News and Publications
CrowdStrike becomes the latest member to join the CSP-AB
October 2024
CrowdStrike has redefined security with the world’s most advanced cloud-native platform that protects and enables the people, processes and technologies that drive modern enterprise. CrowdStrike secures the most critical areas of risk – endpoints and cloud workloads, identity, and data – to keep customers ahead of today’s adversaries and stop breaches.
SAP NS2 joins the CSP-AB
October 2024
The CSP-AB is delighted to announce SAP NS2 as its latest member.
SAP National Security Services, Inc. (SAP NS2®) is an independent, U.S. subsidiary of SAP, a market share leader in enterprise resource management applications, supply chain management applications, procurement applications software, and travel and expense management software. SAP NS2 enables the secure adoption of U.S.-based, SAP cloud solutions with an enhanced deployment model that allows our customers to adhere to regulatory compliance requirements and protect their mission-critical workloads. With our secure cloud solutions, SAP NS2 powers SAP's intelligent enterprise for highly regulated customers.
Axon joins the CSP-AB
September 2024
The CSP-AB is delighted to welcome Axon as its 14th member.
Axon, a global leader in public safety technology, has set a moonshot goal to reduce gun-related deaths between police and the public in the US by 50% by 2033. Through an integrated suite of hardware and cloud-based solutions—including TASER devices, body-worn and in-car cameras, digital evidence management, productivity software, and real-time operations tools—Axon is building the future of public safety. Axon is trusted by federal, state, and local agencies, as well as international first responders and justice organizations.
CSP-AB responds to Cybersecurity and Infrastructure Security Agency proposal on CIRCIA
July 2024
The CSP-AB welcomes the opportunity to respond to this Cybersecurity and Infrastructure Security Agency Notice of Proposed Rulemaking regarding implementation of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), specifically the statute’s covered cyber incident and ransom payment reporting requirements for covered entities.
The CSP-AB shares CISA’s objective of upholding and enhancing national security, and therefore we are supportive of the implementation of the CIRCIA reporting requirements to ensure early protections are in place to identify malicious cyber campaigns as well as longer-term threat trends. The CSP-AB also applauds CISA for extending the public comment period, reflecting the importance of, and interest in, this NPRM.
In order to best serve the Proposal’s objectives, however, we do believe that specific amendments are necessary, primarily regarding the definitions and the breadth of firms that may be captured.
See our full response here
CSP-AB responds to Commerce Dept Proposals on Malicious Cyber-Enabled Activities
April 2024
The Executive order of January 19, 2021, “Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities,” directs the Secretary of Commerce (Secretary) to propose regulations requiring U.S. IaaS providers to verify the identity of their foreign customers, along with procedures for the Secretary to grant exemptions; and authorize special measures to deter foreign malicious cyber actors' use of U.S. IaaS products. The Executive order of October 30, 2023, “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence,” further directs the Secretary to propose regulations that require providers of certain IaaS products to submit a report to the Secretary when a foreign person transacts with that provider or reseller to train a large Artificial Intelligence (AI) model with potential capabilities that could be used in malicious cyber-enabled activity.
This notice of proposed rulemaking (NPRM) from the Department of Commerce solicits comment on proposed regulations to implement those Executive orders.
The CSP-AB welcomes the opportunity to respond to the Proposal. However, while we share the U.S. Government’s goal of advancing national security objectives, including deterring foreign malicious cyber actors, we have concerns that the Proposal may prove ineffective in satisfying stated objectives, conflict with essential data privacy and security principles that underpin American technological leadership, and face practical and workability challenges. Further, we are concerned that the impact on IaaS providers is significant without demonstrating the commensurate benefits that the new requirements would bring about.
In summary:
- The CSP-AB is concerned that imposing overbroad, prescriptive bank-like Know Your Customer (KYC) requirements, as put forward in the Proposal, is impractical and burdensome, and is unlikely to enhance national security or cyber defenses. In particular, we urge reconsideration of overbroad identity verification requirements that will prove unworkable and detract resources from more effective measures to combat malicious actors.
- The CSP-AB considers the proposed definition of foreign ownership to be unduly broad. As a minimum, we encourage alignment with the Office of Foreign Assets Control (OFAC) standards.
- The CSP-AB urges the Department to focus on the development of requirements related to Abuse of IaaS Products Deterrence Programs (ADPs) instead of an overbroad CIP Rule; additionally, whether as a standalone ADP requirement or an exception from the CIP Rule, the CSP-AB suggests using FedRAMP as a baseline for ADP requirements to avoid duplication or fragmentation of such standards.
- The requirements related to reporting of large AI model training present significant concerns for CSPs, as, among other things, they would contradict the FedRAMP shared responsibility model and privacy standards. We urge the Department to bifurcate consideration of AI reporting into a separate process and dialogue with the private sector.
See our full response here.
CSP-AB responds to FAR cases 2021-017 and 2021-019
February 2024
The CSP-AB welcomes the Administration’s implementation of Executive Order 14028, Improving the Nation’s Cybersecurity (“the E.O.”), through the Federal Acquisition Regulation. In effectuating Section 2 of the E.O., Federal Acquisition Regulation (FAR) Cases 2021-017 and 2021-019 impose new, burdensome regulatory guidance on information technology companies that are already meeting a high security and compliance bar across the federal marketplace.
We recommend that the FAR Council leverage FedRAMP accreditation for software provenance disclosures and generally focus on implementing the Administration’s goal of regulatory harmonization when considering whether to levy net-new burdens on government contractors.
CSP-AB response to OMB Memo on FedRAMP Modernization
December 2023
The CSP-AB has responded to OMB's document "Request for Comments on Updated Guidance for Modernizing the Federal Risk Authorization Management Program (FedRAMP)". The CSP-AB welcomes the updated Guidance from the Office of Management and Budget (OMB) regarding the vision, scope and structure of the Federal Risk Authorization Management Program (FedRAMP). We applaud the OMB for revising its timetable to ensure a robust and transparent consultation process with industry. We are excited about the possibilities that FedRAMP reform could hold, and urge OMB to be bold but judicious as it evolves the program to ensure Cloud Service Providers (CSPs) with existing authorizations are not penalized by the new changes and that velocity of federal cloud adoption does not slow down.
See our full response here.
Oracle joins the CSP-AB
September 2023
The CSP-AB is delighted to welcome Oracle as its 13th member.
Oracle offers a complete enterprise cloud designed to modernize businesses. Oracle’s products and services include enterprise applications and infrastructure offerings that are delivered worldwide through a variety of flexible and interoperable IT deployment models. Oracle’s customers include businesses of many sizes, government agencies, educational institutions, and resellers.
FIPS for the Future
July 26, 2023
The CSP-AB, in partnership with Coalfire, has published a white paper which looks at the challenges of the current Federal Information Processing Standards and proposes solutions for the future.
Validated conformance testing against the Federal Information Processing Standards (FIPS) specification gives important assurances to end-users. The most recent update of FIPS 140 incorporates testing methodology from the International Organization for Standardization (ISO) to validate cryptographic modules, further enhancing the security protections for end-users. However, while FIPS 140 is crucial and critical, the process of validation has been long, complex, and further complicated by delays.
This paper outlines some of the challenges and proposes solutions to improve the FIPS Cryptographic Module Validation Program (CMVP) validation process, and some of the methods by which vendors and consumers interact with the validation process. Several ideas are provided to improve the process in which cryptographic modules (CMs) are validated and reported, with the intention to make improvements without lowering the standard of quality or security, which is integral to ensure the effectiveness of cryptography and risk management.
The primary recommendation is to create a recommended order of implementations for downstream certifications that indicates modules should be used in a specific order of preference.
CSP-AB responds to CISA Request for Comment on Secure Software Self-Attestation Common Form
On April 27, CISA released a 60-day Request for Comment to solicit public feedback on a draft self-attestation form. CISA developed this draft form in close consultation with OMB and based upon practices established in the National Institute of Standards and Technology’s Secure Software Development Framework (SSDF).
Our officially posted response can be seen here.
GSA announces FSCAC membership, including CSP-AB founding member Google
On May 12, the General Services Administration named 14 representatives from public and private sectors as inaugural members of the Federal Secure Cloud Advisory Committee (FSCAC).
The FSCAC will advise and provide recommendations to the GSA Administrator, the Federal Risk and Authorization Management Program (FedRAMP) Board, and federal agencies on technical, financial, programmatic, and operational matters regarding securely adopting cloud computing products and services.
Among the four representatives selected from unique businesses that primarily provide cloud computing services/products, the CSP-AB founding member Google was selected.
“We are delighted to see the GSA announce membership of FSCAC; this is an important first step in advancing FedRAMP modernization for all CSPs” said Laura Navaratnam, Executive Director of the Cloud Service Providers-Advisory Board. “We look forward to seeing what the Committee will focus on first, and stand ready to assist the GSA as needed”.
The CSP-AB launches as a Trade Association
March 2023
The Cloud Service Providers - Advisory Board (CSP-AB) represents the world’s leading cloud companies and supports standards and policies that promote and enable secure cloud adoption in the public and private sectors. Our 12 founding member companies are global leaders in the drive to provide safe, scalable, and accredited digital government services, with a focus on both the civil servants delivering those services and the end-users receiving them.
At the end of 2022, the CSP-AB reflected on its continued expansion, and the commensurate growth in engagement opportunities that this brings about. As such, we are delighted to announce our launch as a Trade Association. This will ensure the CSP-AB is structured for success; by formalizing and professionalizing the CSP-AB, the group can maximize impact, while advancing sound organizational governance.
Lookout joins the CSP-AB
October 2022
Lookout is the leader in delivering integrated endpoint-to-cloud security. With a cloud-delivered platform, Lookout secures data for the world’s leading enterprises and ensures they comply with regulations while respecting the privacy of their teams, who now work anywhere.
Zscaler joins the CSP-AB
August 2022
By leveraging the largest security cloud on the planet, Zscaler anticipates, secures, and simplifies the experience of doing business for the world's most established companies.
PMO Releases Subnetting White Paper
July 2022
NIST control SC-7 for Boundary Protection relies in large part on subnetworks (subnets), specifically subnet segmentation around “publicly accessible” components. This white paper, entitled “Subnets White Paper”, provides guidance on how NIST control SC-7 will be evaluated in documentation submitted for a FedRAMP authorization. Cloud Service Providers and Third Party Assessment Organizations can reference this white paper when developing documentation and for information on the following topics:
- What subnets are and how they should be segmented,
- What constitutes “publicly accessible”, and
- FedRAMP’s upcoming process to develop future guidance when applying this control to software defined networks.
For more information, read the full Subnetting white paper on FedRAMP.gov.
FedRAMP is looking for continued engagement on this issue, in particular through the CSP-AB SC-7 working group. If you would like to get involved, please contact us at info@csp-ab.com.