September 12, 2024 from 12:00 p.m. to 4:00 p.m. Eastern time
Location: Zoom
Agenda
| Allotted time | Topic | Presenter |
|---|---|---|
| 12-12:10 p.m. | Call to order; welcome and roll call; FACA public meetings | Designated Federal Officer Michelle White |
| 12:10-12:25 p.m. | Public comment (limit of three minutes per speaker) | Members of the public |
| 12:25-12:30 p.m. | Chair remarks | FSCAC Chair Larry Hale |
| 12:30-12:45 p.m. | Presentation: FedRAMP Memo | Representatives from FedRAMP and the Office of Management and Budget |
| 12:45-1:15 p.m. | Committee question-and-answer | FSCAC members, FedRAMP representative(s), and OMB representatives |
| 1:15-1:30 p.m. | Break | |
| 1:30-2:30 p.m. | Panel discussion: Industry | Jim McCartney, Global Telehealth Services; Brian DaSilva, Mark43; Tom Suder, Advanced Technology Academic Research Center; and FSCAC members |
| 2:30-3:30 p.m. | Panel discussion: Agency Liaisons | Ralph Jones, Department of the Treasury; David Meyer, Department of Education; Susan Schultz Searcy, Pension Benefit Guaranty Corporation; and FSCAC members |
| 3:30-4 p.m. | Key takeaways, closing remarks, and adjourn | FSCAC Chair Larry Hale and DFO Michelle White |
Call to order
Michelle White, FSCAC Designated Federal Officer
Michelle White introduced the purpose of the meeting and FSCAC. She welcomed members of the public attending and thanked those who left public comments. A quorum was established. Michelle welcomed the speakers for today and reviewed the purpose, outcomes, and agenda for the meeting.
Roll call:
- Larry Hale – Present
- Mike Vacirca – Present
- Carlton Harris – Present
- Kayla Underkoffler – Present
- Josh Krueger – Not Present
- Daniel Pane – Present
- Marci Womack – Present
- Branko Bokan – Present
- Matt Scholl – Present
- Bo Berlas – Present
- La Monte Yarborough – Present
- Nauman Ansari – Present
- Jackie Snouffer – Not Present
- Bill Hunt – Present
- Joshua Cohen – Present
Public comment
Members of the public
Public comments were provided by three individuals during the meeting.
Teri Prince from Terida criticized the FedRAMP approval process as overly bureaucratic and dominated by large contractors, but noted recent positive changes allowing for more organizations to participate without needing an invitation. Terida aims to certify over 1,000 organizations this month.
Colin Whitlatch from Kahua emphasized the need for stricter enforcement of FedRAMP-authorized systems by agencies to prevent security gaps and inefficiencies, as unauthorized systems create significant vulnerabilities.
Susan Schultz Searcy from the Pension Benefit Guaranty Corporation (PBGC) highlighted the challenge faced by CSPs in procuring Third-Party Assessment Organizations (3PAOs), as they are often too overwhelmed with existing work to take on new projects.
Chair remarks
Larry Hale, FSCAC Chair
Larry Hale opened the meeting with a concise recap of the previous FSCAC session, reaffirming the committee’s commitment to two key priorities for the year. He outlined today’s agenda, which would center on analyzing the impact of the OMB FedRAMP memo released on August 1, 2024, and gathering insights from stakeholders on their experiences with the FedRAMP authorization process. He stated today’s discussions were critical for shaping the committee’s recommendations in an upcoming report to the Administrator. Larry also introduced Pete Waterman, the new FedRAMP Director, who delivered an engaging introduction. Pete underscored the urgent need for enhanced technical communication and collaboration within the FedRAMP community. He pointed out the complexities of navigating compliance and the contrasting expectations between government and private sector operations. Pete called on the committee to concentrate on developing practical, actionable recommendations that can drive meaningful improvements across the entire community.
Presentation on FedRAMP memo
Ashley Mahan, Policy Analyst at the Office of Management and Budget; Laura Gerhardt, Director of Technology Modernization & Data at OMB; and Pete Waterman, FedRAMP Director
Laura discussed OMB Memo M-24-10’s efforts to modernize FedRAMP by improving customer experience, transparency, security, and cost efficiency. The memo introduces streamlined authorization paths for CSPs and agencies, including new single, multi-agency, and program authorizations, and promotes automation with digital packages using OSCAL, which agencies must adopt within two years.
Pete Waterman outlined FedRAMP’s response, highlighting preparations to implement the memo’s directives, developing new authorization paths, increasing technical capacity, and launching an agile delivery pilot. He stressed the complexity of these changes and the need for ongoing communication and community engagement.
Committee Q & A
Ashley Mahan, Policy Analyst at OMB; Laura Gerhardt, Director of Technology Modernization & Data at OMB; Pete Waterman, FedRAMP Director; and FSCAC Membership
Bill Hunt expressed high confidence in Pete’s new role and praised the improvements in the new memo, particularly regarding automation and public feedback. He criticized the memo’s narrow exceptions process, which he believes disadvantages small businesses and agencies by making it difficult to bypass the FedRAMP process. Laura acknowledged the concerns and explained that the memo includes provisions for temporary authorizations and the FedRAMP tailored process to address small business needs but recognized the exemptions may still be too restrictive. Kayla Underkoffler and Matt Scholl raised additional concerns about the scope of low impact systems and the need for clearer guidance on security assessments, particularly Red Teaming. The discussion concluded with a commitment to ongoing partnership and clarity to improve the implementation of FedRAMP processes.
Industry panel discussion
Jim McCartney, Global Telehealth Services; Brian DaSilva, Mark43; Tom Suder, Advanced Technology Academic Research Center (ATARC); and FSCAC Membership
The panel discussion highlighted various challenges and insights regarding the FedRAMP process. Jim shared his experience of navigating FedRAMP during and post-pandemic, noting issues like lengthy approval times and inconsistent guidance, which led to delays and additional assessments.
Brian described his struggles with misalignment between 3PAOs and PMO expectations, highlighting a disconnect in how findings were assessed and communicated.
Tom, representing ATARC, emphasized the need for improved resources and streamlined processes, suggesting that the cost and complexity of FedRAMP often lead to high turnover among teams working on these assessments.
The discussion also touched on the necessity of maintaining high standards and compliance while addressing inefficiencies in the 3PAO system as well as the need for better guidance and incentives for small businesses. Overall, the panel advocated for more centralized and consistent oversight, clearer guidance, and additional support to improve the FedRAMP process and make it more accessible and efficient for all stakeholders.
Agency liaisons panel discussion
Ralph Jones, Department of the Treasury; David Meyer, Department of Education; Susan Schultz Searcy, Pension Benefit Guaranty Corporation; and FSCAC Membership
Ralph shared that the Treasury has had a positive experience with FedRAMP since its inception in 2011, noting the PMO’s responsiveness and the program’s ability to instill confidence in CSPs meeting NIST controls. However, he highlighted challenges with Customer Responsibilities (CRs) and ConMon, suggesting that streamlining the CR process and improving consistency in ConMon reporting could be beneficial.
Susan echoed appreciation for FedRAMP’s guidance and collaboration but mentioned issues with outdated information in the FedRAMP portal and manual processes for access forms.
David, with experience across various roles, observed that while FedRAMP’s standardization is effective, there are pain points like the backlog of package reviews and challenges with ConMon across multiple agencies. He also noted issues with CSPs’ adoption of OSCAL and the need for better guidance from FedRAMP.
Josh Cohen inquired about the impact of market saturation on CSPs and acquisition decisions, with Sue explaining that her agency’s technical review board requires strong justification for new products if similar ones already exist.
Key Takeaways, Closing Remarks & Adjournment
Larry Hale, FSCAC Chair, and Michelle White, FSCAC DFO
Larry thanked the panelists and the committee for their participation today and noted several key takeaways from the FedRAMP memo, industry panel, and agency panel agenda items. Matt, Kayla, and Bo also provided several takeaways from both panel sessions, including opportunities for consistency improvements in FedRAMP guidance and further clarification needed around Red Teaming requirements.
Larry thanked the committee and speakers again and expressed that he is looking forward to continuing the discussion. Michelle White adjourned the meeting at 3:23 p.m. ET.
Committee members in attendance
- Larry Hale (Chair)
- Mike Vacirca
- Carlton Harris
- Kayla Underkoffler
- Daniel Pane
- Marci Womack
- Branko Bokan
- Matt Scholl
- Bo Berlas
- La Monte Yarborough
- Nauman Ansari
- Bill Hunt
- Joshua Cohen
Committee members absent
- Josh Krueger
- Jackie Snouffer
Guest speakers and presenters
- Pete Waterman, FedRAMP
- Laura Gerhardt, Office of Management and Budget
- Ashley Mahan, Office of Management and Budget
- Jim McCartney, Global Telehealth Services
- Brian DaSilva, Mark43
- Tom Suder, Advanced Technology Academic Research Center
- Ralph Jones, Department of the Treasury
- David Meyer, Department of Education
- Susan Schultz Searcy, Pension Benefit Guaranty Corporation
GSA staff present
- Michelle White, Designated Federal Officer
- D’Arcy Steiner, FSCAC Support Team
- Theresa West, FSCAC Support Team
- Clifton Johnson, FSCAC Support Team
- Taylor Juneau, FSCAC Support Team
- Megan Gallo, FSCAC Support Team
- Jake Ahearn, FSCAC Support Team
- David Waltermire, FedRAMP
- MacKenzie Robertson, GSA
- Bridget Dorward, FedRAMP
- Kylie Hunter, GSA
Members of the public present
- Elyse Grubb
- Annabelle Thompson, Captioner
- Robert Cringely, Terida
- Madison Cevallos, Gordian
- Teri Marlene Prince, Terida
- Jamie Leupold, Preveil
- Marcel Estevez
- Christian Baer, Schellman
- Meghan Guiney, Project Hosts
- Ajay Chandhok, Stratus Cyber
- Marie Drescher, PBGC
- Lynda Dunkwu, Fortreum
- Christine Biggs, Coalfire
- Scott Beauregard, Acadis
- Josh Blaher, Red Hat
- Lincoln Neely, Beryllium Infosec
- Derek White, Beryllium Infosec
- Jeff Baldwin, Beryllium Infosec
- Sharon Martin, Managed Nerds
- Wesley Callahan, DRT Strategies
- Michelle Vuolo, Tulip
- Colin Whitlatch, Kahua
- Collin Davenport, U.S. House of Representatives
- Daniel Sardinia
- Zoe Wai, NASA
- Jill Smith
- Jessica Salmoiraghi, BSA
- Ted Harwood, Move Works
- Dani Hillmer, Sentinel One
- Susan Ebner, Stinson