A witness testifying at a Senate committee hearing over proposed FedRAMP reforms raised concerns Tuesday over foreign influence and called for stricter transparency requirements for third-party assessor organizations.
Jeff Stern, CEO of cybersecurity firm Chain Security, called for an expansion of the definition of system security boundaries and said his company had identified at least one case where a third-party assessment organization (3PAO) was owned by a foreign entity.
“We observed a case where one of the 3PAO organizations had already been through a Committee on Foreign Investment (CFIUS) process, where the organization was required to establish a mitigated subsidiary, but it was not using the subsidiary to conduct FedRAMP assessments,” said Stern.
Technology companies seeking to obtain FedRAMP approval to sell cloud services to federal agencies are required to engage a third-party assessor to inspect their product.
Stern testified during a roundtable hearing hosted by the Senate Committee on Homeland Security and Governmental Affairs ahead of legislative proposals that lawmakers are seeking to attach to the National Defense Authorization Act. His comments on foreign influence came after questions on the matter from Sen. Rob Portman, R-Ohio, who said he is seeking to ensure that language in the newly proposed legislation restricts foreign influence.
Stern added: “At the very least, a user at the Department of Defense and the Department of Homeland Security should be able to know how much code in a product was written overseas.”
Testifying alongside Stern at the hearing, Ashley Mahan, acting assistant commissioner at the General Services Administration’s Technology Transformation Services and former head of the FedRAMP program at GSA, noted that under FedRAMP, any system that handles sensitive and unclassified data must be based within the U.S.
“There are geolocation restrictions to the U.S. and territories within U.S. jurisdiction,” said Mahan.
This article was updated to clarify that under FedRAMP any system that handles sensitive and unclassified data must be based within the U.S.