August 14, 2025 Open Public Meeting Agenda
| Allotted Time | Topic | Presenter |
|---|---|---|
| 1:30-1:40 p.m. | Call to order; welcome and roll call; FACA public meetings | Ryan Hoesing, Designated Federal Officer |
| 1:40-2 p.m. | Public comment (limit three minutes per speaker) | Members of the public |
| 2-2:05 p.m. | Chair remarks | Larry Hale, Federal Secure Cloud Advisory Committee Chair |
| 2:05-3 p.m. | Deliberations about Plan of Action and Milestones (POA&Ms): committee members share initial discovery on these assigned questions: (1) What are the major pain points with the current POA&M implementation for CSPs and agencies? (2) What are the security gaps and increased risks (including missed opportunities) that result from the current model? (3) What are the benefits of the current model? (4) What would a new set of POA&M requirements for FedRAMP that addresses the major pain points and gaps, while maintaining or increasing the benefits of such a process for all parties, look like? Pre-read materials provided to the FSCAC members in advance of the meeting to help aid in discussion: https://github.com/FedRAMP/community/discussions/70 | FSCAC membership |
| 3-3:10 p.m. | Break | |
| 3:10-3:50 p.m. | Deliberations: committee members develop initial recommendations based on discovery about updating POA&M standards | FSCAC membership |
| 3:50-4 p.m. | Closing remarks & adjourn | Larry Hale, Federal Secure Cloud Advisory Committee Chair; Ryan Hoesing, Designated Federal Officer |
Welcome & call to order (1:30-1:40 p.m.)
Ryan Hoesing, FSCAC designated federal officer
Summary:
Role of the DFO / purpose of the meeting
Ryan Hoesing introduced himself as the new DFO, called the meeting to order, welcomed attendees, and confirmed the meeting was being conducted under Federal Advisory Committee Act requirements. He introduced the meeting’s focus on Plan of Action and Milestones (POA&Ms) and whether the current model remains fit for purpose in today’s dynamic cloud environments. Ryan went through the meeting’s roll call and a quorum was established.
Roll call:
- Larry Hale – Present
- Michael Vacirca – Not Present
- Carlton Harris – Present
- Josh Krueger – Present
- Daniel Pane – Present
- Branko Bokan – Present
- Victoria Pillitteri – Present
- La Monte Yarborough – Not Present
- Jacqueline Snouffer – Present
- Bill Hunt – Present
- Adam Schneider – Present
- Patrick Breen – Present
- Rex Booth – Present
Objectives and framing
The DFO shared the full agenda with the committee and the purpose of the day was framed as follows:
- Provide actionable input to modernize the FedRAMP POA&M process.
- Ensure the process reflects current cloud security realities.
- Address the needs of federal agencies, cloud providers, and assessors alike.
Key goals outlined for the meeting included:
- Identifying pain points with the current POA&M structure.
- Exploring inefficiencies and security gaps introduced by the legacy POA&M model.
- Recognizing elements of the current model worth preserving.
- Drafting early principles to shape formal Committee recommendations.
Procedural notes
Ryan also covered virtual meeting etiquette:
- Use of the “Raise Hand” function to speak.
- Request to state names when speaking.
- Reminder to remain on mute when not speaking.
Public comment (1:40-2:00 p.m.)
Members of the public
During the public comment session, three stakeholders raised concerns about the POA&M process:
Nicolas Colarossi (SAP) highlighted misalignment between how cloud service providers internally assess risk and government expectations for POA&M submissions. He noted that different agencies have varying expectations for POA&Ms, with some expecting monthly status updates on all items regardless of necessity. He emphasized the excessive scope of documentation requirements, suggesting the process would be more effective if oriented toward project-based scenarios rather than routine vulnerability tracking.
Ralph Jones (Department of Treasury) expressed support for proposed POA&M process changes and suggested focusing less on detailed vulnerabilities and more on systemic trends. He advocated for reviewing how CSPs address issues over time through projects rather than tracking individual vulnerabilities.
Matthew Smagin (PBGC) raised questions about vendor dependency and operational requirements tracking in POA&Ms, noting confusion about whether these items require ongoing remediation efforts or can remain static.
Chair remarks (2:00-2:05 p.m.)
Larry Hale, FSCAC chair
Larry Hale opened by reinforcing the committee’s purpose to provide actionable advice to improve FedRAMP for all stakeholders. He acknowledged the meaningful progress across FedRAMP since the last meeting, including new authorization pilots and policy modernization efforts. He emphasized that today’s focused discussion on POA&Ms aimed to tackle key questions about where the current model works, where it falls short, and what a modern cloud-smart approach would look like.
Deliberations: Initial discovery; pain points and security gaps (2:05-3:00 p.m.)
FSCAC membership
The following questions were shared with the committee members in advance of the meeting:
- What challenges do agencies or CSPs face under the current POA&M structure?
- What are the security gaps and increased risks (including missed opportunities) that result from the current model?
- What are some of the benefits of the current model?
- What would a new set of POA&M requirements for FedRAMP that addresses the major pain points and gaps, while maintaining or increasing the benefits of such a process for all parties, look like?
Committee members identified several critical pain points with the current POA&M structure. The scope of the POA&M has created confusion about its purpose, and the conflation of continuous monitoring (ConMon) with POA&M tracking was also noted: all high-risk findings receive the same treatment regardless of exploitability, leading to inefficient resource allocation and excessive time spent on documentation rather than remediation. The POA&M process was characterized as an expensive compliance exercise with minimal value, lacking a widely accepted standard and burdened by varying agency requirements. There was an emphasis on the need for automation in reporting weaknesses and a focus on externally facing vulnerabilities, rather than an overload of information. Additionally, the committee discussed tactical issues such as template ambiguity, excess data collection, and the potential for costs to be passed on to taxpayers without a clear reduction in risk.
The committee also addressed security gaps resulting from the current POA&M model, including the diversion of critical security resources to lower-value vulnerabilities and ineffective risk management under CVSS-driven prioritization, which ranks findings by severity score rather than by actual exploitability. Concerns were raised that information is already outdated even on monthly reporting cycles, and that agencies have limited visibility into overall security posture beyond vulnerability counts. The lack of continuous visibility, with heavy reliance on CSPs to interpret and document scan results without automated validation, was another key concern. Furthermore, the inability to accept residual risk, a step that NIST SP 800-37 provides for in the authorization process, was viewed as unnecessarily complicating the process. Despite these gaps, members acknowledged that when properly implemented, POA&Ms can provide consistent risk tracking, serve as a compliance enforcement mechanism, and offer a structured record for authorization contingencies.
Deliberations: Recommendations for improvement (3:10-4:00 p.m.)
FSCAC membership
Based on the discussion, several key recommendations emerged for improving the POA&M process. The committee advocated for clearly defining what agencies need to see in terms of risk, while enabling flexibility in how CSPs share that information. This included redefining or clarifying the data dictionary or schema, and addressing the current struggle to align agency understanding and expectations. A major recommendation was to decouple continuous monitoring (ConMon) from POA&Ms: POA&Ms would focus on project-based risks with extended timelines, while agencies would track potential security risks more regularly through ConMon.
Automation and a shift away from static spreadsheets towards machine-readable, real-time tracking with dashboards were also prioritized, while recognizing the need to avoid a centralized collection point that removes internal flexibility for CSPs. Ultimately, the recommendations aimed to shift the focus from raw vulnerability counts to systemic risk trends and exploitable vulnerabilities, aligning the purpose of POA&Ms toward risk management rather than pure compliance, and improving transparency and communication by clarifying the intended purpose of POA&Ms and better communicating residual risk acceptance.
Pete Waterman, FedRAMP director
The Chair opened the floor to Pete Waterman, FedRAMP Director, to share FedRAMP's strategy regarding the release of updated guidance and standards as it pertains to POA&Ms. Pete offered two paths: FedRAMP could wait for the committee to convene again and vote on formal recommendations to be submitted to the GSA Administrator in September, or, if the committee was comfortable, FedRAMP could move forward now with releasing draft guidance for a public comment period based on the discussions and deliberations shared in today's FSCAC meeting. The committee, without objection, encouraged Pete to move forward with updates based on today's comments.
Next steps, closing remarks & adjournment (4:00 p.m.)
Larry Hale, FSCAC chair
Larry thanked the committee for their participation, and the Committee noted several next steps based on the day's conversation. FedRAMP will move forward with an open request for comment on updates to the POA&M process, and the committee will use one of its next meetings to solidify its recommendations on POA&Ms to the GSA Administrator. Larry thanked the committee and speakers again and said he looks forward to continuing the discussion.
Certification of chair
I hereby certify that, to the best of my knowledge, the foregoing minutes of the proceedings are accurate and complete.
Digitally Signed by Lawrence Hale
Date 8/20/2025
Appendix A
Committee members in attendance
Larry Hale (Chair)
Carlton Harris
Josh Krueger
Daniel Pane
Branko Bokan
Victoria Pillitteri
Jacqueline Snouffer
Bill Hunt
Adam Schneider
Patrick Breen
Rex Booth
Committee members absent
Michael Vacirca
La Monte Yarborough
FSCAC staff present
Ryan Hoesing, Designated Federal Officer
Additional speakers present
Pete Waterman, FedRAMP Director
GSA staff present
Marcia Simms, GSA
John Hamilton, GSA
Kylie Hunter, GSA
Bryan Pablo, GSA
Elisha Crow, GSA
Tara Dunlop Jackson, GSA
Paul Agosta, GSA
Members of the public present
Nicolas Colarossi, SAP
Ralph Jones, Department of Treasury
Matthew Smagin, PBGC
Nancy Herbert, Newberry-GS
Tyler Duderstadt, RegDox
Cindy Lundstrom, Microsoft
Jim Beckner III, Trimble
Brian Conrad, Zscaler
Ryan Wasmus, IT-CNP
Pam Culbreath, SAP NS2
Frank Csech, Salesforce
Richard Beutel, Cloud Maven
Ben Globus, Baker Street Inc
Josh Blaher, Red Hat
George Lee, Confluent
Jonathon Loughran, Rapid7
Michael Stolz, Adobe
Matt Hungate, Schellman
Philip Menchaca, GAO
Lindsey Laney, Monster
Cynthia Bergevin, Knowledge Services
Allie De La O, Amazon
Roberto Villegas, Knowledge Services
Mario Davila, PWC
Beverly Brandt, SAP
Em Gross, GovRamp
Arshad Fahad, VMware/Broadcom
Neelaxi Lakhmani, GAO
Daren Fairbanks, USBR
Drew Kahle, Rubrik
Allen Dininger, Knowledge Services
Meghan Guiney, Project Hosts
Angie Young, Knowledge Services
Tracy Okoroh, Salesforce
Ryan OKeefe, Axon
AJ Malik, Quzara
Alex Halbritter, Salesforce
Dana Scaffido, Coalfire
Haseeb Aslam, Rubrik
Taimur Masood, Microsoft
Jorden Foster, Coalfire
Buky Alalade, ICE DHS
Kofi Adomako, PBGC
Christian Baer, Schellman
Samuel Leestma, CSP-AB
Ryan Schump
Mohammed Hassan, First InfoTech
Napoleon OBrien, RegDox
Patrick O’Laughlin, Atlassian
KiHak Hwang, First InfoTech
Nick Son, Amazon
Ari Jigarjian, Salesforce