Communications Litigation Today was a Warren News publication.
Compliance Deadline Near

Issa Vows Oversight of Federal Cloud Cybersecurity Procurement Rules Rollout

The House Oversight Committee will view any federal agency that doesn’t begin requiring all cloud service providers (CSPs) to abide by the Federal Risk and Authorization Management Program (FedRAMP) as an “ineligible player in the bidding process,” once a sufficient pool of vendors is FedRAMP compliant, said committee Chairman Darrell Issa, R-Calif., Tuesday.

CSPs are required to be at least in the process of becoming compliant with FedRAMP -- but not necessarily agency-approved -- by June 5 in order to be eligible to participate in the federal IT procurement process. Issa vowed at a Cloud Computing Caucus Advisory Group (CCCAG) event to reintroduce the Federal Information Technology Acquisition Reform Act (HR-1232), which would revamp the federal government’s IT procurement rules, as part of the National Defense Authorization Act’s Fiscal Year 2015 reauthorization (HR-4435). HR-1232 passed the House in February. Issa and House Oversight ranking member Gerry Connolly, D-Va., had attached the language in HR-1232 to the FY 2014 NDAA, but House Armed Services removed it from the draft of that reauthorization.

Congress will hold hearings on the FedRAMP rollout even if HR-1232 stalls, though providing that accountability remains essential, Issa said. “It is our responsibility to ensure that no administration can essentially pick and choose whether or not to go with” FedRAMP-certified vendors, he said. Connolly said he would also continue to push for further progress on HR-1232, saying the federal government “can and must do better” with screening vendors during the IT procurement process. “I wish I could say the rollout of the Healthcare.gov website last fall was a unique thing -- it was not,” he said. “It actually characterizes a lot of large IT procurements by the federal government.”

If federal agencies aren’t viewed as mandating FedRAMP compliance, CSPs “are going to stop lining up” to go through the certification process, said CCCAG board member Steve O'Keefe. “These companies have spent millions of dollars to obtain their certifications” and spend more to maintain certification, so “if there is no return on investment, then there will be no investment,” he said. “The FedRAMP process is anything but secure. If [the Office of Management and Budget] turns a blind eye, if the federal agencies don’t specify FedRAMP in their RFPs, if CSPs don’t see a significant revenue stream … the whole thing is in danger of crumbling under its own weight.”

Navy Chief Information Officer Terry Halvorsen said he’s unsure if FedRAMP is the best answer long-term, “but it’s a good start.” Halvorsen, who’s to become the Department of Defense’s acting CIO Wednesday, said he believes there should be a move toward a broader standard that applies beyond the government. “We've got to raise the national bar,” he said. The “life or death” of FedRAMP will be decided by whether there’s a good business case for CSPs, and for the third-party assessment organizations that evaluate government cloud initiatives for FedRAMP compliance, to continue being involved in the long term, said Matthew Scholl, deputy chief of the National Institute of Standards and Technology’s Computer Security Division.