An official website of the United States government
Here’s how you know
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock
( )
or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
May 25 from 9:30 a.m.- 4 p.m. Eastern time
Ronald Reagan Building and International Trade Center, 1300 Pennsylvania Ave NW, Washington, D.C. 20004 and via Zoom
| Allotted time | Topic | Presenter |
|---|---|---|
| 9:30-9:45 a.m. | Call to order Welcome and roll call FACA public meetings | Designated Federal Officer Michelle White |
| 9:45-9:55 a.m. | Round robin of committee members | FSCAC members |
| 9:55-10:10 a.m. | GSA leadership remarks | GSA Administrator Robin Carnahan |
| 10:10-10:20 a.m. | GSA Federal Acquisition Service leadership remarks | GSA FAS Commissioner Sonny Hashmi |
| 10:20-10:30 a.m. | Chair remarks | FSCAC Chair Ann Lewis |
| 10:30-10:45 a.m. | FSCAC charter | FSCAC Chair Ann Lewis |
| 10:45-11 a.m. | Break | |
| 11-11:45 a.m. | FedRAMP program briefing | Acting Director and Cybersecurity Program Manager of FedRAMP Brian Conrad |
| 11:45 a.m.-noon | Committee question-and-answer | Acting Director and Cybersecurity Program Manager of FedRAMP Brian Conrad |
| Noon-1:15 p.m. | Break for lunch | |
| 1:15-2 p.m. | Future Office of Management and Budget memo briefing | OMB Office of the Federal CIO |
| 2-2:15 p.m. | Committee question-and-answer | OMB Office of the Federal CIO and FSCAC members |
| 2:15-3:15 p.m. | Discussion and prioritization of initiatives | FSCAC members |
| 3:15-3:45 p.m. | Public comment (limit of three minutes per speaker) | Members of the public |
| 3:45-3:50 p.m. | Summary of next steps | FSCAC Chair Ann Lewis |
| 3:50-4 p.m. | Closing remarks and adjourn | FSCAC Chair Ann Lewis and DFO Michelle White |
Michelle White, Designated Federal Officer (DFO), explained her role and duties on this advisory committee, and introduced the rest of the committee, including their training and credentials. Michelle White stated, “This advisory committee is considered a federal advisory committee under FACA. My role is to administer day to day activities. My duties are to share with the GSA Administrator the Committee’s recommendations on the adoption of Secure Cloud services. Each committee member has gone through FACA training and had training on ethics.”
All except one committee member was present in person and introduced themselves by name and organization. Victor Brown was present virtually and introduced himself by name and organization.
Robin Carnahan, GSA Administrator, expressed her excitement to greet the inaugural committee members and expressed her gratitude for their service to the country. She expressed that the U.S. Government serves as a service delivery business and that the efficacy with which the government delivers those services directly relates to the public’s trust in the government. The best way to deliver these services is often digitally through Secure Cloud Services (CSPs), which is why the work that is done with the Federal Risk Management Program (FedRAMP) is long and will last.
She emphasized the importance of securing and protecting federal data while also striving to create a process that is scalable, efficient, and affordable. Ms. Carnahan also expressed the importance for FedRAMP and FSCAC to set an example for State and Local governments on how to best secure their own cloud services. She closed her remarks by reiterating the importance of the Committee’s work and how it will continue to foster trust between the public and their government.
Sonny Hashmi, Commissioner of the Federal Acquisition Service, described the current challenges that come from the expanding use of the cloud and the rapidly growing number of cloud service providers . He stressed the importance of creating a process that can leverage the capabilities and innovation of the market. He concluded by noting that the work of the committee spans across government, business, and those across the country, so their focus should be on continuing to evolve the program to address the growing demand for authorization among CSPs and remaining diligent and dedicated to monitoring them even after authorization.
Ann Lewis, Chair of the advisory committee, introduced herself, shared a high level overview of her professional background and experience, and summarized the duties of her role on the committee. She then stated the purpose of the FedRAMP program, and highlighted the maturity of the program over the past few years. Ann explained how the work of FedRAMP is essential in the government, and how the addition of this committee will help increase the number of Cloud Service Providers that FedRAMP supports, which will increase the success of the program. She then explained the importance of today’s meeting because it brings together the government and the industry experts.
Ann Lewis reviewed the charter with the committee, noting the scope and boundaries of FSCAC. She emphasized the role that the committee plays in examining current federal operations and making recommendations to the GSA administrator. Using the defined scope, she encouraged the committee’s advice to be sector or market-wide instead of focusing on any one company. She closed by asking the committee if they had any questions on the charter, to which there were none.
Brian Conrad, who joined the Federal Risk Management Program in 2018, provided an overview of the program and its strategic initiatives. The program’s mission is to promote secure cloud service adoption and expand the marketplace. The aim is to grow the marketplace and enable access to diverse cloud services. The agency authorization process involves standardized guidelines and a repository for sharing assessment packages. The FedRAMP Board, along with the Joint Authorization Board (JAB), plays a crucial role in authorizing cloud service providers. The marketplace currently has 307 authorized CSPs, with a trend towards high-impact systems. The program focuses on automation, process transformation, and knowledge sharing. The Strengths, Weaknesses, Opportunities, and Threats (SWOT) analysis highlighted strengths in stakeholder collaboration, weaknesses in time and cost, threats from the evolving threat landscape, and opportunities for market expansion and process improvement.
In this committee Q&A session, several key points related to FedRAMP were discussed. The participants touched on various aspects, including partnerships with other countries, the National Institute of Standards and Technology’s (NIST) involvement, conformance program ratios, the importance of human interaction for small businesses, lowering entry barriers while maintaining security, preferences for software as a service (SaaS) over infrastructure as a service ( IaaS), resource challenges, authorization timelines and costs, the impact of the number of authorized CSPs, and statutory discussions for market accessibility.
Planned developments, such as OMB MAX sunset and customer relationship management (CRM) tool implementation, were mentioned, along with challenges in continuous monitoring and the need to update the aging FedRAMP process. The conversation also addressed leveraging automation, knowledge sharing efforts, weaknesses of FedRAMP, international discussions, and the integration of new technologies.
Standardization, Service Level Agreements (SLAs), and alignment with other regulations were considered as potential areas for improvement.
Michelle introduced Eric Mill and Drew Myklegard from the Federal CIO. The individual committee members were permitted to ask them questions, but their input will not be considered FSCAC advice. OMB briefed the committee on FedRAMP and its evolution since 2011, expanding beyond IaaS to include platform as a service (PaaS) and SaaS. OMB’s role is to assist FedRAMP in adapting to the larger cloud marketplace. The governance involves the JAB and Agencies, and OMB aims to help the FedRAMP Board determine priorities and understand implications. Michelle then opened the floor for questions.
The participants discussed various important areas for the future FedRAMP Board to focus on in relation to FedRAMP. These areas included: allowing agencies faster access to increase scalability, reducing duplicative processes and lack of trust between agencies, modernizing security controls for the FedRAMP process, considering the evolving nature of the threat landscape, unifying disparate policy areas under one roof, expanding Open Security Controls Assessment Language (OSCAL) and investing in it, protecting data and monitoring it across authorization boundaries, addressing the challenges of increasing the FedRAMP Board’s size, improving efficiency through SLAs and triaging new controls, evaluating the sufficiency of NIST controls for artificial intelligent (AI) systems, clarifying and tightening controls for SaaS adoption, revisiting and making FedRAMP authorization more specific, incorporating essential shared security solutions, streamlining the authorization process, providing more frequent guidance updates, exploring tiering and customization for changes, addressing redundancy and delays in the authorization process, accommodating agency exceptions and low-impact SaaS solutions, seeking reciprocity and exploring the role of third parties, and creating opportunities for small businesses and faster testing of their products.
Michelle White, FSCAC DFO, opened the meeting by asking members to discuss their prioritization of initiatives. Members considered various factors, such as the order in which to tackle the initiatives and the next steps to make recommendations to the GSA Administrator. They suggested various areas of focus, like exploring market expansion, broadening the operational security focus with cloud service providers, and considering the role of Cyber Security Infrastructure Agency (CISA) beyond incident response. They also stressed the importance of starting with a small deliverable and building upon it. The need for automation, particularly in authorizations and continuous monitoring, is discussed due to its potential to save time and costs.
The members also discussed topics they would like to hear more about in future meetings, including insights from the Cloud Security Alliance and a threat-based monitoring approach. Potential next steps were mentioned, to include reviewing Governance and Risk Compliance (GRC) tools and exploring reciprocity requirements and CSP interactions. The timing of providing the compiled data and recommendations to the GSA Administrator were addressed, with the frequency of committee meetings determining the communication frequency.
The members requested access to existing documentation about the FedRAMP program, its issues, and where FedRAMP believes there is room for improvement, and expressed their interest in expanding on the federated authority to operate (ATO) concept and assisting with automation.
Michelle White opened the discussion up to the public to share their comments, with each person having three minutes to speak.
Gaurav Pal from StackArmor, Inc. suggests a study to show the costs and savings of having an ATO with FedRAMP versus without and combining economic programs.
Tom Ruff from Deep Water Point and Associates urges the committee to help small businesses find sponsors and make the FedRAMP process less intimidating.
Matt Topper from UBERETHER, INC believes FedRAMP certification would make an immense difference in their process.
Teri Marlene Prince, CEO of Terida, a small business trying to achieve FedRAMP certification, highlights the cost and timeline difficulties of the process.
Ann Lewis notes that the committee members are not entirely aligned on the top priority yet, but future meetings should help to determine it. She thanked the members for their thoughtful contributions and looks forward to working with them. The work done by the committee will benefit both cloud service providers and public-private partnerships. Matt Scholl inquires about where they will meet in the future, and Michelle White suggests meeting remotely but leaves it open for discussion. Marci Womack asks about the TBD slot on the committee, and Ann Lewis explains that they are still in the process of making a member selection.
Michelle White, FSCAC DFO, adjourned the meeting at 3:22pm.
Error, The Per Diem API is not responding. Please try again later.
No results could be found for the location you've entered.
Rates for Alaska, Hawaii, and U.S. territories and possessions are set by the Department of Defense.
Rates for foreign countries are set by the Department of State.
Rates are available between 10/1/2022 and 09/30/2025.
The End Date of your trip can not occur before the Start Date.
Traveler reimbursement is based on the location of the work activities and not the accommodations, unless lodging is not available at the work activity, then the agency may authorize the rate where lodging is obtained.
Unless otherwise specified, the per diem locality is defined as "all locations within, or entirely surrounded by, the corporate limits of the key city, including independent entities located within those boundaries."
Per diem localities with county definitions shall include"all locations within, or entirely surrounded by, the corporate limits of the key city as well as the boundaries of the listed counties, including independent entities located within the boundaries of the key city and the listed counties (unless otherwise listed separately)."
When a military installation or Government - related facility(whether or not specifically named) is located partially within more than one city or county boundary, the applicable per diem rate for the entire installation or facility is the higher of the rates which apply to the cities and / or counties, even though part(s) of such activities may be located outside the defined per diem locality.
U.S. General Services Administration