Lawmakers on the Senate Homeland Security and Governmental Affairs Committee plan to update pending legislation codifying the federal government’s top cloud security certification program to account for global risks in the software supply chain.
In a roundtable hearing Tuesday, committee chair Gary Peters, D-Mich., said his staff is working to add a provision to the Federal Secure Cloud Improvement and Jobs Act that would require the General Services Administration and the FedRAMP cloud authorization program to assess the geographic provenance of software code that is developed for cloud products and services used by federal agencies.
The changes are being made at the behest of ranking Republican Rob Portman, R-Ohio, who did not co-sponsor the bill and expressed concerns that current language could leave federal cloud systems reliant on software code outsourced to engineers in China or other geopolitical rivals and create openings for foreign governments to exploit or compromise U.S. cloud assets.
The new provision put forward by Portman would give GSA both the authority and requirement to review “the sufficiency of underlying standards and requirements to identify and assess the provenance of the software in cloud services and products in the FedRAMP program.”
“The current program has some weaknesses in it … that have left it vulnerable to foreign-backed hackers targeting cloud systems — that would include China, that would include Russia,” Portman said. “Right now, we do not have sufficient safeguards in place to identify and prevent foreign interference in our cloud system and I believe that must change before we codify this program.”
Later in the hearing, Peters said his staff is “working on changing this language right now” to include the requirement.
The FedRAMP program is responsible for certifying secure cloud products and services for much of the civilian federal government. As agencies have been pressed to move their systems and assets to the cloud over the past decade, and nation-state hacking groups have increasingly targeted cloud service providers, the program has become an important component of federal cybersecurity.
In more recent years, national security officials have started paying closer attention to the risks posed by software or hardware that is produced in other countries and could potentially be taken advantage of by foreign governments or malicious hackers. The SolarWinds compromise demonstrated the effectiveness of corrupting a software update, while the Kaseya ransomware attack underlined the broad impact and value of targeting the software of cloud service providers to compromise their customers.
While testifying to the committee, Chain Security CEO Jeff Stern said his company had passed along a number of “observations” to FedRAMP officials in 2019 about potential gaps in their processes that do not seem to assess where cloud software is developed geographically or require vendors to disclose to the government how they outsourced software development to the federal government.
“Our recommendation: you may not be able to stop this because of the global supply chain, but at the very least the buyer or user at [the Department of Defense] or [Department of Homeland Security] or wherever should be able to know how much of the code was written overseas and what percentage was written overseas,” Stern asserted.
Ashley Mahan, acting assistant commissioner for the technology transformation services at GSA where FedRAMP is implemented, said the agency had incorporated some of Stern’s initial suggestions and is working with the National Institute for Standards and Technology to develop new security controls focused on the cloud supply chain.
"I do think that this is an area that is continuing to evolve daily and from a program standpoint, we’re committed to evolve with it,” Mahan told lawmakers. In terms of geolocation for the government’s most sensitive unclassified data … there are geolocation restrictions to U.S. and territories with U.S. jurisdiction.”
A companion version of the Federal Secure Cloud Improvement and Jobs Act without the new language has already passed the House and was recently inserted as an amendment into the pending annual defense authorization bill.