Cybersecurity expert warns over foreign influence in Senate FedRAMP hearing

Chain Security CEO Jeff Stern says his company identified at least one case in which a FedRAMP assessor was operated by a foreign entity.
WASHINGTON, DC - AUGUST 02: The U.S. Capitol Dome is illuminated by the sunset on August 02, 2021 in Washington, DC. The Senate has moved on to the amendments process this week for the legislative text of the $1 trillion infrastructure bill, which aims to fund improvements to roads, bridges, dams, climate resiliency and broadband internet. (Photo by Anna Moneymaker/Getty Images)

A witness testifying at a Senate committee hearing over proposed FedRAMP reforms raised concerns Tuesday over foreign influence and called for stricter transparency requirements for third-party assessor organizations.

Jeff Stern, CEO of cybersecurity firm Chain Security, called for an expansion of the definition of system security boundaries and said his company had identified at least one case where a third-party assessment organization (3PAO) was owned by a foreign entity.

“We observed a case where one of the 3PAO organizations had already been through a Committee on Foreign Investment (CFIUS) process, where the organization was required to establish a mitigated subsidiary, but it was not using the subsidiary to conduct FedRAMP assessments,” said Stern.

Technology companies seeking to obtain FedRAMP approval to sell cloud services to federal agencies are required to engage a third-party assessor to inspect their product.
Stern testified during a roundtable hearing hosted by the Senate Committee on Homeland Security and Governmental Affairs ahead of legislative proposals that lawmakers are seeking to attach to the National Defense Authorization Act. His comments on foreign influence came after questions on the matter from Sen. Rob Portman, R-Ohio, who said he is seeking to ensure that language in the proposed legislation restricts foreign influence.

Stern added: “At the very least, a user at the Department of Defense and the Department of Homeland Security should be able to know how much code in a product was written overseas.”

Testifying alongside Stern at the hearing, Ashley Mahan, acting assistant commissioner at the General Services Administration’s Technology Transformation Services and former head of the FedRAMP program at GSA, noted that under FedRAMP, any system that handles sensitive and unclassified data must be based within the U.S.

“There are geolocation restrictions to the U.S. and territories within U.S. jurisdiction,” said Mahan.

This article was updated to clarify that under FedRAMP any system that handles sensitive and unclassified data must be based within the U.S.

Written by John Hewitt Jones

John is the managing editor of FedScoop, and was previously a reporter at Institutional Investor in New York City. He has a master’s degree in social policy from the London School of Economics and his writing has appeared in The Scotsman and The Sunday Times of London newspapers.