The Senate Homeland Security and Governmental Affairs committee passed an amended version of the Federal Secure Cloud and Jobs Improvement Act Wednesday, moving lawmakers one step closer to codifying the government’s primary program for approving secure cloud projects into U.S. law.
The Federal Secure Cloud and Jobs Improvement Act, sponsored by four members of the committee (Chair Gary Peters, D-Mich., along with Sens. Maggie Hassan, D-N.H., Steve Daines, R-Mont., and Josh Hawley, R-Miss.) passed unanimously after members adopted an amendment from Sen. Jon Ossoff, D-Ga., that would require a review of FedRAMP’s security posture.
The review would require FedRAMP to examine its security posture and consider a number of new potential measures, including whether there should be geolocation restrictions on contractor products and services, encryption mandates for the data they process, store or transmit, the disclosure for any “foreign elements” in the supply chain of acquired cloud technologies and the continued disclosure of foreign ownership stakes in cloud vendors who do business with the government.
Following the hearing, Ossoff told SC Media that, in addition to addressing concerns raised by ranking Republican Rob Portman last month about the lack of any language in the bill explicitly preventing cloud vendors from outsourcing parts of their code development to countries like Russia and China, the amendment would also give Congress greater visibility into supply chain threats to federal cloud assets from malicious hackers and foreign intelligence agencies.
“I’m glad we took the time to get this legislation right…I believe our substitute amendment is a good step forward toward addressing these issues and improving the security of cloud systems in the federal government more generally,” Portman said before voting for the amended bill.
Following the hearing, Peters told SC Media that the committee will also look into whether the FedRAMP office has the necessary personnel to better support the needs of federal agencies.
“The resource issue is part of what we’re working on. We’ve got to get this bill passed and we’ll be discussing…what potential resource needs are necessary,” he said.
A companion version of the main bill has already passed the House. In addition to codifying the program, it would update certain aspects of the FedRAMP program, establish a new Federal Secure Cloud Advisory Committee, lay the groundwork for greater automation and set up a framework to continuously monitor cloud assets for cybersecurity threats.
The program is considered vital for a federal government that has prioritized cloud adoption, but it has historically faced criticism from agencies and vendors that the authorization process moves too slowly, though its adherents point out that in recent years the program has doubled the number of authorized cloud providers, whose authorizations have been re-used by other agencies more than 2,000 times.
“When you consider FedRAMP and the time and cost, I ask that we take time to look at policy versus fact, experience versus inexperience and really get down to the meat of why these sometimes take so long…and what part of that is on the [provider] and what part of that is on the program,” said Steve Kovac, chief compliance officer and head of global affairs at Zscaler at a roundtable Senate hearing on FedRAMP last month. “I think there’s been improvement in those areas, but there’s definitely been drastic improvement since I’ve been part of this program over the past 10 years.”
In a conversation with SC Media last month, Brian Conrad, who leads the FedRAMP program at the General Services Administration, said the program has more than tripled the number of kickoff meetings it has held with vendors and agencies over the same period last fiscal year — from 11 to 37 — in an effort to reduce the number of revisions that need to be made before authorizing a package.
He pointed to a number of factors that contribute to some of these frustrations, including the need for rigorous security evaluation, the quality of the initial applications submitted by agencies and vendors and ensuring that the same products and services can be safely used across different departments and agencies.
“It’s a collaborative effort to protect federal information. Everybody has their role, the [assessors] are doing validation, the cloud service providers are implementing controls, the agencies are doing assessments and accepting risk and the FedRAMP [program office] is making sure it’s all tied together in a neat bow,” Conrad told SC Media.