Cyber

Cybersecurity expert warns over foreign influence in Senate FedRAMP hearing

Chain Security CEO Jeff Stern says his company identified at least one case in which a FedRAMP assessor was operated by a foreign entity.

By John Hewitt Jones

November 30, 2021

WASHINGTON, DC - AUGUST 02: The U.S. Capitol Dome is illuminated by the sunset on August 02, 2021 in Washington, DC. The Senate has moved on to the amendments process this week for the legislative text of the $1 trillion infrastructure bill, which aims to fund improvements to roads, bridges, dams, climate resiliency and broadband internet. (Photo by Anna Moneymaker/Getty Images)

A witness testifying at a Senate committee hearing over proposed FedRAMP reforms raised concerns Tuesday over foreign influence and called for stricter transparency requirements for third-party assessor organizations.

Jeff Stern, CEO of cybersecurity firm Chain Security, called for an expansion of the definition of system security boundaries and said his company had identified at least one case where a third-party assessment organization (3PAO) was owned by a foreign entity.

“We observed a case where one of the 3PAO organizations had already been through a Committee on Foreign Investment (CFIUS) process, where the organization was required to establish a mitigated subsidiary, but it was not using the subsidiary to conduct FedRAMP assessments,” said Stern.

Technology companies seeking to obtain FedRAMP approval to sell cloud services to federal agencies are required to engage a third-party assessor to inspect their product.

Stern’s testified during a roundtable hearing hosted by the Senate Committee on Homeland Security and Governmental Affairs ahead of legislative proposals that lawmakers are seeking to attach to the National Defense Authorization Act. His comments on foreign influence came after questions on the matter from Sen. Rob Portman, R-Ohio, who said he is seeking to ensure language in the new proposed legislation restricts foreign influence.

Stern added: “At the very least, a user at the Department of Defense and the Department of Homeland Security should be able to know how much code in a product was written overseas.”

Testifying alongside Stern at the hearing, Ashley Mahan, acting assistant commissioner at the General Services Administration’s Technology Transformation Services and former head of the FedRAMP program at GSA, noted that under FedRAMP, any system that handles sensitive and unclassified data must be based within the U.S.

“There are geolocation restrictions to the U.S and territories within U.S. jurisdiction,” said Mahan.

This article was updated to clarify that under FedRAMP any system that handles sensitive and unclassified data must be based within the U.S.

Cybersecurity expert warns over foreign influence in Senate FedRAMP hearing

More Like This

Federal cyber officials search for funding solutions to keep up with growing demands

White House official: Next phase of zero trust will focus on operations

Login.gov announces availability for facial recognition technology

Top Stories

SSA database to flag synthetic identity fraud has cost issues, GAO finds

Data, talent, funding among top barriers for federal agency AI implementation

Government websites aren’t created equal. GSA’s 10x program aims to change that

Announcing the 2024 FedScoop 50

House Republicans probe NIST on facial recognition for federal digital identity verification

White House’s final ‘Trust Regulation’ aims to bolster confidence in federal statistics

CISA official: AI tools ‘need to have a human in the loop’

More Scoops

White House releases long-awaited FedRAMP modernization guidance for agencies, cloud service providers

OMB extends comment period for new FedRAMP guidance

Executive order gives GSA a lead role in executing the administration’s AI vision, Carnahan says

With draft guidance, OMB kickstarts effort to modernize FedRAMP for ‘today’s cloud challenges’

Federal cloud advisory committee sets public meetings to provide recommendations for FedRAMP

New FedRAMP guidance forthcoming as the cloud marketplace evolves

House Oversight leaders call for additional evidence in Login.gov scandal

Latest Podcasts

A look at next week’s hearing on unidentified anomalous phenomena

Login.gov launches facial recognition option; the White House issues final Trust Regulation

HHS is working on a new AI strategic plan; Budget woes for government’s science and technology efforts

Meet the winners of the 2024 FedScoop 50; And, how the DOE sees itself counteracting the AI industry’s ‘profit motive’

Tech

Defense

Cyber

FedScoop TV