
Proposed Cloud Security Advisory Council Would Be Exempt From Transparency Rules

Legislation moving through Congress would create a council to provide industry input on the government’s cloud security certification program. The group wouldn’t be required to follow transparency rules typically applied under the Federal Advisory Committee Act.

“Certainly, I’m disappointed to see [these exemptions] creeping into legislation,” Sean Moulton, senior policy analyst with the Project on Government Oversight, told Nextgov. “It’s incumbent upon Congress to push the agencies to be as public and accountable as possible, even in a cybersecurity context because from the agency’s perspective it’s easier to [get input] in a simpler, streamlined way with less oversight. And so, we really need Congress, acting as a check and balance on the agencies, to say, ‘No, it’s more work, it’s harder, we get it, but we’re going to require you to do it this way as much as you can.’”

The Federal Risk and Authorization Management Program, or FedRAMP, has been around for a decade, supported by each administration since President Obama. It aims to increase federal agencies’ use of cloud services while avoiding security pitfalls by pre-approving their vendors. But the Government Accountability Office has noted lackluster uptake by agencies associated with unclear guidance from the General Services Administration and insufficient oversight by the Office of Management and Budget.

On Dec. 15, the Senate Homeland Security and Governmental Affairs Committee passed the bipartisan Federal Secure Cloud Improvement and Jobs Act of 2021, which would give FedRAMP the force of law and officially make space for industry input into how the program is operated through a Federal Secure Cloud Advisory Committee.

The committee would not be subject to the FACA, which requires advance notification and records of publicly held meetings with balanced membership.

The legislation gives a lot of power to the administrator of GSA. The administrator would have the final say on whether a vendor is allowed to use a certain third-party assessment organization to verify its security claims, for example. That’s a major area of concern for lawmakers worried about the influence of China, where some industry-approved security certifiers have ties. The content of the advisory committee’s meetings might provide insight into how those and other critical decisions about the program are made, if not for the exemption.

It is possible to use the Freedom of Information Act to access committee proceedings, but Moulton said he wouldn’t count on it. 

“You can FOIA, but my guess is it would still be a long cumbersome process because if the agency is claiming some sort of national security reasons why they can’t discuss it publicly, they’re going to use a similar claim in trying to withhold most of the information in the FOIA,” he said. There’s also the possibility of taking a case to court, “but most people can’t really pursue it to that extent.”

The FACA rules create a burden for agencies, Moulton said. “I can tell you from having talked to agency personnel, they definitely resist the complications that a FACA committee brings. In general, there’s been a long-time trend … there have been a lot of ways to avoid transparency and accountability, and I think these are just kind of the latest.”

Industry also stands to benefit from the cloak provided by FACA exemptions, Moulton said, noting that even FACA committees—such as one recently created to advise Cybersecurity and Infrastructure Security Agency Director Jen Easterly—tend to rely too heavily on the private sector, rather than on academics and public-sector experts.

The composition of the advisory committee described in the FedRAMP legislation would include a nearly even number of private sector members and government officials. But “companies really could benefit a great deal by having this kind of private pipeline to an agency,” Moulton said. 

FACA exemptions are common in key cybersecurity policy forums. The Enduring Security Framework, which facilitates input from members of the defense industrial base; the Information and Communications Technology Supply Chain Risk Management task force; and the Cyber Incident Data and Analysis Working Group, which spent years weighing input from the insurance industry, were all established under the Critical Infrastructure Partnership Advisory Council. CIPACs are exempt from FACA requirements under the authority of the Homeland Security Act of 2002 due to the discussion of “sensitive” information.

But Moulton says that’s not really a good excuse for not allowing at least some public access to the meetings. He said the groups could, for example, establish subcommittees that report up to the larger committee while remaining mindful of national security.

“The idea that security is unmanageable inside a FACA process is just simply false,” he said. 

Offices of the Senate Homeland Security Committee chair and ranking member did not respond to a request for comment.

source: NextGov