Tuesday, July 16, 2024 from 8:00 a.m. to 12:00 p.m. Eastern time
Virtual via Zoom (view recording)
Call to Order
Michelle White, FSCAC Designated Federal Officer
Michelle White called the meeting to order. She welcomed members of the public attending, thanked those who submitted public comments, and reviewed the Federal Advisory Committee Act (FACA) processes that FSCAC is subject to. Michelle reviewed the purpose, outcomes, and agenda for the meeting.
Roll call
- Larry Hale – Present
- Bo Berlas – Present
- Branko Bokan – Present
- Daniel Pane – Present
- Bill Hunt – Present
- Carlton Harris – Present
- Kayla Underkoffler – Present
- Josh Krueger – Present
- Joshua Cohen – Present
- Matt Scholl – Not Present
- Nauman Ansari – Present
- Jackie Snouffer – Present
- La Monte Yarborough – Present
- Marci Womack – Present
- Mike Vacirca – Present
Public comment
Members of the Public
There was one public comment from Teri Prince, CEO of Terida. She discussed the difficulties that small business CSPs and their stakeholders face in the review process and reiterated her CSP’s commitment to FedRAMP.
Larry Hale provided a recap of the previous FSCAC meeting and noted that the GSA Administrator added two priorities to those that were agreed upon in the previous meeting. He noted that FSCAC will develop recommendations on all four priorities and will submit them as part of this year’s report to the GSA Administrator. The two new priorities that have been added to FSCAC’s list of priorities for this year are:
- Identify best practices and recommendations on how FedRAMP can make progress with commercial reciprocity using different security frameworks (e.g., PCI DSS and SOC 2 Type 2).
- Identify what is needed to support OSCAL adoption and if there are any barriers to OSCAL interoperability within the CSP and agency GRC ecosystem that need to be addressed.
FedRAMP updates
Ryan Palmer, Zaree Singer, Ryan Hoesing, and Dave Waltermire
Members of the FedRAMP team gave updates on several key areas: the Emerging Technology Prioritization Framework, the Agile Delivery Pilot, the new automation website, hiring status, and the Technical Advisory Group. The team also presented areas in which FSCAC members can assist the FedRAMP team.
Committee Q&A
FSCAC Membership & Ryan Palmer, Zaree Singer, Ryan Hoesing, and Dave Waltermire
FedRAMP team members took questions from the FSCAC membership. Common themes were the emerging technology framework, the Technical Advisory Group, potential security controls, and the agile delivery pilot.
Draft FedRAMP memo updates
Office of Management and Budget (OMB) Representative – Drew Myklegard and Laura Gerhardt
Drew Myklegard and Laura Gerhardt gave an update on the status of the final OMB memo. They are working diligently to get the final memo published. They then took questions about the status of the memo from FSCAC.
Committee Q&A
The Committee asked whether milestones for program authorizations have been hit, what role the FedRAMP Board has after OMB sets the policy, and what the timeline is for release of the draft FedRAMP memo.
Deliberations: develop approach and plan for finalizing recommendations
FSCAC membership
FSCAC deliberated on the final wording of their four priorities, including combining the sub-priorities previously listed under priorities 1 and 2. Their final priorities list for this year includes:
- Identify and publicly document top challenges and propose solutions around the barrier to entry for CSPs (with a focus on small businesses), 3PAOs, small & large agencies, e.g. ensure minimum risk threshold / minimum acceptability standardized baselines for sponsoring agencies and 3PAOs.
- Identify and publicly document ways to expedite the authorization process for CSOs – explore agile authorizations and other potential cost reductions, both labor and financial, with a focus on small businesses, e.g. ensure minimum risk threshold / minimum acceptability standardized baselines for sponsoring agencies and 3PAOs.
- Identify and publicly document best practices and recommendations on how FedRAMP can make progress with commercial reciprocity using different security frameworks (e.g., PCI DSS and SOC 2 Type 2).
- Identify and publicly document what is needed to support OSCAL adoption and if there are any barriers to OSCAL interoperability within the CSP and agency GRC ecosystem that need to be addressed.
They then voted on whether or not to work on finalizing their recommendations as a group or as subcommittees. Based on the vote, they decided to work on the final recommendation as a group. They also discussed how to best send and receive information during their upcoming meetings and determined that the public comment process was beneficial, but that discussing meetings on social media before they happen could also improve public comment engagement.
Since they will not be breaking into subcommittees, the group deliberated on whether they would prefer to present independent drafts in open meetings or draft as a group in open meetings. They determined that the most efficient approach would be to perform independent research, have individuals volunteer to write certain sections of the deliverable, and then present their individual drafts in an open meeting for discussion and deliberation.
Larry Hale stated he would take the action to recommend to the GSA Administrator to ask FedRAMP to provide more clarity on outstanding items that are needed in the community immediately.
Finally, the group voted to begin working on priorities 1 and 2 first, and the motion was approved.
Vote: Motion by Larry Hale to work together as a full committee in finalizing their recommendations. Seconded by Bill Hunt.
- Larry Hale – In favor
- Bo Berlas – In favor
- Branko Bokan – In favor
- Daniel Pane – In favor
- Bill Hunt – In favor
- Carlton Harris – In favor
- Kayla Underkoffler – In favor
- Josh Krueger – In favor
- Joshua Cohen – In favor
- Matt Scholl – Absent
- Nauman Ansari – In favor
- Jackie Snouffer – In favor
- La Monte Yarborough – In favor
- Marci Womack – In favor
- Mike Vacirca – In favor
Vote: Motion by Jackie Snouffer to begin working on priorities 1 and 2 first. Seconded by Daniel Pane.
- Larry Hale – In favor
- Bo Berlas – In favor
- Branko Bokan – In favor
- Daniel Pane – In favor
- Bill Hunt – In favor
- Carlton Harris – In favor
- Kayla Underkoffler – In favor
- Josh Krueger – In favor
- Joshua Cohen – In favor
- Matt Scholl – Absent
- Nauman Ansari – In favor
- Jackie Snouffer – In favor
- La Monte Yarborough – In favor
- Marci Womack – In favor
- Mike Vacirca – In favor
Closing Remarks & Adjournment
Larry Hale, FSCAC Chair, and Michelle White, FSCAC DFO
Larry Hale thanked the Committee for their thoughts and engagement today. Michelle White adjourned the meeting at 11:51 a.m. EST.
Committee members in attendance
- Larry Hale (Chair)
- Bill Hunt
- Bo Berlas
- Branko Bokan
- Daniel Pane
- Jackie Snouffer
- Carlton Harris
- Kayla Underkoffler
- Josh Krueger
- Joshua Cohen
- La Monte Yarborough
- Marci Womack
- Michael Vacirca
- Nauman Ansari
Committee members absent
- Matt Scholl
Guest speakers and presenters
- Ryan Hoesing, FedRAMP
- Ryan Palmer, FedRAMP
- Zaree Singer, FedRAMP
- Dave Waltermire, FedRAMP
- Drew Myklegard, OMB
FSCAC staff present
- Michelle White, Designated Federal Officer
- D’Arcy Steiner, FSCAC Support Team
- Taylor Juneau, FSCAC Support Team
- Theresa West, FSCAC Support Team
- Maggie McKenna, FSCAC Support Team
- Megan Gallo, FSCAC Support Team
- Jake Ahearn, FSCAC Support Team
- MacKenzie Robertson, GSA
GSA staff present
- John Hamilton, FedRAMP
- Eric Mill, GSA
Members of the public present
- Tom Alal
- Drew Scherer, Carahsoft
- Tyler Hardy, Elevate Government Affairs
- Jen Carlson, FedRAMP/Noblis
- Bill Fanelli, FedRAMP/Noblis
- Ty McKeiver, International Trade Administration
- Darren Milligan, International Trade Administration
- Christopher Ales, Captioner
- Jacob Livesay, Inside Washington Publishers News
- Tanner Spires, A2LA
- Randall Querry, A2LA
- Cynthia Bergevin, FedRAMP/Noblis
- Ben Fowler, FedRAMP/Noblis
- Natasha Harrington, FedRAMP/Noblis
- Alla Seiffert, Amazon
- Aaron Hamlin, Armavel
- Taimur Masood, Microsoft
- Christian Baer, Schellman
- John Scano, Lookout
- Mark Judd, Broadcom
- Sanjiev Chatopadhya, Broadcom
- Hariom Singh, Broadcom
- Jeremy Soehnlin, Broadcom
- Paul Caron, Microsoft
- Daniel Roberti, Google
- Roger Gaffey, IBM
- Laura Navaratnam, CSP-AB
- Lee Neeper, A-Lign
- David Clevenger, Fortreum
- Jorden Foster, Coalfire
- Matt Hungate, Schellman
- Laurie Southerton, FedRAMP/Noblis
- Shiva Alipour, FedRAMP/The Clearing
- Mirium Abreu, CGI Risk
- Teri Marlene Prince, Terida
- Madison Cevallos, Gordian
- Dawn Grundmeyer, Ericsson
- Jessica Salmoiraghi, BSA
- Pete Waterman, PWX
- Dr. Maxine Henry, Cyvient
- Adam Simpkins, Guidehouse
- Ashley Kamauf, A2LA
- Robert Cooper, Palo Alto Networks
- Chelsey Hickman, WSW DC
- Christine Briggs, Coalfire
- Bruce Neuner, Chelco
- Jason Butterfield, TTB
- Karen Thorne
- Josh Blaher, Red Hat
- Greg Caldwell, FRB
- Wesley Callahan, DRT Strategies
- Theodosia Villatoro-Sorto, FMSHRC
- Tim Rund, Alvesta
- Daisey Joan Diaz
- Adam Clater, Red Hat