FSCAC Public Comments
Columns: Created | Last Name | First Name | Agency/Organization | Email Address | Public Comment
Row 1
Created: 03/28/24 2:56 PM
Last Name: Keim
First Name: Ann Marie
Agency/Organization: Lone Rock Point (working with WordPress VIP)
Email Address: akeim1@yahoo.com
Public Comment:
Comment regarding issues with specific controls:

FedRAMP adding the Red Team Exercise to the moderate baseline has caused an undue burden on small CSPs. Costs from 3PAOs are ranging from $30-$90k for this exercise ON TOP of the required pen test. Add that to the $255k for an annual assessment and we're close to half a million for an ANNUAL assessment!!
Row 2
Created: 03/28/24 2:54 PM
Last Name: Keim
First Name: Ann Marie
Agency/Organization: Lone Rock Point (working with WordPress VIP)
Email Address: akeim1@yahoo.com
Public Comment:
A comment about cost of authorization...
An RFP for an annual assessment including new rev 5 controls, FedRAMP core and 1/3 of remaining controls (~200 controls) was put out.
4 responses came in, all within $10 of each other: $245-255k!!! That is a HUGE hit for a small CSP that was budgeting $150k based on the cost of the initial assessment.
Row 3
Created: 03/12/24 1:10 PM
Last Name: Neidich
First Name: Jim
Agency/Organization: Kratos
Email Address: jim.neidich@kratosdefense.com
Public Comment:
I've been asked to participate from the 3PAO community.
Row 4
Created: 09/29/23 11:45 AM
Last Name: Berkeley
First Name: Gayle
Agency/Organization: Berkeley Group, LLC
Email Address: gayle@theberkeleys.com
Public Comment:
As a serial FedRAMP sherpa for Cloud Service Providers, I have observed in multiple organizations that aside from bearing the costs associated with implementing FedRAMP, Agency Partnership is one of the most challenging barriers to Authorization. Agencies find it overly burdensome to review thousands of pages of material and technical diagrams to issue ATO Letters, then they must manage ongoing ConMon activity, and they spend too much time post ATO dealing with evaluation of system changes that may not impact them in any way. Multiply Agency partnership by two, three, four, or five partnerships and the burden on CSPs to work with multiple individual Agencies is burdensome as well (although a nice problem to have).

To increase the government’s adoption of secure cloud services, the Authorization process should move towards a new model that reduces or removes friction where possible for both Agencies and CSPs. Some suggestions:

- An Authorization “JAB-light” should be available to all CSPs so the government can remove the Agency Partnership requirement. This would resolve a significant barrier to bringing secure cloud solutions to market for government.

- Removing the Agency Partnership requirement would also eliminate significant friction for government adoption of secure cloud solutions. Agencies would still perform their required A&A procedures and obtain assistance from CSPs as needed to perform this work, but without the added layers of FedRAMP-specific procedural requirements and time commitment.

- For CSPs, implementing a FedRAMP Security Baseline and having the service offering’s posture fully validated at least annually by a qualified 3PAO should lead more directly to FedRAMP Review, and barring any major concerns, FedRAMP Authorization and Marketplace listing.

- SaaS offerings (features and security posture) are supposed to change and evolve, and services need to be updated on a continual basis to improve both security and functionality. It shouldn’t require multiple layers of review, permission, and approval to make a change that delivers better functionality and value for adopters, provided security posture remains equivalent or better.

- A SaaS solution meeting FedRAMP requirements should be accepted for government use in general vs. tailored to the risk profile or requirements of any single (partnering) agency, which is another reason the Agency Partnership model and significant change processes create added cost and barriers. Treat SaaS more like COTS and it will alleviate both costs and barriers.

- The current backlog to review Authorization packages is a challenge for both CSPs wanting to offer and Agencies wanting to use secure cloud services. Anything that can be done to resolve that backlog and streamline the process to avoid backlogs will benefit all stakeholders.

- Finally, I want to take a minute to say thank you to the entire FedRAMP PMO team; they are a highly helpful, responsive, and service-minded group, and it is always a pleasure to work with them. They are among the finest our government employs.

Thank you for inviting public comment.
Gayle Berkeley
Row 5
Created: 06/07/23 10:00 AM
Last Name: Prince
First Name: Teri
Agency/Organization: TERIDA LLC
Email Address: tprince@terida.com
Public Comment:
I am writing in respect of the information provided / discussed at the May 25th Federal Secure Cloud Advisory Committee (FSCAC) Meeting, in which there was a great deal of discussion of small businesses and their difficulties funding the costs of FedRAMP.

TERIDA LLC is the smallest small business on the FedRAMP Marketplace. Our FedRAMP sponsor is the United States, and we are facing huge costs for the upcoming 3PAO SAR Assessments, and huge costs for the tools and monitoring to maintain our FedRAMP stats. So far we have not found anyone or any program to cover these costs.

Would you provide me with any information that you have available re SBA assistance for FedRAMP expenses?

I had spoken with various financial institutions re SBA loans and they explained that this was not a purpose that they could support. (Cybersecurity is not a fundable item for them.)

I require an emergency loan. My understanding is that this is available to very small women-owned companies; please provide details.
I was also told about the DoD / DBA Capital Funding Office and SBIC special purpose funds for these matters; please provide details as well.
Would it be possible to set up a meeting with the SBA rep on the FSCAC, Federal Secure Cloud Advisory Committee? I believe his name is Nauman Ansari.
Row 6
Created: 05/31/23 3:51 PM
Last Name: Shilawat
First Name: Sandeep
Agency/Organization: ADI Infocon LLC
Email Address: shilawat@gmail.com
Public Comment:
I was looking to join this committee as founder and chair of the WashingtonExec Cloud Council, a Cloud COE member, and also as a member of the Cloud Acquisitions Forum. Also, the Smartsheet form mentioned the committee's website for the public to join the meeting as an open forum, but it has expired. The next meeting mentioned is a meeting in the past.

In the past I have spoken to Sonny Hashmi about it when he was keynote speaker at one of our Cloud Council meetings. Let me know if there is a way to join this forum.

My brief bio is attached herewith.

Thank you
Sandeep Shilawat
www.linkedin.com/in/shilawat
Row 7
Created: 05/18/23 12:00 PM
Last Name: Ruff
First Name: Tom
Agency/Organization: Deep Water Point and Associates
Email Address: tom.ruff@dwpassociates.com
Public Comment:
With the recent mandate by which FedRAMP has now become law, there will no doubt be an increase in the number of companies seeking FedRAMP accreditation. The increase will need to be handled via the Agency Sponsors, yet the backlog of companies in the FedRAMP Ready state continues to grow. What incentives can be put in place for Agencies / Government employees to take on more sponsorships? Additional accreditations drive innovation, which makes our government / country more secure and competitive.
Row 8
Created: 05/17/23 8:20 AM
Last Name: Weiler
First Name: John
Agency/Organization: IT Acquisition Advisory Council
Email Address: john.weiler@IT-AAC.org
Public Comment:
As one of the co-authors of both of OMB's Cloud First and Cloud Smart policies, architect of FITARA, and the principal architect of DOD's Cloud Broker Framework, we at the IT-AAC see significant opportunities to accelerate IT Modernization and Digital Transformation across the Public Sector. We also have concerns with long-standing barriers to innovation and change that continue to impede progress if not addressed:
1) Federal IT Workforce talent gaps that are leading to outsourcing of critical thinking and inherently governmental functions to large contractors with profit motives.
2) Limited access to emerging commercial best practices, lessons learned and innovations being driven out of Fortune 500 and Silicon Valley. RFI and Market Research efforts are only reaching traditional suppliers.
3) Limited embrace of advanced portfolio management and application refactoring tools that are needed to make Cloud migration cost effective. Huge source of avoidable waste.
4) Unrestricted revolving door and influence peddling is undermining Fair and Open Competition as seen with JEDI Cloud and C2S. EO 14036 and FAR 9.5 need better enforcement.
5) Lack of enforcement of FAR Part 35 that should prohibit FFRDCs from unfairly competing with SMBs, and this too needs attention.
Row 9
Created: 05/11/23 9:57 PM
Last Name: Pal
First Name: Gaurav
Agency/Organization: stackArmor, Inc
Email Address: gpal@stackArmor.com
Public Comment:
I am very happy about the formation of the Federal Secure Cloud Advisory Committee (FSCAC) and for the opportunity to participate in the process to help improve and enhance the FedRAMP program.

I would like to offer that FSCAC, should consider ways to facilitate the availability of FedRAMP P-ATO sponsorships or to help make it easier to find Initiating Agencies for Commercial ISVs. The inability to find sponsors is a challenging problem for innovative commercial cloud service providers that discourages many participants from offering their solutions to the Federal cloud marketplace.

Also, the FSCAC should consider ways that Small Businesses could have a fast-track pathway for FedRAMP P-ATOs to allow for new and nimble solution providers to participate in the rapidly growing Federal cloud marketplace. Perhaps a collaboration between SBA and GSA while using existing financial incentive programs or loans could be used to pay for the initial preparation and assessment.

I appreciate the opportunity to participate in the FSCAC meeting and would be happy to be a resource to continue to assist based on my nearly decade plus of association with the FedRAMP program.

Very respectfully,
GP
Gaurav Pal