Page 9 - FCW, August 2019

$671 million is the FTC fine levied against Equifax for the 2017 breach that exposed more than 147 million Americans’ data
Connolly pushes for new bill to reform FedRAMP
Even though the federal government’s program to evaluate and authorize cloud service providers’ offerings has made significant strides, some lawmakers believe legislation is needed to address the program’s ongoing weaknesses.
Some companies that have undergone the often-lengthy approval process under the Federal Risk and Authorization Management Program told lawmakers in July that the process is difficult to understand and many agencies are still not uniformly accepting the approvals. Those complaints have dogged FedRAMP since its inception.
During a hearing held by the House Oversight and Reform Committee’s Government Operations Subcommittee, Virtru CTO Will Ackerly said his company probably wouldn’t have made it through the FedRAMP approval process without the help of advocates at federal agencies. It took 20 months and cost $1.6 million for the company’s product to achieve authorization, he added, and Virtru must also spend $150,000 to $200,000 a year to maintain the certification.
Subcommittee Chairman Gerry Connolly (D-Va.) said FedRAMP was created to address those issues. But “what was supposed to be a six-month process costing $250,000 instead could take years and cost a company millions of dollars,” he added.
He and the vendors testifying at the hearing commended FedRAMP for making significant progress. Nevertheless, Connolly said new legislation is needed to define roles and ensure that FedRAMP’s Joint Authorization Board and agencies accept one another’s authorities to operate.
The board’s ATOs should “be accepted at all [agency] windows,” Connolly said, while agency ATOs could be more readily reused without starting from scratch.
Anil Cheriyan, director of the General Services Administration’s Technology Transformation Services, told the committee that in fiscal 2018, FedRAMP issued about 40 authorizations, including provisional ATOs. By contrast, it took three years for the program to issue its first 40 ATOs.
Currently, 143 cloud products from 115 companies have been authorized, with 69 more ATOs in progress.
Department of Health and Human Services CIO Jose Arrieta said FedRAMP has been essential to his agency’s efforts to make all of its data more transparent and usable and has been a linchpin in the agency’s IT modernization initiatives.
Despite those successes, Connolly and Rep. Mark Meadows (R-N.C.) are drafting a bill, with industry input, that will instill more discipline into the process. The two lawmakers had introduced a FedRAMP reform bill last year, but it never made it out of the House.
According to Connolly, the new legislation will codify and define the roles and responsibilities of federal agencies and third-party assessment organizations; address how to further reduce the long approval times for applicants, particularly small businesses; tackle the uneven application of vendors’ ATOs across federal agencies; and establish metrics for time, costs and assessment quality.
— Mark Rockwell
(Pictured: Rep. Gerry Connolly)
DOD scouts military bases for 5G testing
CIO Dana Deasy said the Defense Department is putting together a list of military bases where officials can test 5G technology and potentially keep those capabilities in place after testing.
“One of the things we want to do is not just go in there and do experimentation and pull it out but to actually leave a capability behind that the bases can continue to use from the 5G standpoint,” he said.
However, as with most emerging technology, 5G raises concerns about supply chain security, especially since one of the biggest suppliers of the technology — Huawei — reportedly has ties to the Chinese government.
Although the U.S. isn’t necessarily at a disadvantage with 5G, it needs to consider building more technology domestically, Deasy said.
“As a nation we do need to step up and look very strongly at how we create more domestic capability” at the chip, application, integration and infrastructure levels, he added.
“All forms of telecommunication are going to be a part of the global market,” Deasy said. “There are international players that we’re concerned about, [but] I don’t think it’s an end-all game. I don’t think we’re too late to the party here.... There will be a constant leapfrogging.”
— Lauren C. Williams