FSCAC Public Comments
Columns: Created | Last Name | First Name | Agency/Organization | Email Address | Public Comment

Row 1 | Created: 11/14/24 9:53 AM | Last Name: Navaratnam | First Name: Laura | Agency/Organization: Cloud Service Providers - Advisory Board (CSP-AB) | Email Address: lnavaratnam@csp-ab.com
Public Comment:
The FedRAMP roadmap aims to “Increase the authorizing capacity of the FedRAMP ecosystem” in accordance with the OMB M-24-15 Modernizing FedRAMP strategic goal to “Rapidly increase the size of the FedRAMP Marketplace…” One of the primary contributors to this goal will be the outcome of the Agile Delivery Pilot, which looks to remove explicit FedRAMP approval for every change so long as a CSP demonstrates due diligence in their change management processes. However, only Federal Civilian agencies will benefit from the outcome of this goal if the challenge associated with reciprocity for IL4/5 when a Cloud Service Offering is approved for FedRAMP High+ isn’t addressed. Furthermore, the parity gap between FedRAMP Moderate environments and those hosting DoD workloads will continue to be exacerbated as Cloud Service Offerings are approved at a more rapid rate in FedRAMP Moderate environments vs. DoD IL4/5 environments.

Currently, the CR process for DISA and the SCR process for FedRAMP have different lead times, process flows, and required approvals from various leaders within those organizations. This challenge does not exist for DoD IL2 workloads since IL2 authorization is automatically reciprocated with FedRAMP Moderate authorization. Is the FSCAC willing to make a recommendation to the GSA administrator to influence the DoD to integrate the IL4/5 approval workflow into the FedRAMP process so that IL4/5 authorization is reciprocated with FedRAMP High+ authorization and ultimately the war fighter can benefit from the modernization efforts coming to FedRAMP?

Row 2 | Created: 11/11/24 4:37 PM | Last Name: Eldakdoky | First Name: Hazem | Agency/Organization: CSP-AB | Email Address: heeldakd@csp-ab.com
Public Comment:
The FedRAMP ConMon risk management deficiency triggers are designed to bring focus to Cloud Service Providers (CSPs) who are not performing adequate vulnerability management. For example, CSPs who have 5 or more unique vulnerabilities aged greater than 30 days will receive Detailed Finding Reviews (DFRs). The 5+ rule applies whether a CSP is managing a million+ or 100 host fleet. For example, the CSP who has 5 unique vulnerabilities aged greater than 30 days in a fleet of 100 hosts has 5% of their total fleet that is not patched within the FedRAMP ConMon performance guidelines. The CSP who has the same number of vulnerabilities (5) amongst a much larger fleet of 1 million hosts has .0005% of their fleet that is not patched within the performance guidelines. However, both will receive the same level of escalation. In a time where FedRAMP programmatic oversight resources are stretched thin, the FedRAMP CSP Marketplace is expected to grow at a rapid pace, and ConMon responsibilities will increase, we believe the FSCAC should formulate a recommendation to enhance the risk management deficiency triggers to not remain static regardless of the scale and complexity of a CSP. Rather the deficiency triggers should be more adaptive to vulnerability management at scale considerations. Is the FSCAC open to making a recommendation to address this challenge? If yes, how can the public facilitate the formulation of this recommendation?

Row 3 | Created: 09/12/24 2:35 PM | Last Name: Beauregard | First Name: Scott | Agency/Organization: Vector Solutions dba Envisage Technologies LLC | Email Address: scott.beauregard@vectorsolutions.com
Public Comment:
Watching the committee meeting on 9/12, here are a bunch of things that crossed my mind...

The problem with 3PAO expertise and staffing I think at least partially boils down to the ability to hire auditors. We should acknowledge that auditors do not make the money that engineers make. So if you want cloud engineering skills in your auditor, you have to pay enough to make a cloud engineer actually leave their job and become an auditor. I'd also say that you have to pay enough to get a technical person to devote themselves to documentation, which again is likely to take a bunch of money to make it attractive enough.

FedRAMP has had an agency liaison program, and so I would say that program needs to be further strengthened and expanded. Make merch, have more seminars, let the liaisons host these meetings. Those folks are often paying attention to their career growth as a bureaucrat; try to find carrots to help them see how it benefits them and not just their agency.

Finally for this brain dump, I think that working groups around control bundles need to happen. There needs to be a FIPS working group, a logging working group, a monitoring working group, an account control working group, etc. These working groups could also be tasked with coming up with TLDR / infographic type artifacts, which helps to give out 101-style brochures for agencies, small CSPs, etc.

Row 4 | Created: 09/09/24 11:55 AM | Last Name: Whitlatch | First Name: Colin | Agency/Organization: Kahua, Inc. | Email Address: cwhitlatch@kahua.com
Public Comment:
We would like to highlight the risks we are seeing when FedRAMP solutions are not utilized, and are instead circumvented. There are unnecessary security vulnerabilities and inefficiencies occurring that are counter to the spirit and intent of FedRAMP.

Row 5 | Created: 09/04/24 2:06 PM | Last Name: Beauregard | First Name: Scott | Agency/Organization: Vector Solutions dba Envisage Technologies | Email Address: scott.beauregard@vectorsolutions.com
Public Comment:
One particular barrier that seems to be discussed less is the overhead that OSCAL can add for a small CSP. At scale, OSCAL is an obvious win for PMO, the 3PAO community, and perhaps some of the bigger CSPs. But at the other end of the spectrum, as a CSP that is already authorized, has one single CSO, and isn't a larger corporation, OSCAL is nothing but a headache. We've already done all the box-checking and adjustments that OSCAL might help check out. The implementation statements still need to be written, it does nothing to reduce that effort. And most importantly, most of us currently don't spend any extra amounts on our Office 365 to write SSPs and attachments using Word and Excel or similar tools. Whereas I've yet to see any decent GRC tool that can handle SSP generation and OSCAL that isn't a very expensive SaaS subscription. Most of them are in the tens of thousands per year, and those are the less expensive solutions. The current market trend appears to be to add auto-control-checking features and then charge even more for these tools. Until these authoring tools are available for a reasonable cost, small CSPs will have no positive reason to move to OSCAL. The security-required tools that have to be bought for a FedRAMP system make sense; a higher bar for security is a major point of the program. On the other hand, this is just a documentation-enabling tool, and so making that also a very expensive element is just a barrier to entry for no good reason.

Row 6 | Created: 08/30/24 8:22 AM | Last Name: White | First Name: Tim | Agency/Organization: Sertainty Federal | Email Address: Tim.white@sertainty.com
Public Comment:
The use of technologies that provide security controls outside of the network management layer should be included. Meeting the intent of a control along with identity and access management as well as policy should not be exclusively tied to the network layer. Physical transport and storage hardware is not the only mechanism available to provide IAM and policy enforcement.

Row 7 | Created: 08/14/24 3:33 PM | Last Name: Keim | First Name: Ann Marie | Agency/Organization: A&A4GOV, LLC | Email Address: annmariekeim@lonerockpoint.com
Public Comment:
When a package is submitted to intake@fedramp.gov, included in the response to the CSP should not only be 'there are x number of packages currently being reviewed' but also a timeframe. There was no indication of the status of those currently in process; almost done? just starting? A 2-3 week best guesstimate would be better than not having ANY timeframe to bring to upper management.

Row 8 | Created: 08/08/24 1:13 PM | Last Name: Kota | First Name: Srinath | Email Address: srinath@nephrolife.health
Public Comment:
Priority 1: Addressing Barriers to Entry for CSPs, 3PAOs, and Agencies
A small cloud service provider (CSP) may be overwhelmed by the extensive paperwork and security measures needed. To reduce the entry barrier, we can specify and have minimum risk thresholds and create specific, public baselines. These may include:

Streamlined Documentation: Creating simplified documents on various levels depending on the size and scope of what the CSP offers.

Mentorship Programs: Establishing mentorship or partnership programs where larger FedRAMP-authorized CSPs can assist smaller ones in going through the process.

This approach will not only support small businesses but also stimulate innovation through diversification into federal procurement markets.

Priority 2: Expediting the FedRAMP Authorization Process
Pre-Approved Baseline Controls: Implementing a set of pre-approved baseline controls for common services that CSPs can adopt to fast-track their authorization process.

Row 9 | Created: 08/07/24 4:17 PM | Last Name: Pierce | First Name: Jennifer | Agency/Organization: Singular XQ | Email Address: jp@singularxq.com
Public Comment:
In our first year as a public-facing non-profit, we have gained valuable insights into the federal contracting process and in working among the contractor community. We placed a skilled subcontractor with a bidding organization and we help to navigate contracts for multiple members to other third parties as we serve disabled vets and people with ADA status who want to work in public-facing innovation. This opened our eyes to many things.

Through this experience, we recognize the challenges that small nonprofits face in bidding for contracts, which are the same but different from SBAs. As an organization dedicated to data sovereignty, humanity-centeredness, and human rights in global technology supply chains we gained some insights we will share here.

Our top 5 recommendations:

1) Pilot Programs: Implementing pilot programs that allow innovators to model solutions in low-stakes environments that can provide valuable feedback and exposure, encouraging creativity and experimentation.

2) Financial Support: Offering grants and low-interest loans for startups seeking to enter the bidding process can empower new organizations and diversify the pool of participants.

3) Advocacy Initiatives: Establishing advocacy programs for subcontractors working with approved vendors, particularly those of protected status, can help mitigate predatory hiring practices and promote fair treatment in the industry.

4) Volunteer Engagement: Creating more open avenues for volunteer service and input from qualified members of the public can enrich the federal contracting process and harness diverse perspectives, while also defining roles for nonprofits in contradistinction to for-profit entities.

5) Training and Support: Increasing federally sponsored training and support for subcontractors in areas such as ethics, security, and rights and responsibilities can strengthen the overall integrity of the contracting ecosystem in places where new SBAs may lack resources and talent to provide such training effectively.

We believe there is a unique opportunity to enhance the culture surrounding federal contract bidding, particularly in terms of quality and security controls beyond 2024 in particular. The legislative, executive, and regulatory shifts that have occurred this year provide opportunities to reimagine the space. We see potential for improvement in balancing leniency and efficiency, which can ultimately benefit all stakeholders involved.

Thank you for this opportunity for input. We remain strong supporters of those who choose to serve in public facing innovation efforts in a world that appears to reward profit-seeking over human flourishing. Many of us have had excellent experiences working in and around the federal space and wish to see the best of it grow to new heights in the coming years.

Row 10 | Created: 08/01/24 12:59 PM | Last Name: Keim | First Name: Ann Marie | Agency/Organization: A&A4GOV, LLC | Email Address: annmariekeim@lonerockpoint.com
Public Comment:
1) barriers to entry: the document requirements for FR are overwhelming to small CSPs, especially the requirement to use FR templates for policies/plans. CSPs do not 'speak government-ese'; while they DO have the policies and plans, they are most often in language the CSP teams understand (and follow). Once reformatted into FR template formats, they are no longer useful to the teams and get ignored as anything other than 'check the box' compliance. What SHOULD be offered is a punchlist of items that should (not must) be included in the policies/plans, e.g. steps to include in an IR plan or steps for CP plans, not the dozen roles of teams currently required. Small CSPs do not even have the staff to fill all the teams in the templates. Requiring a set format for templates does nothing to decrease risk or increase security.

1b) that POAM sheet has become extreme. No spreadsheet should have columns that span the alphabet plus more! Agencies can't follow it, it's a huge burden on CSPs and half the information included is contrary to OMB guidance.
Trim that down to ACTIVE POAMS (ONLY those that will be fixed with the associated columns - the definition of POAM - actions and milestones - there IS no action or milestone associated with an A/R or O/R or FP - get them OFF the POAM page) and a separate page for AR/OR with a 3rd page for FPs.

2) agile authorization: many CSPs have multiple certifications (ISO, SOC etc.) and the reciprocal acceptance of the common controls across these multiple certs would help GREATLY in reducing cost, increase efficiencies and speed up the process. There is no reason why AC-2 should have to be assessed 3 different times for 3 different certifications, other than to provide additional income to the 3PAOs.
Cost is a HUGE obstacle to entry into FR. A moderate annual assessment of approximately 200 controls (FR core + 1/3 of remaining) runs $250k PLUS $60-90k for a red team exercise. Reciprocal assessment results would go a long way towards reducing that cost.

Row 11 | Created: 08/01/24 11:31 AM | Last Name: M | First Name: K
Public Comment:
I appreciate the top two priorities that the FSCAC is focusing on.

While I am not authorized to speak on behalf of the organization I ensure FedRAMP compliance for, I have repeatedly run into cost as a concern in implementing existing and new FedRAMP requirements. More so, it is hard to budget for the costs when the requirements aren't clear. The new Red Team Exercises control is an example of this - it was difficult to get quotes as vendors didn't understand the requirement (even with the updated guidance) and the few quotes we did receive were of an amount to give serious pause. I think FedRAMP needs to get an understanding of how much the program costs companies in required 3rd party fees, and then also in-house costs (such as running FIPS modules which have downstream impacts in versioning, compatibility, etc, as well as the GRC overhead for FedRAMP baseline compliance and the ad hoc OMB/ED/BOD requirements).

The second priority of time-to-approval is another important one. Not only does the lengthy time waiting on approval affect the primary offering seeking to join the marketplace, it also affects other offerings that would want to make use of that to be able to obtain (or maintain) their own offering. Examples here are the limited offerings for ticketing systems, scanning engines, security tools, etc. The limited offerings again factor into cost - you either have to go with one of the few FedRAMP authorized products or staff an on-prem solution out of the dwindling options there as more vendors switch to a SaaS only model. OSCAL doesn't have wide adoption and still requires an additional cost investment from agencies and CSPs which is a barrier for programs already wondering how they will continue to afford FedRAMP compliance. From the CSP side, a lot of time and resources are spent trying to divine the answer to how to build compliant flows and systems. Clear documented guidance would help speed things up prior to authorization and during the process.

Thank you for considering this feedback.

Row 12 | Created: 07/30/24 2:01 PM | Last Name: Dietrich | First Name: Chris | Agency/Organization: DOI/BLM | Email Address: cdietrich@blm.gov
Public Comment:
As the BLM migrates its GIS investment to the MS Azure cloud environment, it appears that some systems under the GSS are being made increasingly responsible for security requirements such as MFA for access to data. Some systems have very small management staff (e.g. one person) that are not expert in responding to ZTA requirements being implemented simultaneously with the migration. It would be helpful for bureaus to have resources to help understand ZTA security requirements and also additional resources for developing new solutions to remain compliant.

Row 13 | Created: 07/23/24 8:49 AM | Last Name: Gutwein | First Name: Ryan | Agency/Organization: Lunarline | Email Address: Ryan.gutwein@motorolasolutions.com
Public Comment:
As a senior FedRAMP auditor and experienced cybersecurity professional, I commend the FSCAC’s focus on these critical priorities. The need to lower barriers for Cloud Service Providers (CSPs), particularly small businesses, 3PAOs, and agencies of all sizes, is paramount. Equally important is the goal of streamlining the certification process to make it more efficient and cost-effective.

Priority 1: Identifying Challenges and Proposing Solutions

One significant challenge is the complexity and resource intensity of the FedRAMP authorization process, which can be particularly daunting for small businesses. To address this, I propose several solutions:

• Enhanced Guidance and Support: Provide comprehensive, step-by-step guidance tailored to small businesses. This includes clearer documentation, training resources, and dedicated support channels.
• Mentorship Programs: Establish mentorship programs where experienced CSPs and 3PAOs can support and guide new entrants through the authorization process.
• Community Platforms: Create online forums or platforms where small businesses can share experiences, ask questions, and receive advice from peers and experts.

Priority 2: Streamlining the Certification Process

To streamline the certification process, we must embrace agile authorizations and explore measures to reduce both labor and financial costs. Here are my recommendations:

• Agile Authorization Processes: Adopt agile methodologies to make the authorization process more iterative and responsive. This includes more frequent and smaller assessment cycles, allowing for continuous improvement and quicker turnaround times.
• Cost Reduction Strategies: Implement measures to lower costs, such as standardizing and automating common assessment tasks. This could significantly reduce the burden on both CSPs and 3PAOs.
• Leverage Automation: Encourage the use of automation tools from 3PAOs that can streamline the entire FedRAMP audit workflow. These tools can provide a single pane of glass for managing and automating compliance tasks, reducing manual labor and associated costs.

Row 14 | Created: 05/08/24 4:36 PM | Last Name: Ojuola | First Name: Fabomi | Agency/Organization: CrestPoint Solutions, Inc | Email Address: fojuola@crestpt.com
Public Comment:
There is a double-edged sword in how agencies are pushing for FedRAMP certification, and it could have severe unintended consequences.

For example, the VA is pushing very hard to get cloud offerings certified but not all cloud offerings and not all competing products are treated equally. This could lead to unnecessary litigations in the future.

Further, the VA insists on forbidding the selected CSP from generating new licensing revenue even as the CSP is being asked to foot north of $500,000 to $1 million in certification costs.

A CSP could decide to seek funding from foreign investors which could then create a new layer of risks for the entire federal government.

Is the committee aware of any of these, and what are you doing about it?

If you are unaware of any of the issues, how do you plan to address them going forward?

Respectfully submitted,

Fabomi

Row 15 | Created: 04/23/24 9:20 PM | Last Name: Eldakdoky | First Name: Hazem | Agency/Organization: AWS | Email Address: eldakdoky@gmail.com
Public Comment:
What can be done to expedite the consideration of moving away from static risk triggers associated with vulnerability management that don't take into consideration the volume of endpoints in an environment?

Row 16 | Created: 03/28/24 2:56 PM | Last Name: Keim | First Name: Ann Marie | Agency/Organization: Lone Rock Point (working with WordPress VIP) | Email Address: akeim1@yahoo.com
Public Comment:
Comment regarding issues with specific controls:

FedRAMP adding the Red Team Exercise to the moderate baseline has caused an undue burden on small CSPs. Costs from 3PAOs are ranging from $30-$90k for this exercise ON TOP of the required pen test. Add that to the $255k for an annual assessment and we're close to half a million for an ANNUAL assessment!!

Row 17 | Created: 03/28/24 2:54 PM | Last Name: Keim | First Name: Ann Marie | Agency/Organization: Lone Rock Point (working with WordPress VIP) | Email Address: akeim1@yahoo.com
Public Comment:
A comment about cost of authorization...
An RFP for an annual assessment including new rev 5 controls, FedRAMP core and 1/3 of remaining controls (~200 controls) was put out.
4 responses came in, all within $10 of each other: $245-255k!!! That is a HUGE hit for a small CSP that was budgeting $150k based on the cost of the initial assessment.

Row 18 | Created: 03/12/24 1:10 PM | Last Name: Neidich | First Name: Jim | Agency/Organization: Kratos | Email Address: jim.neidich@kratosdefense.com
Public Comment:
I've been asked to participate from the 3PAO community.

Row 19 | Created: 09/29/23 11:45 AM | Last Name: Berkeley | First Name: Gayle | Agency/Organization: Berkeley Group, LLC | Email Address: gayle@theberkeleys.com
Public Comment:
As a serial FedRAMP sherpa for Cloud Service Providers, I have observed in multiple organizations that aside from bearing the costs associated with implementing FedRAMP, Agency Partnership is one of the most challenging barriers to Authorization. Agencies find it overly burdensome to review thousands of pages of material and technical diagrams to issue ATO Letters, then they must manage ongoing ConMon activity, and they spend too much time post ATO dealing with evaluation of system changes that may not impact them in any way. Multiply Agency partnership by two, three, four, or five partnerships and the burden on CSPs to work with multiple individual Agencies is burdensome as well (although a nice problem to have.)

To increase the government’s adoption of secure cloud services, the Authorization process should move towards a new model that reduces or removes friction where possible for both Agencies and CSPs. Some suggestions:

- An Authorization “JAB-light” should be available to all CSPs so the government can remove the Agency Partnership requirement. This would resolve a significant barrier to bringing secure cloud solutions to market for government.

- Removing the Agency Partnership requirement would also eliminate significant friction for government adoption of secure cloud solutions. Agencies would still perform their required A&A procedures and obtain assistance from CSPs as needed to perform this work, but without the added layers of FedRAMP-specific procedural requirements and time commitment.

- For CSPs, implementing a FedRAMP Security Baseline and having the service offering’s posture fully validated at least annually by a qualified 3PAO should lead more directly to FedRAMP Review, and barring any major concerns, FedRAMP Authorization and Marketplace listing.

- SaaS offerings (features and security posture) are supposed to change and evolve, and services need to be updated on a continual basis to improve both security and functionality. It shouldn’t require multiple layers of review, permission, and approval to make a change that delivers better functionality and value for adopters, provided security posture remains equivalent or better.

- A SaaS solution meeting FedRAMP requirements should be accepted for government use in general vs. tailored to the risk profile or requirements of any single (partnering) agency, which is another reason the Agency Partnership model and significant change processes create added cost and barriers. Treat SaaS more like COTS and it will alleviate both costs and barriers.

- The current backlog to review Authorization packages is a challenge for both CSPs wanting to offer and Agencies wanting to use secure cloud services. Anything that can be done to resolve that backlog and streamline the process to avoid backlogs will benefit all stakeholders.

- Finally, I want to take a minute to say thank you to the entire FedRAMP PMO team; they are a highly helpful, responsive, and service-minded group, and it is always a pleasure to work with them. They are among the finest our government employs.

Thank you for inviting public comment.
Gayle Berkeley

Row 20 | Created: 06/07/23 10:00 AM | Last Name: Prince | First Name: Teri | Agency/Organization: TERIDA LLC | Email Address: tprince@terida.com
Public Comment:
I am writing in respect of the information provided / discussed at the May 25th Federal Secure Cloud Advisory Committee (FSCAC) Meeting in which there was a great deal of discussion of small business and their difficulties funding the costs of FedRAMP.

TERIDA LLC is the smallest small business on the FedRAMP Marketplace – Our FedRAMP sponsor is the United States and we are facing huge costs for the upcoming 3PAO SAR Assessments, and huge costs for the tools and monitoring to maintain our FedRAMP stats. So far we have not found anyone or any program to cover these costs.

Would you provide me with any information that you have available re SBA assistance for FedRAMP expenses?

I had spoken with various financial institutions re SBA loans and they explained that this was not a purpose that they could support. (Cybersecurity is not a fundable item for them.)

I require an emergency loan – my understanding is that this is available to very small women-owned companies – please provide details.
I was also told about DoD / DBA Capital Funding Office and SBIC special purpose funds for these matters – please provide details as well.
Would it be possible to set up a meeting with the SBA rep on the FSAC, Federal Secure Cloud Advisory Committee? I believe his name is Nauman Ansari.

Row 21 | Created: 05/31/23 3:51 PM | Last Name: Shilawat | First Name: Sandeep | Agency/Organization: ADI Infocon LLC | Email Address: shilawat@gmail.com
Public Comment:
I was looking to join this committee as a founder and chair of the WashingtonExec Cloud Council, a Cloud COE member, and also as a member of the Cloud Acquisitions Forum. Also, the Smartsheet form mentioned on the committee's website for the public to join the meeting as an open forum has expired. The next meeting mentioned is a meeting in the past.

In the past I have spoken to Sonny Hashmi about it when he was keynote speaker at one of our Cloud Council meetings. Let me know if there is a way to join this forum.

My brief bio is attached herewith.

Thank you
Sandeep Shilawat
www.linkedin.com/in/shilawat

Row 22 | Created: 05/18/23 12:00 PM | Last Name: Ruff | First Name: Tom | Agency/Organization: Deep Water Point and Associates | Email Address: tom.ruff@dwpassociates.com
Public Comment:
With the recent mandate for which FedRAMP has now become law, there will no doubt be an increase in the number of companies seeking FedRAMP accreditation. The increase will need to be handled via the Agency Sponsors, yet the backlog of companies in FedRAMP Ready state continues to grow. What incentives can be put in place for Agencies / Government employees to take on more sponsorships? Additional accreditations drive innovation, which makes our government / country more secure and competitive.

Row 23 | Created: 05/17/23 8:20 AM | Last Name: Weiler | First Name: John | Agency/Organization: IT Acquisition Advisory Council | Email Address: john.weiler@IT-AAC.org
Public Comment:
As one of the co-authors of both OMB's Cloud First and Cloud Smart policies, architect of FITARA, and the principal architect of DOD's Cloud Broker Framework, we at the IT-AAC see significant opportunities to accelerate IT Modernization and Digital Transformation across the Public Sector. We also have concerns with long-standing barriers to innovation and change that continue to impede progress if not addressed:
1) Federal IT Workforce talent gaps that are leading to outsourcing of critical thinking and inherently governmental functions to large contractors with profit motives.
2) Limited access to emerging commercial best practices, lessons learned and innovations being driven out of Fortune 500 and Silicon Valley. RFI and Market Research efforts are only reaching traditional suppliers.
3) Limited embrace of advanced portfolio management and application refactoring tools that are needed to make Cloud migration cost effective. Huge source of avoidable waste.
4) Unrestricted revolving door and influence peddling is undermining Fair and Open Competition as seen with JEDI Cloud and C2S. EO 14036 and FAR 9.5 need better enforcement.
5) Lack of enforcement of FAR Part 35 that should prohibit FFRDCs from unfairly competing with SMBs, and this too needs attention.

Row 24 | Created: 05/11/23 9:57 PM | Last Name: Pal | First Name: Gaurav | Agency/Organization: stackArmor, Inc | Email Address: gpal@stackArmor.com
Public Comment:
I am very happy about the formation of the Federal Secure Cloud Advisory Committee (FSCAC) and for the opportunity to participate in the process to help improve and enhance the FedRAMP program.

I would like to offer that the FSCAC should consider ways to facilitate the availability of FedRAMP P-ATO sponsorships or to help make it easier to find Initiating Agencies for Commercial ISVs. The inability to find sponsors is a challenging problem for innovative commercial cloud service providers that discourages many participants from offering their solutions to the Federal cloud marketplace.

Also, the FSCAC should consider ways that Small Businesses could have a fast-track pathway for FedRAMP P-ATOs to allow for new and nimble solution providers to participate in the rapidly growing Federal cloud marketplace. Perhaps a collaboration between SBA and GSA while using existing financial incentive programs or loans could be used to pay for the initial preparation and assessment.

I appreciate the opportunity to participate in the FSCAC meeting and would be happy to be a resource to continue to assist based on my nearly decade-plus association with the FedRAMP program.

Very respectfully,
GP
Gaurav Pal