
5/15 FAB Community Call

Notable Conversation Points

  • Julie shared interesting updates from GSA. These updates have not been made public, so the specifics will not be shared via these notes. The main things to understand:
    • GSA is actively planning to improve the ease with which CSPs can go through FedRAMP even without a sponsor (like FedRAMP Ready, but way better).
    • Easier collaboration across agencies for joint authorizations is on the roadmap.
  • We will attempt to contact FSCAC members to open a communication channel.
  • Deeper discussions on challenges with the PMO and 3PAOs
  • Julie will be seeking outside counsel to assist with forming a charity non-profit as the holding entity for this effort. The goal is to be able to facilitate corporate contributions to the group. Sophos is likely to be willing to absorb the cost of these expenditures.
 

PMO Challenges

  • Often the communication loop feels like a game of telephone
    • The CSP has a nuanced question, the 3PAO inquires with the PMO, and the PMO relays feedback back to the 3PAO and then back to the CSP. This has been a source of faulty guidance.
    • Sometimes when a 3PAO submits work for other clients, the PMO will provide feedback, which can sometimes be relayed back to CSPs that were not part of the original inquiry.
    • For one of our members, there have been at least four instances of having to redo substantial work since January 2023
  • There needs to be more internal consistency and communication within the PMO.
    • One CSP was given the green light on some unencrypted communications “behind the wall” by a 3PAO by way of the PMO. This guidance was changed within one calendar week to being no longer acceptable. During a subsequent call, the PMO members seemed confused about who provided guidance and then opted to deny that approach without explanation.
    • In another PMO interaction, a CSP received guidance that encryption in transit wasn’t needed across all internal-only apps. This guidance was changed suddenly, and a contrived explanation was given that there was a concern about insider threats within the public cloud provider (without further detail).
  • There have been multiple anecdotal accounts of odd behavior
    • In one “final” PMO meeting, the PMO seemed to be aggressively critical of the CSP’s package, only to suddenly change sentiment in the final five minutes of the meeting, when congratulations were given to the CSP.
    • In another encounter, it was suggested to a CSP aiming for a moderate authorization that they might consider a low authorization so they could pass immediately.

3PAO Challenges

  • QA teams generally seem to operate on more recently updated guidance than auditors do.
  • Auditors often lack a base level of technical knowledge.
    • In one instance, a CSP voluntarily trained an auditor on Python for about six months to properly understand how the CSP was approaching a particular set of controls.
    • In another, a physical nitro board had to be physically demonstrated to auditors to achieve understanding.
  • Auditors seem familiar with AWS, somewhat with Azure, and very little with GCP, leading to frustration in explaining architectures and approaches to various controls.

Wishes

Wish List Item 1: An open database of specific guidance given by the PMO

  • Given the volume of advice, regardless of consistency, all members agreed it would be beneficial if the PMO provided an official FedRAMP database of guidance. This guidance could be anonymized and devoid of any CSP-specific details, and it would prove tremendously helpful in addressing many concerns.

Wish List Item 2: An appeals process for PMO guidance.

  • Often guidance is given which runs counter to the mission of FedRAMP and provides no material value to the cybersecurity posture of a CSP.
  • A process by which a CSP can formally appeal PMO guidance would be constructive.
  • The process should allow the CSP to demonstrate their reasoning. Ideally, the final decision would provide a comprehensive explanation of why the appeal was denied or a statement of agreement with the CSP’s reasoning.

Next Steps

  • Julie will publish first article
  • Julie will seek a guest speaker, ideally Brian Conrad
  • Julie to engage outside counsel on charity entity
  • Nathan to coordinate with Rob on ACT-IAC conversation