Earlier this month, Sen. Ossoff (D-GA) introduced S 3408,
the Federal Cloud Risk Management Improvements Act. The bill amends 44 USC
Chapter 36, Management and Promotion of Electronic Government Services, adding
a new §3607, Reporting regarding security of cloud computing products and
services. It would add an annual FedRAMP reporting requirement on the security measures
being employed to protect federal cloud computing usage.

Ossoff is a subcommittee chair in the Senate Homeland
Security and Governmental Affairs Committee to which this bill was referred for
consideration. This means that there should be sufficient influence to see this
bill considered in Committee. I see nothing that would engender any organized
opposition to the bill. I suspect that there would be substantial bipartisan
support for the bill. There is a good chance that this could be offered on the
Floor of the Senate under the unanimous consent process where it would be
subject to the political vagaries of the moment.

The definition of ‘cloud computing’ in SP
is certainly wide enough to encompass any number of operational
technology offerings, including access control, video monitoring and environmental
control systems.

The bill does not specify any particular security measures;
in fact, it does not even require that any security provisions be applied to
cloud-computing resources. The FedRAMP reporting requirement simply assumes that
security measures will be implemented. It remains for Congress to review
the reports and consider legislative measures to address any shortcomings. If
this bill were passed, it would be another instance of Congress kicking the can
down the proverbial road.

For more details about the reporting requirements in the
bill, see my article at CFSN Detailed Analysis – https://patrickcoyle.substack.com/p/s-3408-introduced
– subscription required.

