences for software as a service (SaaS) over infrastructure as a service (IaaS), resource challenges, authorization timelines and costs, the impact of the number of authorized CSPs, and statutory discussions for market accessibility.
Planned developments, such as OMB MAX sunset and customer relationship management (CRM) tool implementation, were mentioned, along with challenges in continuous monitoring and the need to update the aging FedRAMP process. The conversation also addressed leveraging automation, knowledge sharing efforts, weaknesses of FedRAMP, international discussions, and the integration of new technologies.
Standardization, Service Level Agreements (SLAs), and alignment with other regulations were considered as potential areas for improvement.
Future OMB Memo Briefing
U.S. Office of Management and Budget, Office of the Federal Chief Information Officer (OMB or Federal CIO)
Michelle introduced Eric Mill and Drew Myklegard from the Office of the Federal CIO. Individual committee members were permitted to ask them questions, but the exchange does not constitute FSCAC advice. OMB briefed the committee on FedRAMP and its evolution since 2011, expanding beyond IaaS to include platform as a service (PaaS) and SaaS. OMB's role is to help FedRAMP adapt to the larger cloud marketplace. Governance involves the JAB and the agencies, and OMB aims to help the FedRAMP Board determine priorities and understand their implications. Michelle then opened the floor for questions.
Future OMB Memo Briefing: Committee Q&A
OMB Office of the Federal CIO and FSCAC Membership
The participants discussed important areas for the future FedRAMP Board to focus on. These included:
- allowing agencies faster access to increase scalability;
- reducing duplicative processes and the lack of trust between agencies;
- modernizing security controls for the FedRAMP process;
- considering the evolving nature of the threat landscape;
- unifying disparate policy areas under one roof;
- expanding and investing in the Open Security Controls Assessment Language (OSCAL);
- protecting and monitoring data across authorization boundaries;
- addressing the challenges of increasing the FedRAMP Board's size;
- improving efficiency through SLAs and by triaging new controls;
- evaluating whether NIST controls are sufficient for artificial intelligence (AI) systems;
- clarifying and tightening controls for SaaS adoption;
- revisiting FedRAMP authorization and making it more specific;
- incorporating essential shared security solutions;
- streamlining the authorization process;
- providing more frequent guidance updates;
- exploring tiering and customization for changes;
- addressing redundancy and delays in the authorization process;
- accommodating agency exceptions and low-impact SaaS solutions;
- seeking reciprocity and exploring the role of third parties; and
- creating opportunities for small businesses and faster testing of their products.
Discussion and Prioritization of Initiatives
FSCAC Membership
Michelle White, FSCAC DFO, opened the session by asking members to discuss their prioritization of initiatives. Members considered factors such as the order in which to tackle the initiatives and the next steps for making recommendations to the GSA Administrator. They suggested several areas of focus, such as exploring market expansion, broadening the operational security focus with cloud service providers, and considering the role of the Cybersecurity and Infrastructure Security Agency (CISA) beyond incident response. They also stressed the importance of starting with a small deliverable and building upon it. The need for automation, particularly in authorizations and continuous monitoring, was discussed because of its potential to save time and cost.
The members also discussed topics they would like to hear more about in future meetings, including insights from the Cloud Security Alliance and a threat-based monitoring approach. Potential next steps were mentioned, including reviewing governance, risk and compliance (GRC) tools and exploring reciprocity requirements and CSP interactions. The timing for providing compiled data and recommendations to the GSA Administrator was addressed, with the frequency of committee meetings determining the frequency of that communication.
The members requested access to existing documentation about the FedRAMP program, its issues, and where FedRAMP believes there is room for improvement, and expressed their interest in expanding on the federated authority to operate (ATO) concept and assisting with automation.
Public Comment
Members of the Public
Michelle White opened the discussion up to the public to share their comments, with each person having three minutes to speak.
Gaurav Pal from stackArmor, Inc. suggested a study to show the costs and savings of obtaining an ATO with FedRAMP versus without it, and combining economic programs.
Tom Ruff from Deep Water Point and Associates urged the committee to help small businesses find sponsors and to make the FedRAMP process less intimidating.
Matt Topper from UBERETHER, INC said that FedRAMP certification would make an immense difference in their process.
Teri Marlene Prince, CEO of Terida, a small business trying to achieve FedRAMP certification, highlighted the cost and timeline difficulties of the process.
Summary of Next Steps
Ann Lewis, Chair
Ann Lewis noted that the committee members are not yet fully aligned on the top priority, but that future meetings should help to determine it. She thanked the members for their thoughtful contributions and said she looks forward to working with them. The work done by the committee will benefit both cloud service providers and public-private partnerships. Matt Scholl asked where the committee will meet in the future; Michelle White suggested meeting remotely but left the question open for discussion. Marci Womack asked about the TBD slot on the committee, and Ann Lewis explained that a member selection is still in progress.
Closing Remarks and Adjourn
Ann Lewis, Chair, and Michelle White, DFO
Michelle White, FSCAC DFO, adjourned the meeting at 3:22 p.m.
Committee Members in Attendance
- Ann Lewis (Chair)
- Bill Hunt
- Bo Berlas
- Branko Bokan
- Jackie Snouffer
- John Greenstein
- Joshua Cohen
- LaMonte Yarborough
- Marci Womack
- Matt Scholl
- Michael Vacirca
- Nauman Ansari
- Ravi Jagannathan
- Victor Brown
Guest Speakers and Presenters
- Robin Carnahan, GSA
- Sonny Hashmi, GSA
- Brian Conrad, FedRAMP
- Drew Myklegard, OMB Office of Federal CIO
- Eric Mill, OMB Office of Federal CIO
FSCAC Support Staff Present
- Michelle White, Designated Federal Officer
- D’Arcy Steiner, FSCAC Support Team
- Kirah Hopkins, FSCAC Support Team
- Clifton Johnson, FSCAC Support Team
- Megan Gallo, FSCAC Support Team
- Taylor Juneau, FSCAC Support Team
- Theresa West, FSCAC Support Team
- Jake Ahearn, FSCAC Support Team
- Zarina Neff, FSCAC Support Team
- Alicia Ouderkirk, FSCAC Support Team
- Ashley Kimbell, FSCAC Support Team
- MacKenzie Robertson, GSA Committee Management Officer
- Cindy Kim, Captioner
- Sophie Yesuneh, ASL Interpreter
- Josephine Johnston, ASL Interpreter
- Armstrong Knight, ASL Interpreter
Full Attendees
- Aaron Hamlin, Armavel, LLC
- Andrea Bowling, GSA
- Andrew Scherer, Carahsoft
- Andrew Lins, FedRAMP PMO / Noblis
- Betsy Steele, US GSA
- Carol Bales, OMB
- Christian Baer, Schellman
- Claudio Belloli, Cisco System, Inc.
- Colton Bohn, Axon Enterprise, Inc.
- Craig Abod, Carahsoft
- Cristina Brydges, TTS / GSA
- Dang Nguyen, Pitney Bowes
- Daniel Alvarado, Sheppard Mullin
- Gaurav Pal, stackArmor, Inc.
- Grace Williams, Monument Advocacy
- Ian Bell, The Coalition for Government Procurement
- Jessica Salmoiraghi, BSA
- Jim Masella, coalfire
- Joel Hinzman, Oracle
- John Santore, Kratos
- John Hamilton, GSA
- Julie Dunne, Monument Advocacy
- Justin Padilla, Kratos
- Karen Laughton, Coalfire
- Kelsey Kober, HP Inc.
- Kevin Carr, Palantir
- Lauren Lombardo, House Committee on Oversight and Accountability
- Leopold Wildenauer, Information Technology Industry Council
- Matt Topper, UBERETHER, INC
- Matt Hungate, Schellman
- Matthew Burrell, GSA
- Matthew Chaiko, Coalfire
- Matthew Cornelius, N/A
- Natalya Rashchupkina, Absolute Software
- Nathaniel Sykes, R&K Solutions, Inc.
- Nicholas Passerini, Riverbed Technology
- Nick Rundhaug, Schellman
- Omid Ghaffari-Tabrizi, Google
- Richard Beutel, Cyrrus
- Richard Brown, Genesys
- Robert Shields, ITTA, Inc.
- Rocky Campione, AWS
- Ross Nodurft, Alliance for Digital Innovation
- Ryan Hoesing, GSA
- Samantha Holt, Madison Services Group, Inc
- Shanden Delamater, Genesys Cloud
- Shawn Frederickson, Sumo Logic
- SK Bhachech, Riverbed Technology LLC
- Star Vanamali, GSA
- Stephen Halbrook, Schellman
- Team Frank Media
- Teri Marlene Prince, Terida
- Terry Humphries, GTP Software, Inc.
- Thomas Voshell, Coupa Software Inc
- Tom Volpe Sr
- Tom Ruff, Deep Water Point and Associates
- William Chapman, GSA/FAS/OPC
- Adam Smith, Coalfire
- Adam Shnider, Coalfire
- Ali Monfre
- Alison Kohler
- Baldino David
- Bill Fanelli, FedRAMP PMO
- Bridget Dorward, FedRAMP PMO
- Cynthia Bergevin, GSA
- Dmitriy Layvand
- Drew Scherer, Carahsoft Technology Corp.
- Erika Ostergaard, FedRAMP PMO
- Gennie Duncan, GSA, OCIA
- Jennifer Carlson, Noblis for FedRAMP
- Jim Mueller, AWS
- Jin Park, GSA
- John Pugh, Noblis
- Laurie Southerton, FedRAMP
- Mark Podoff, Federal Mine Safety Health Review Commission (FMSHRC)
- Mike McCalip, Carahsoft Technology Corp
- Peter Burkholder, GSA
- Rich Brown, Genesys
- Robert Wuhrman, GSA
- Saeed El
- Sam Leestma, Noblis
- Sara Friedman, Inside Cybersecurity
- Yasmine Iddrisu, GSA