Comments are closed. Will the FedRAMP program actually get updated?
An update to the long-running cloud-computing security program known as FedRAMP has entered a new phase. Comments closed Friday, and now the authorities at the General Services Administration and the Office of Management and Budget are percolating. To find out what the industry is hoping for, the Federal Drive with Tom Temin spoke with Stephanie Kostro, the Executive Vice President for Policy at the Professional Services Council.
Interview Transcript:
Tom Temin And Stephanie, before we get to FedRAMP, I just want to get what the contractor community is thinking about the seemingly headlong rush toward either another CR or, coming from the mouths of members of Congress themselves, a shutdown.
Stephanie Kostro Well, thanks again for having me, Tom, and it’s a pleasure to be here for the last show that I’ll be on for 2023. You raise a very, very interesting point about the chatter that we’re hearing both on the Hill and in the executive branch. And of course, we are always chattering here in the private sector wondering what the government’s going to be doing. I will note that back in early December, Speaker [Mike] Johnson (R-La.) sent out what we call a Dear Colleague letter to every member of Congress saying that he is not supportive of what he calls, quote, any further short term extensions, end quote. And that leaves open the possibility of full year appropriations or a long term CR; it doesn’t close the door on a full year continuing resolution. And if you were a betting person, the smart money would be on having exactly that, a long term continuing resolution. A couple of other points I’d like to remind folks of, particularly in the contracting world, is that there are two separate deadlines for the current CRs. One is for Veterans Affairs, Agriculture, Energy, Water and what we call T-HUD, which is Transportation, Housing and Urban Development. That deadline is Jan. 19. A few weeks later, the CR for the rest of the government expires. And so we’ve got this interesting dynamic that we could be under a partial shutdown come Jan. 19 if we don’t have another CR in any form, short or long term. This dynamic is something that we’re watching very, very closely, and we are scrubbing to make sure we know what programs are included in that earlier deadline.
Tom Temin I think in some sense, people would almost prefer a short shutdown followed by appropriations, than a full year continuing resolution.
Stephanie Kostro I think it’s fair to say that some people would welcome that. The other piece that overlays all of this is the Fiscal Responsibility Act that passed last June. That has a couple of interesting pieces to it that we are still working through. One is, if we don’t have full year appropriations by Dec. 31, which we won’t, there are automatic cuts to spending. And then if we don’t have the 12 bills passed for their full year appropriations by April 30, there’s going to be, at least as Congress is calling it, appropriations process sequestration, where all nonexempt programs are subject to a cut. These are not small cuts. We are looking at something on the order of $130 to $150 billion here in FY24 that are really going to be tough. And I’ll give you an example, Tom. One of the exempt programs that the president has indicated will continue to be exempt is military personnel. So DoD is subject to a cut like the rest of the government; with sequestration you don’t get a choice where programs are cut, everyone gets cut. A lot of the cut will be borne by contracts. It’s not going to be in the military personnel accounts. So anything that would have been cut from those accounts gets shifted over, probably to contractors. So we are watching very, very closely to see what happens with the sequestration piece here in calendar ’24.
Tom Temin And getting back to the question of a full year CR, unlike a temporary shutdown, which would be a rolling affair, this would be for the year, the cuts would simply apply across the board, except for those exempt programs you mentioned.
Stephanie Kostro Exactly right.
Tom Temin Contractors, then, must be battening down the hatches in many ways.
Stephanie Kostro We are recommending that PSC member companies look very carefully at what their programs can sustain. One other element that I want to throw into this mix, Tom, is we’ve been hearing again chatter about how the Hill is negotiating border security, immigration policy, etc. And I understand that folks on the Hill are going to the White House and saying you can take executive action in this area. You don’t need to wait for legislation. But what’s all tied up in that is the supplemental piece of the appropriations pie. And that is to say the White House back in October asked for $61 billion for Ukraine, $13 billion for border security, etc. All of that will be nonexempt. So anything cut, even if they happen to pass appropriations for these areas like Ukraine, like border security, those are subject to cuts as well. And so that’s something that we’ve got to keep in mind.
Tom Temin We’re speaking with Stephanie Kostro, executive vice president for policy at the Professional Services Council. And let’s get to FedRAMP now. Again, the comments are in, people have made what they want to say about these; OMB, I guess, is the main authority here on how this program will be updated. What are you hoping for?
Stephanie Kostro OMB circulated a draft memo that contained guidance for FedRAMP, which is the Federal Risk and Authorization Management Program, mostly managed by GSA. They received more than 200 sets of comments; PSC is among those. What we are looking for mostly is more collaborative engagement with industry. Let’s be honest, Tom, cyberspace is fast evolving, and that cannot necessarily be said of government bureaucracy. So when we look at authorization pathways, when we look at continuous monitoring of cloud services, we really have to have very close collaboration so that the government can understand what industry is seeing in the threat domain, but also what cloud service capabilities are and how quickly they are evolving. And so PSC and our member companies are really looking for closer coordination and collaboration, real cooperation between the government and the industry that supports it.
Tom Temin In many ways, it seems like FedRAMP has evolved away from, at least to some degree, its original idea, which was that if something is certified for use by this agency because of the FedRAMP process, then everyone else can rest assured that they too can use that cloud service. But that’s not how it’s actually worked out. It’s almost like security clearance where you have it for the CIA, but it’s not good enough for the NSA.
Stephanie Kostro Well, reciprocity, Tom, is something that is addressed a lot in this OMB draft memo. And I would mention that OMB was under no requirement to circulate this publicly for comment. So we welcomed the opportunity to give them some real feedback on this draft memo before it goes final. Reciprocity, when you talk about what FedRAMP authorizes, and then there are individual agency authorizers. And so the question then becomes, if one entity authorizes it, is that authorization still good for other entities? And so this new memo talks about that. It talks about the FedRAMP board, it talks about GSA’s role. And we’re really looking forward to seeing how this gets implemented. And again, highlighting how important it is to have these iterative conversations with contractors so that they’re not stuck in some sort of inflexible regime, and so that we can actually evolve as the threat evolves.
Tom Temin And finally, Stephanie, just before Christmas, I guess, and dated yesterday, the proposed rule on the Cybersecurity Maturity Model Certification program, long awaited by the industry was issued from the Defense Department. What’s the early take on it from the contractor standpoint?
Stephanie Kostro Glad you mentioned the timing of all this, Tom, because it really is an early Christmas present or a day-after-Christmas present, depending on whether you tie yourself to publication. But in discussions with industry about this, the overall sentiment is that it’s about time. And I mean that in a couple of ways. The CMMC interim rule came out in late 2020, just over three years ago, and the administration at that time was in no hurry to incorporate language into contracts. And then the Biden administration came in and began a review of the CMMC program writ large. And so we’ve been in a holding pattern for just about three years now as industry. And it’s a common refrain among those of us at PSC that America’s contractors need a consistent approach to cybersecurity, and we also need time to implement the proposed rules. So digesting several hundred pages over the holidays is a good start. But again, this is the beginning of the conversation, with a proposed rule. And we’ve got a couple of points that we’ve been iterating with our contractor community.
Tom Temin What are those points?
Stephanie Kostro Well, I’m glad you asked. Again, on that theme of it’s about time: we took a pause in terms of CMMC, but the threat did not take a pause. And what we are seeing in trends in cybersecurity now is fundamentally different from what we were seeing three years ago when the interim rule was published. And of course it’s going to be different three years in the future from now. And so we’re really looking at how CMMC itself can evolve as a program, and how the requirements can have the flexibility so that contractors can meet the threat, whatever it is, wherever it is and whenever it occurs. The second point that we’re highlighting with folks is the CMMC proposed rule seems to be significantly focused on technical data for weapons systems, and as representatives of the services industry, we are over here jumping up and down saying don’t forget about where the threat is growing in our arena, and that is to say cybersecurity and cyber vulnerabilities are growing potentially in the services area. And so we’re looking to see how CMMC can adapt to not just weapons systems but to services. Another point is flow down. In our world we have lots and lots of subcontractors, and so a subcontractor that is working at a fifth sub-tier level or the tenth sub-tier level may not actually know they’re on a Department of Defense contract. They’re certainly not going to certify that they are CMMC compliant. And so how do we address the flow down of these requirements? And finally, this is a point, Tom, that I know is familiar to you because we’ve made it before on your show, and that is to say we have defense contractors in our community and we have contractors who work primarily with civilian agencies. But many contractors operate with both defense and civilian agencies. And so what CMMC is, is a DoD requirement coming down the pike that defense contractors have to comply with.
They’re going to incur costs that their civilian counterparts are not necessarily going to incur, because VA, for example, won’t have the same requirements. HHS, DHS, they won’t have the same requirements. So what happens to those contractors who work in both of those spaces, incurring costs to comply with DoD and running up their costs when they’re trying to bid for civilian agency contracts?
Tom Temin All right. So lots to dissect here. And above all, read them and make your comments and get them in.
Stephanie Kostro Within the 60-day comment period. I’ve heard word that people will be asking for more time. I think that might be reasonable in this case, because it is hundreds of pages to digest. But yeah, send in lots of comments, because this is an area of a lot of long awaited changes. So we’re reading it with bated breath.