An official website of the United States government
Here’s how you know
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock
( )
or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
September 12, 2024 from 12:00 p.m. to 4:00 p.m. Eastern time
Location: Zoom
|
ALLOTTED TIME |
TOPIC |
PRESENTER |
|---|---|---|
| 12-12:10 p.m. | Call to order Welcome and roll call FACA public meetings |
Designated Federal Officer Michelle White |
| 12:10-12:25 p.m. | Public comment (limit of three minutes per speaker) | Members of the public |
| 12:25-12:30 p.m. | Chair remarks | FSCAC Chair Larry Hale |
| 12:30-12:45 p.m. | Presentation: FedRAMP Memo | Representatives from FedRAMP and the Office of Management and Budget |
| 12:45-1:15 p.m. | Committee question-and-answer | FSCAC members, FedRAMP representative(s), and OMB representatives |
| 1:15-1:30 p.m. | Break | |
| 1:30-2:30 p.m. | Panel discussion: Industry |
Jim McCartney, Global Telehealth Services; |
| 2:30-3:30 p.m. | Panel discussion: Agency Liaisons |
Ralph Jones, Department of the Treasury; David Meyer, Department of Education; Susan Schultz Searcy, Pension Benefit Guaranty Corporation; and FSCAC members |
| 3:30-4 p.m. | Key takeaways, closing remarks, and adjourn | FSCAC Chair Larry Hale and DFO Michelle White |
Michelle White introduced the purpose of the meeting and FSCAC. She welcomed members of the public attending & thanked those who left public comments. A quorum was established. Michelle welcomed the speakers for today. Michelle reviewed the purpose, outcomes & agenda for the meeting.
Roll call:
Public comments were provided by three individuals during the meeting.
Teri Prince from Terida criticized the FedRAMP approval process as overly bureaucratic and dominated by large contractors, but noted recent positive changes allowing for more organizations to participate without needing an invitation. Terida aims to certify over 1,000 organizations this month.
Colin Whitlatch from Kahua emphasized the need for stricter enforcement of FedRAMP-authorized systems by agencies to prevent security gaps and inefficiencies, as unauthorized systems create significant vulnerabilities.
Susan Schultz Searcy from the Pension Benefit Guaranty Corporation (PBGC) highlighted the challenge faced by CSPs in procuring Third-Party Assessment Organizations (3PAOs), as they are often too overwhelmed with existing work to take on new projects.
Larry Hale opened the meeting with a concise recap of the previous FSCAC session, reaffirming the committee’s commitment to two key priorities for the year. He outlined today’s agenda, which would center on analyzing the impact of the OMB FedRAMP memo released on August 1, 2024, and gathering insights from stakeholders on their experiences with the FedRAMP authorization process. He stated today’s discussions were critical for shaping the committee’s recommendations in an upcoming report to the Administrator. Larry also introduced Pete Waterman, the new FedRAMP Director, who delivered an engaging introduction. Pete underscored the urgent need for enhanced technical communication and collaboration within the FedRAMP community. He pointed out the complexities of navigating compliance and the contrasting expectations between government and private sector operations. Pete called on the committee to concentrate on developing practical, actionable recommendations that can drive meaningful improvements across the entire community.
Laura discussed OMB Memo M-24-10’s efforts to modernize FedRAMP by improving customer experience, transparency, security, and cost efficiency. The memo introduces streamlined authorization paths for CSPs and agencies, including new single, multi-agency, and program authorizations, and promotes automation with digital packages using OSCAL, which agencies must adopt within two years.
Pete Waterman outlined FedRAMP’s response, highlighting preparations to implement the memo’s directives, developing new authorization paths, increasing technical capacity, and launching an agile delivery pilot. He stressed the complexity of these changes and the need for ongoing communication and community engagement.
Bill Hunt expressed high confidence in Pete’s new role and praised the improvements in the new memo, particularly regarding automation and public feedback. He criticized the memo’s narrow exceptions process, which he believes disadvantages small businesses and agencies by making it difficult to bypass the FedRAMP process. Laura acknowledged the concerns and explained that the memo includes provisions for temporary authorizations and the FedRAMP tailored process to address small business needs but recognized the exemptions may still be too restrictive. Kayla Underkoffler and Matt Scholl raised additional concerns about the scope of low impact systems and the need for clearer guidance on security assessments, particularly Red Teaming. The discussion concluded with a commitment to ongoing partnership and clarity to improve the implementation of FedRAMP processes.
The panel discussion highlighted various challenges and insights regarding the FedRAMP process. Jim shared his experience of navigating FedRAMP during and post-pandemic, noting issues like lengthy approval times and inconsistent guidance, which led to delays and additional assessments.
Brian described his struggles with misalignment between 3PAOs and PMO expectations, highlighting a disconnect in how findings were assessed and communicated.
Tom, representing ATARC, emphasized the need for improved resources and streamlined processes, suggesting that the cost and complexity of FedRAMP often lead to high turnover among teams working on these assessments.
The discussion also touched on the necessity of maintaining high standards and compliance while addressing inefficiencies in the 3PAO system as well as the need for better guidance and incentives for small businesses. Overall, the panel advocated for more centralized and consistent oversight, clearer guidance, and additional support to improve the FedRAMP process and make it more accessible and efficient for all stakeholders.
Ralph shared that the Treasury has had a positive experience with FedRAMP since its inception in 2011, noting the PMO’s responsiveness and the program’s ability to instill confidence in CSPs meeting NIST controls. However, he highlighted challenges with Customer Responsibilities (CRs) and ConMon, suggesting that streamlining the CR process and improving consistency in ConMon reporting could be beneficial.
Susan echoed appreciation for FedRAMP’s guidance and collaboration but mentioned issues with outdated information in the FedRAMP portal and manual processes for access forms.
David, with experience across various roles, observed that while FedRAMP’s standardization is effective, there are pain points like the backlog of package reviews and challenges with ConMon across multiple agencies. He also noted issues with CSPs’ adoption of OSCAL and the need for better guidance from FedRAMP.
Josh Cohen inquired about the impact of market saturation on CSPs and acquisition decisions, with Sue explaining that her agency’s technical review board requires strong justification for new products if similar ones already exist.
Larry thanked the panelists and the committee for their participation today and noted several key takeaways from the FedRAMP memo, industry panel, and agency panel agenda items. Matt, Kayla, and Bo also provided several takeaways from both panel sessions, including opportunities for consistency improvements in FedRAMP guidance and further clarification needed around Red Teaming requirements.
Larry thanked the committee and speakers again and expressed that he is looking forward to continuing the discussion. Michelle White adjourned the meeting at 3:23p ET.
Error, The Per Diem API is not responding. Please try again later.
No results could be found for the location you've entered.
Rates for Alaska, Hawaii, and U.S. territories and possessions are set by the Department of Defense.
Rates for foreign countries are set by the Department of State.
Rates are available between 10/1/2022 and 09/30/2025.
The End Date of your trip can not occur before the Start Date.
Traveler reimbursement is based on the location of the work activities and not the accommodations, unless lodging is not available at the work activity, then the agency may authorize the rate where lodging is obtained.
Unless otherwise specified, the per diem locality is defined as "all locations within, or entirely surrounded by, the corporate limits of the key city, including independent entities located within those boundaries."
Per diem localities with county definitions shall include"all locations within, or entirely surrounded by, the corporate limits of the key city as well as the boundaries of the listed counties, including independent entities located within the boundaries of the key city and the listed counties (unless otherwise listed separately)."
When a military installation or Government - related facility(whether or not specifically named) is located partially within more than one city or county boundary, the applicable per diem rate for the entire installation or facility is the higher of the rates which apply to the cities and / or counties, even though part(s) of such activities may be located outside the defined per diem locality.
U.S. General Services Administration