Federal Secure Cloud Advisory Committee bylaws
ARTICLE I
AUTHORITY
The Federal Secure Cloud Advisory Committee (hereinafter referred to as “the Committee” or “FSCAC”) is required under Section 5921(b) of the James M. Inhofe National Defense Authorization Act for Fiscal Year 2023, (hereinafter referred to as “the Authority”). This committee is established in accordance with and operates under the provisions of the Federal Advisory Committee Act (FACA) (5 U.S.C. 10).
ARTICLE II
PURPOSE
FedRAMP is responsible for providing a standardized, reusable approach to security assessment and authorization for cloud computing products and services that process unclassified information used by agencies. The FSCAC will examine FedRAMP operations and advise the GSA Administrator (hereinafter referred to as “the Administrator”), the FedRAMP Board, and agencies on how to ensure effective and ongoing coordination of agency adoption, use, authorization, monitoring, acquisition, and security of cloud computing products and services to enable agency mission and administrative priorities.
The purposes of the Committee are:
- To examine the operations of FedRAMP and determine ways that authorization processes can continuously be improved, including the following:
- Measures to increase agency reuse of FedRAMP authorizations.
- Proposed actions that can be adopted to reduce the burden, confusion, and cost associated with FedRAMP authorizations for cloud service providers.
- Measures to increase the number of FedRAMP authorizations for cloud computing products and services offered by small businesses concerns (as defined by section 3(a) of the Small Business Act (15 U.S.C. 632(a)).
- Proposed actions that can be adopted to reduce the burden and cost of FedRAMP authorizations for agencies.
- Collect information and feedback on agency compliance with and implementation of FedRAMP requirements.
- Serve as a forum that facilitates communication and collaboration among the FedRAMP stakeholder community.
ARTICLE III
Section 1.
MEMBERSHIP AND MEMBER RESPONSIBILITIES
Composition. In accordance with the Authority, the Committee shall be comprised of not more than fifteen (15) members, who will be appointed as either Representatives or Regular Government Employees (RGEs). Membership will consist of the following individuals:
i. The Administrator or the Administrator's designee, who shall be the Chair of the Committee.
ii. At least one representative each from the Cybersecurity and Infrastructure Security Agency and the National Institute of Standards and Technology.
iii. At least two officials who serve as the Chief Information Security Officer within an agency, who shall be required to maintain such a position throughout the duration of their service on the Committee.
iv. At least one official serving as Chief Procurement Officer (or equivalent) in an agency, who shall be required to maintain such a position throughout the duration of their service on the Committee.
v. At least one individual representing an independent assessment organization.
vi. At least five representatives from unique businesses that primarily provide cloud computing services or products, including at least two representatives from a small business (as defined by section 3(a) of the Small Business Act (15 U.S.C. 632(a)).
vii. At least two other Government representatives as the Administrator determines to be necessary to provide sufficient balance, insights, or expertise to the Committee.
Section 2.
Appointment. Members will be appointed by the Administrator, in consultation with the Director of OMB. Members will be designated either as a Regular Government Employee (RGE) or Representative. Appointments are based on the person and cannot be transferred to another individual. Members may not designate another person to attend meetings, participate in discussions, or vote on committee matters on their behalf. If a member’s position or affiliation changes, the member must immediately notify the DFO. Additionally, if a member chooses to resign, he or she must submit the resignation in writing to the DFO.
Section 3.
Terms of Office. Each non-Federal member of the Committee shall be appointed for a term of 3 years, except that the initial terms for members may be staggered 1- , 2-, or 3-year terms to establish a rotation in which one-third of the members are selected each year.
Each Federal member of the Committee shall be appointed for a term of 3 years, except for the Chair. The Administrator or the Administrator’s designee shall be the Chair of the Committee. Any individual designated by the Administrator to serve as the Committee Chair may serve as such so long as the individual is a GSA employee.
Any member may not be appointed for more than 2 consecutive terms.
Section 4.
Ethics Clearance. GSA may require individuals to provide a Statement of Employment and Financial Interests for review by the Office of General Counsel.
Section 5.
Member Responsibilities.
A. Members are expected to attend committee meetings and participate in committee work. The DFO will recommend to the GSA Administrator, in consultation with OMB, that any member who is unable to fulfill his or her responsibility be removed from the Committee.
B. The DFO may recommend committee members for removal for reasons such as, but not limited to: missing two consecutive committee or subcommittee meetings; not participating in the Committee’s work; no longer meeting the committee member’s membership criteria per their appointment letter; and/or engaging in activities that are illegal or violate the restrictions on members’ activities.
Section 6.
Restrictions on Members’ Activities.
A. Members may not use this access to the Federal Government as a member of this Committee for the purpose of soliciting business for or otherwise seeking economic advantage for themselves, their companies, or their employers. Members may not use any non-public information obtained in the course of their duties as a member for personal gain or for that of their company or employer. Members must hold any non-public information in confidence, including but not limited to draft reports, draft letters, subcommittee materials, or other pre-decisional documents.
B. If a member becomes a Federally registered lobbyist while serving on the Committee, engages in activities that would warrant resignation during their membership term, and/or no longer meets the membership criteria as required by the bill, the member is required to report this information to the DFO immediately.
C. The Committee may provide advice to the Administrator on recommended legislative action. In their capacities as members of the Committee, individual members may not petition or lobby Congress for or against particular legislation or encourage others to do so.
D. Committee members do not have the authority to make statements as representative of the Committee to another government official or a member of the public, or if speaking outside the Committee structure at other forums or meetings. When referring to your membership on the Committee, Committee members may mention it along with their other roles, but it should not be given any more importance than the other roles.
ARTICLE IV
Section 1.
COMMITTEE ROLES
Chair. In accordance with the authority, the Chair of the Committee shall be the GSA Administrator or the GSA Administrator's designee. The Chair serves several roles, including but not limited to: Committee leader, meeting facilitator, team/consensus builder, liaison between the Committee and DFO, manager of Committee activities (including meetings) and timelines, key developer and integrator of Committee work products, and is generally the spokesperson for the Committee. The Chair:
a. Presides at advisory Committee and subcommittee meetings.
b. Directs and manages the work of the Committee or subcommittee during and in between committee meetings.
c. Works closely with the DFO to ensure committee activities serve the purpose of the FSCAC as provided in the authority, complies with the authority, the FACA, the FACA Final Rule in the Code of Federal Regulations, and GSA’s internal agency regulations regarding managing FACA Committees.
d. Certifies the accuracy of the minutes for each meeting within 90 calendar days to which the meeting relates.
e. Advises the public at the beginning of each meeting about the Committee’s rules on public participation.
f. Conducts each meeting in accordance with the approved agenda.
g. Facilitates committee member discussions to maintain focus on areas relevant to accomplishing the agenda and keeps members engaged.
h. Determines when comments are not germane, when it’s time to end the discussion, when a topic should be assigned to a subcommittee for further consideration, or when discussions should be tabled until the next meeting.
i. Coordinates how the work products/ recommendations of the Committee are organized, generated, and transmitted to the GSA Administrator.
Section 2.
Designated Federal Officer. The Administrator will designate a permanent full-time or part-time Federal employee to serve as the Designated Federal Officer (DFO). There may also be an Alternate DFO. The DFO:
a. Schedules all meetings of the Federal Secure Cloud Advisory Committee and its subcommittees.
b. Prepares and approves all meeting agendas.
c. Attends all committee and subcommittee meetings.
d. Adjourns any committee or subcommittee meetings after determining that adjournment is in the public interest.
e. Chairs meetings when directed to do so by the GSA Administrator.
The DFO is the central point of contact for the administrative operation of the Committee and its subcommittees, and is responsible for ensuring the Committee complies with the authority, the FACA, the FACA Final Rule in the Code of Federal Regulations, and GSA’s internal agency regulations regarding managing FACA Committees. The DFO works closely with committee members on administrative support needed for the duration of the Committee.
Section 3.
Subcommittee Chair. Subcommittees must be chaired or co-chaired by an FSCAC member. The Chair/Co-Chair of the Subcommittee:
a. Presides at advisory subcommittee meetings.
b. Directs and manages the work of the subcommittee during and in between subcommittee meetings.
c. Works closely with the DFO to ensure subcommittee activities serve the purpose of the FSCAC as provided in the authority, complies with the authority, the FACA, the FACA Final Rule in the Code of Federal Regulations, and GSA’s internal agency regulations regarding managing FACA Committees.
d. Certifies the accuracy of the minutes for each meeting within 90 calendar days to which the meeting relates.
e. Advises the public at the beginning of each meeting about the Committee’s rules on public participation.
f. Conducts each meeting in accordance with the approved agenda.
g. Facilitates subcommittee member discussions to maintain focus on areas relevant to accomplishing the agenda and keeps members engaged.
h. Determines when comments are not germane, when it’s time to end the discussion, when a topic should be brought to the Committee for further consideration, or when discussions should be tabled until the next meeting.
i. Coordinates how the work products/ recommendations of the subcommittee are organized, generated, and transmitted to the Committee.
ARTICLE V
MEETING PROCEDURES
The FSCAC will meet no fewer than three (3) times a year. Meetings shall occur as frequently as needed, called, and approved by the DFO. Meetings may be held either virtually, in-person, or a hybrid of in-person and virtually. Meetings will be formally structured and will be conducted in accordance with the requirements of the Committee charter and the Committee bylaws at all times.
Section 1.
Meeting Schedule and Call of Meetings. Additional meetings may be called by the DFO, or at the request of the Chair of the Committee in consultation with the DFO. The DFO must attend each meeting of the Committee and subcommittees. Committee and subcommittee meetings must be approved in advance by the DFO.
Section 2.
Agenda. Agendas for each committee and subcommittee meeting will be developed by the DFO in consultation with the respective Chair(s). The DFO is responsible for distributing the final agenda to the members. The DFO will also ensure that for each committee and subcommittee meeting, a summary of the agenda, and/or topics to be discussed, or the full agenda is published in the Federal Register a minimum of 15 calendar days in advance of the meeting date.
Section 3.
Quorum. A quorum of the Committee is required to transact committee business. A quorum is defined as half the Committee members plus one (1). The DFO will determine if a quorum is present prior to each meeting of the Committee. If a quorum does not exist, the meeting may continue, but the Committee may take no official action. Alternatively, the DFO may cancel the meeting at their discretion if the meeting does not have a quorum of the members present. The process to determine quorum at the Committee level will be followed at the subcommittee level.
Section 4.
Voting Procedures.
A. Any item presented to the Committee for a decision must be fully deliberated prior to a vote. A quorum of the Committee must be present to hold a vote. In order for a decision to pass, it must receive a majority of the total votes from the Committee.
B. Only Committee members present at a meeting may vote on a matter under consideration. No proxy votes will be allowed. All votes must be recorded in the minutes of the meeting.
C. The voting procedures at the Committee level will be followed at the subcommittee level.
Section 5.
Meeting Minutes. Meeting minutes will be prepared for each committee and subcommittee meeting and certified by the Chair within 90 calendar days of the meeting to which they relate. Once certified, the meeting minutes will be distributed to the members and posted to the Committee website.
The minutes will include a record of:
- The time, date, and place of the meeting;
- A list of all attendees, including members, staff, and the public;
- An accurate description of each matter discussed and the resolution, if any, made by the Committee;
- Copies of reports or other documents received, issued, or approved by the Committee; and
- An accurate description of public participation, including oral and written statements provided.
The DFO must ensure that the Chair certifies the minutes within 90 calendar days of the meeting to which they relate.
Section 6.
Open Meetings. Unless otherwise determined in advance, all meetings of the committee and subcommittees shall be open to the public and announced in the Federal Register at least 15 calendar days before the meeting. Members of the public may attend any meeting or portion of a meeting that is not closed to the public and may offer oral comment at such meetings as the agenda permits. Meetings may typically include a period for oral comments. Members of the public may submit written public comments throughout the life of the Committee. Federal Register notices will inform the public of the procedure for submitting a written or oral statement to the Committee. All materials provided to the Committee in preparation for a public meeting will be posted to the Committee's public website. Such materials, including any comments by members of the public, are part of the meeting record.
Section 7.
Closing Meetings. Advisory committee and subcommittee meetings may be closed or partially closed to the public based upon provisions of the Government in the Sunshine Act of 1976 (5 U.S.C. § 552b(c)). Where the DFO has determined in advance that discussions during a Committee or subcommittee meeting will involve a provision of the Government in the Sunshine Act (5 U.S.C. § 552b(c)), an advance notice of a closed meeting, citing the applicable exemptions of the Government in the Sunshine Act, will be published in the Federal Register. The notice may announce the closing of all or just a part of a meeting. If, during the course of an open meeting, matters inappropriate for public disclosure arise during discussions, the DFO or Chair will order such discussion to cease and will schedule it for a future meeting of the Committee that will be approved for closure. No meeting or portion of a meeting may be closed without prior written approval by the GSA Administrator and notice published in the Federal Register. Closed meetings can only be attended by the DFO, Committee members, Committee staff and, if applicable, presenters. Presenters must leave immediately after giving their presentations and answering any questions.
ARTICLE VI
EXPENSES AND REIMBURSEMENTS
Financial support for the Committee will be provided by GSA’s Technology Transformation Services (TTS). All expenditures associated with the Committee must be approved by the DFO in advance of being obligated. Members may be reimbursed for travel and per diem expenses for in-person meetings.
ARTICLE VII
ADMINISTRATION
The Federal Secure Cloud Advisory Committee (hereinafter referred to as “the Committee” or “FSCAC”) is required under Section 5921(b) of the James M. Inhofe National Defense Authorization Act for Fiscal Year 2023, (hereinafter referred to as “the Authority”). This committee is established in accordance with and operates under the provisions of the Federal Advisory Committee Act (FACA) (5 U.S.C. 10).
ARTICLE VIII
SUBCOMMITTEES
Subcommittees may be created by the Committee, in consultation and with the approval of the DFO, as needed. Subcommittees will meet as deemed necessary by the subcommittee chairs, in consultation with the DFO. Subcommittees must report back to the parent committee and must not provide advice or work products directly to GSA. The Chair of the Committee may recommend members from the Committee to serve on a subcommittee. The Chair of the Committee may recommend to the DFO that appropriate non-FSCAC members be invited to serve on a subcommittee.
Subcommittees must report their deliberations, recommendations, and advice to the Committee for the full deliberation and discussion by the Committee. Subcommittees have no authority to make decisions on behalf of the Committee or GSA and may only report to the Committee.
ARTICLE IX
Section 1.
COMMITTEE REPORTS AND RECOMMENDATIONS
Committee and Subcommittee Report and Recommendation Procedures. All advice, reports, and recommendations by the Committee must be submitted in writing, through the DFO, to the Administrator. Advice, reports, and recommendations received by the Committee from a subcommittee must be fully discussed, deliberated, and voted on in an open meeting. Once subcommittee reports and recommendations have been accepted by the Committee, they become committee reports and recommendations. All Committee reports and recommendations transmitted to the GSA Administrator will include a cover letter, signed by the Committee Chair. All reports and recommendations approved by the Committee will be placed on the Committee’s public website.
Section 2.
Interim reports. The Committee may submit to the Administrator and Congress interim reports containing such findings, conclusions, and recommendations as have been agreed to by the Committee.
Section 3.
Annual reports. Not later than 540 days after the date of enactment of the authority, which is marked as June 14, 2024, and annually thereafter, the Committee shall submit to the Administrator and Congress a report containing such findings, conclusions, and recommendations as have been agreed to by the Committee.
ARTICLE X
BYLAWS APPROVALS AND AMENDMENTS
Amendments to the bylaws must be agreed to by a majority of the members present during a meeting with quorum. The DFO must ensure that all members receive a copy of a proposed amendment before any vote is taken. Amendments will become effective immediately upon approval unless another time is specified.
Date Approved: May 22, 2023