News and Publications

CSP-AB responds to Commerce Dept Proposals on Malicious Cyber-enabled Activities

April 2024

The Executive Order of January 19, 2021, “Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities,” directs the Secretary of Commerce (the Secretary) to propose regulations requiring U.S. IaaS providers to verify the identity of their foreign customers, along with procedures for the Secretary to grant exemptions, and to authorize special measures to deter foreign malicious cyber actors' use of U.S. IaaS products. The Executive Order of October 30, 2023, “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence,” further directs the Secretary to propose regulations that require providers of certain IaaS products to submit a report to the Secretary when a foreign person transacts with that provider or reseller to train a large Artificial Intelligence (AI) model with potential capabilities that could be used in malicious cyber-enabled activity.

This notice of proposed rulemaking (NPRM) from the Department of Commerce solicits comment on proposed regulations to implement those Executive Orders.

The CSP-AB welcomes the opportunity to respond to the Proposal. However, while we share the U.S. Government’s goal of advancing national security objectives, including deterring foreign malicious cyber actors, we have concerns that the Proposal may prove ineffective in satisfying stated objectives, conflict with essential data privacy and security principles that underpin American technological leadership, and face practical and workability challenges. Further, we are concerned that the impact on IaaS providers is significant without demonstrating the commensurate benefits that the new requirements would bring about. 

In summary:

  • The CSP-AB is concerned that imposing overbroad, prescriptive bank-like Know Your Customer (KYC) requirements, as put forward in the Proposal, is impractical and burdensome, and is unlikely to enhance national security or cyber defenses. In particular, we urge reconsideration of overbroad identity verification requirements that will prove unworkable and divert resources from more effective measures to combat malicious actors.

  • The CSP-AB considers the proposed definition of foreign ownership to be unduly broad. As a minimum, we encourage alignment with the Office of Foreign Assets Control (OFAC) standards.

  • The CSP-AB urges the Department to focus on the development of requirements related to Abuse of IaaS Products Deterrence Programs (ADPs) instead of an overbroad CIP Rule; additionally, whether as a standalone ADP requirement or exception from the CIP Rule, CSP-AB suggests using FedRAMP as a baseline for ADP requirements to avoid duplication or fragmentation of such standards.

  • The requirements related to reporting of large AI model training present significant concerns for CSPs, as among other things, it would contradict the FedRAMP shared responsibility model and privacy standards. We urge the Department to bifurcate consideration of AI reporting to a separate process and dialogue with the private sector.

See our full response here.

CSP responds to FAR cases 2021-017 and 2021-019
February 2024

The CSP-AB welcomes the Administration’s implementation of Executive Order 14028, Improving the Nation’s Cybersecurity (“the EO”), through the Federal Acquisition Regulation. In effectuating Section 2 of the EO, Federal Acquisition Regulation (FAR) Cases 2021-017 and 2021-019 impose new, burdensome regulatory guidance on information technology companies that are already meeting a high security and compliance bar across the federal marketplace.

We recommend that the FAR Council leverage FedRAMP accreditation for software provenance disclosures and generally focus on implementing the Administration’s goal of regulatory harmonization when considering whether to levy net-new burdens on government contractors.

See our full response here.

CSP-AB response to OMB Memo on FedRAMP Modernization
December 2023

The CSP-AB has responded to OMB's document "Request for Comments on Updated Guidance for Modernizing the Federal Risk and Authorization Management Program (FedRAMP)". The CSP-AB welcomes the updated Guidance from the Office of Management and Budget (OMB) regarding the vision, scope and structure of the Federal Risk and Authorization Management Program (FedRAMP). We applaud the OMB for revising its timetable to ensure a robust and transparent consultation process with industry. We are excited about the possibilities that FedRAMP reform could hold, and urge OMB to be bold but judicious as it evolves the program, to ensure that Cloud Service Providers (CSPs) with existing authorizations are not penalized by the new changes and that the velocity of federal cloud adoption does not slow down.

See our full response here.

Oracle becomes the latest member to join the CSP-AB
September 2023

The CSP-AB is delighted to welcome Oracle as its newest member.

Oracle offers a complete enterprise cloud designed to modernize businesses. Oracle’s products and services include enterprise applications and infrastructure offerings that are delivered worldwide through a variety of flexible and interoperable IT deployment models. Oracle’s customers include businesses of many sizes, government agencies, educational institutions, and resellers.

FIPS for the Future

July 26, 2023

The CSP-AB, in partnership with Coalfire, has published a white paper that looks at the challenges of the current Federal Information Processing Standards and proposes solutions for the future.

Validated conformance testing against the Federal Information Processing Standards (FIPS) specification gives important assurances to end-users. The most recent update of FIPS 140 incorporates testing methodology from the International Organization for Standardization (ISO) to validate cryptographic modules, further enhancing the security protections for end-users. However, while FIPS 140 is critical, the process of validation has been long, complex, and further complicated by delays.

This paper outlines some of the challenges and proposes solutions to improve the FIPS Cryptographic Module Validation Program (CMVP) validation process, and some of the methods by which vendors and consumers interact with the validation process. Several ideas are provided to improve the process by which cryptographic modules (CMs) are validated and reported, with the intention of making improvements without lowering the standard of quality or security, which is integral to ensuring the effectiveness of cryptography and risk management.

The primary recommendation is to create a recommended order of implementations for downstream certifications that indicates modules should be used in a specific order of preference. 

CSP-AB responds to CISA Request for Comment on Secure Software Self-Attestation Common Form

On April 27, CISA released a 60-day Request for Comment to solicit public feedback on a draft self-attestation form. CISA developed this draft form in close consultation with OMB and based upon practices established in the National Institute of Standards and Technology’s Secure Software Development Framework (SSDF).

Our officially posted response can be seen here.

GSA announces FSCAC membership, including CSP-AB founding member Google

On May 12, the General Services Administration named 14 representatives from public and private sectors as inaugural members of the Federal Secure Cloud Advisory Committee (FSCAC).

The FSCAC will advise and provide recommendations to the GSA Administrator, the Federal Risk and Authorization Management Program (FedRAMP) Board, and federal agencies on technical, financial, programmatic, and operational matters regarding securely adopting cloud computing products and services.

Among the four representatives selected from businesses that primarily provide cloud computing services and products, CSP-AB founding member Google was selected.

“We are delighted to see the GSA announce membership of FSCAC; this is an important first step in advancing FedRAMP modernization for all CSPs,” said Laura Navaratnam, Executive Director of the Cloud Service Providers-Advisory Board. “We look forward to seeing what the Committee will focus on first, and stand ready to assist the GSA as needed.”

The CSP-AB launches as a Trade Association

March 2023

The Cloud Service Providers - Advisory Board (CSP-AB) represents the world’s leading cloud companies and supports standards and policies that promote and enable secure cloud adoption in the public and private sectors. Our 12 founding member companies are global leaders in the drive to provide safe, scalable, and accredited digital government services, with a focus on both the civil servants delivering those services and the end-users receiving them.

At the end of 2022, the CSP-AB reflected on its continued expansion, and the commensurate growth in engagement opportunities that this brings about. As such, we are delighted to announce our launch as a Trade Association. This will ensure the CSP-AB is structured for success; by formalizing and professionalizing the CSP-AB, the group can maximize impact, while advancing sound organizational governance.

Lookout joins the CSP-AB

October 2022

Lookout is the leader in delivering integrated endpoint-to-cloud security. With a cloud-delivered platform, Lookout secures data for the world’s leading enterprises and ensures they comply with regulations while respecting the privacy of their teams, who now work anywhere.

Zscaler joins the CSP-AB

August 2022

By leveraging the largest security cloud on the planet, Zscaler anticipates, secures, and simplifies the experience of doing business for the world's most established companies.

PMO Releases Subnetting White Paper

July 2022

NIST control SC-7, Boundary Protection, relies in large part on subnetworks (subnets), specifically subnet segmentation around “publicly accessible” components. This white paper, entitled “Subnets White Paper”, provides guidance on how NIST control SC-7 will be evaluated in documentation submitted for a FedRAMP authorization. Cloud Service Providers and Third Party Assessment Organizations can reference this white paper when developing documentation and for information on the following topics:

  • What are subnets and how should they be segmented,

  • What constitutes “publicly accessible”, and

  • FedRAMP's upcoming process to develop future guidance on applying this control to software-defined networks.

For more information, read the full Subnetting white paper on FedRAMP.gov.

FedRAMP is looking for continued engagement on this issue, in particular through the CSP-AB SC-7 working group. If you would like to get involved, please contact us at info@csp-ab.com.
