
GSA Blocks Senator's Zoom Document Review - Government Use

July 15, 2021

GSA Denies Senator's Request for Zoom Security Documents

The General Services Administration (GSA) has refused a senator’s request to examine the documentation Zoom submitted to obtain approval of its software for federal government use.

Senator Wyden's Concerns

This denial followed a May letter from Senator Ron Wyden, a Democrat, to the GSA. Senator Wyden voiced apprehension that the agency authorized Zoom for federal use shortly before a significant security flaw was identified within the application.

The discovered vulnerability, according to Wyden, raises “serious questions about the quality of FedRAMP’s audits.”

Understanding FedRAMP Authorization

Zoom achieved authorization to operate within the government in April 2019, having successfully completed the FedRAMP process. This program, overseen by the GSA, verifies that cloud services adhere to a standardized set of security protocols.

FedRAMP authorization is essential; without it, federal entities are prohibited from utilizing cloud products or technologies that haven’t received clearance.

Past Security Issues with Zoom

Subsequently, Zoom was compelled to address a flaw in its Mac application. A security researcher revealed that the flaw could allow unauthorized remote activation of a user’s webcam. The vulnerability persisted even after users uninstalled the software, and Apple intervened to mitigate it.

As Zoom’s popularity surged during the pandemic, so did scrutiny. Technical analyses indicated that Zoom’s claimed end-to-end encryption was not fully implemented.

Request for the "Security Package"

Senator Wyden called the timing of the security bug discoveries, so soon after Zoom’s clearance, “extremely concerning.” He requested access to the “security package” – the documentation Zoom submitted during the FedRAMP authorization process – to understand the basis for the GSA’s approval.

The GSA initially rejected Wyden’s request in July 2020, citing his lack of committee chairmanship. Following his appointment as chair of the Senate Finance Committee, Wyden renewed his request.

GSA's Second Denial

However, in a recent letter, the GSA again denied access, invoking security concerns.

The GSA stated the package contains “highly sensitive proprietary and other confidential information” crucial to maintaining the integrity of the Zoom for Government product and any government data it manages. Disclosure, they believe, would create “significant security risks.”

Concerns About Broader Software Security

In response, Senator Wyden conveyed to TechCrunch his worry that other potentially flawed software may have been approved for government use.

“The intent of GSA’s FedRAMP program is good – to eliminate red tape so that multiple federal agencies don’t have to review the security of the same software,” Wyden explained. “But it’s vitally important that whichever agency conducts the review do so thoroughly.”

He added, “I’m concerned that the government’s audit of Zoom missed serious cybersecurity flaws that were subsequently uncovered and exposed by security researchers. GSA’s refusal to share the Zoom audit with Congress calls into question the security of the other software products that GSA has approved for federal use.”

The Nature of the FedRAMP Process

Individuals familiar with the FedRAMP process describe it as comprehensive, but not exhaustive. It represents a series of checks companies must meet to satisfy federal security requirements.

One source characterized the process as resembling a checklist of best practices and compliance requirements, relying heavily on vendor trust – an “honor system.” Another noted that FedRAMP cannot detect every vulnerability, a point underscored by recent executive action from President Biden aimed at modernizing the process.

Sensitivity of FedRAMP Security Packages

Most sources weren’t surprised by the denial, citing the sensitive nature of a company’s FedRAMP security package.

Companies provide detailed technical information about their product’s security during certification. Exposing this information could be detrimental, potentially revealing weaknesses to cybercriminals. Companies invest significantly in security improvements before audits, and would be reluctant to go through the process if their trade secrets could be exposed.

Zoom's Position

Zoom’s head of U.S. government relations, Lauren Belive, argued that releasing the security package would “set a dangerous precedent that would undermine the special trust and confidence” companies place in FedRAMP.

The GSA restricts access to security packages, requiring a federal government or military email address to request them. However, the rationale behind denying Wyden’s request remains unclear, and a GSA spokesperson declined to explain how a member of Congress could obtain the package.

GSA's Response

GSA spokesperson Christina Wilkes stated, “GSA values its relationship with Congress and will continue to work with Senator Wyden and our committees of jurisdiction to provide appropriate information regarding our programs and operations.”

The GSA did not specify which congressional committee has jurisdiction or whether Wyden’s chairmanship suffices, nor did they address questions about the FedRAMP process’s effectiveness.

Zoom's Statement

Zoom spokesperson Kelsey Knight explained that cloud companies provide confidential information to the GSA with the understanding it will be used solely for authorization decisions.

“While we do not believe Zoom’s FedRAMP security package should be disclosed outside of this narrow purpose, we welcome conversations with lawmakers and other stakeholders about the security of Zoom for Government.”

Zoom affirmed its commitment to security enhancements and received FedRAMP reauthorization in 2020 and 2021. The company declined to detail the extent of auditing during the FedRAMP process.

Widespread Zoom Usage

Over two dozen federal agencies currently utilize Zoom, including the Defense Department, Homeland Security, U.S. Customs and Border Protection, and the Executive Office of the President.
