Monday, December 27, 2021

Review - S 3408 Introduced – Cloud Risk Management

Earlier this month, Sen Ossoff (D,GA) introduced S 3408, the Federal Cloud Risk Management Improvements Act. The bill amends 44 USC Chapter 36, Management and Promotion of Electronic Government Services, adding a new §3607, Reporting regarding security of cloud computing products and services. It would add an annual FedRAMP reporting requirement on the security measures being employed to protect federal cloud computing usage.

Ossoff is a subcommittee chair in the Senate Homeland Security and Governmental Affairs Committee to which this bill was referred for consideration. This means that there should be sufficient influence to see this bill considered in Committee. I see nothing that would engender any organized opposition to the bill. I suspect that there would be substantial bipartisan support for the bill. There is a good chance that this could be offered on the Floor of the Senate under the unanimous consent process where it would be subject to the political vagaries of the moment.

The definition of ‘cloud computing’ in SP 800-145 is certainly wide enough to encompass any number of operational technology offerings, including access control, video monitoring and environmental control systems.

The bill does not specify any specific security measures; actually, it does not even require any security provisions be applied to cloud-computing resources. The FedRAMP reporting requirement simply assume that there will be security measures implemented. It remains for Congress to review the reports and consider legislative measures to address any short comings. If this bill were passed, it would be another instance of Congress kicking the can down the proverbial road.

For more details about the reporting requirements in the bill, see my article at CFSN Detailed Analysis - - subscription required.

No comments:

/* Use this with templates/template-twocol.html */