June 8, 2026 Open Public Meeting Agenda
| Allotted Time | Topic | Presenter |
|---|---|---|
| 1-1:10 p.m. | Call to order<br>Welcome and roll call<br>FACA public meetings | Ryan Hoesing, Designated Federal Officer |
| 1:10-1:20 p.m. | Public comment (limit three minutes per speaker) | Members of the public |
| 1:20-1:25 p.m. | Chair remarks | Larry Hale, Federal Secure Cloud Advisory Committee Chair |
| 1:25-2:55 p.m. | Discussion topics:<br>- Review the FedRAMP Briefing on major program updates from the last year.<br>- Set expectations and key goals for the FSCAC for the rest of 2026.<br>- Determine how FSCAC can help agencies adopt and reuse cloud services. | FSCAC membership |
| 2:55-3 p.m. | Closing remarks & adjourn | Larry Hale, Federal Secure Cloud Advisory Committee Chair; Ryan Hoesing, Designated Federal Officer |
Meeting Opening and Administrative Items
Ryan Hoesing opened the public meeting at 1:02 p.m. ET and confirmed that the meeting
was being held under the Federal Advisory Committee Act. The meeting was recorded,
and the recording and transcript will be posted to the GSA FSCAC webpage.
Quorum and Membership
Ryan noted that FSCAC currently has 11 active appointed members and 3 vacancies:
- 2 open Federal Agency CISO seats
- 1 large cloud service provider representative seat
Applications for open and upcoming seats were due by 5:00 p.m. ET on Friday, June 12, 2026.
A roll call was conducted, and all 11 active members were present. Quorum was
confirmed.
Public Comment
Ryan opened the floor for public comments. One public comment was made by Morgan
Kaplan, who thanked the committee for bringing the meeting to the community.
No other public comments were offered during the initial comment period.
Chair’s Opening Remarks
Larry Hale welcomed committee members and the public, noting that FSCAC had not met
for some time. He emphasized that the purpose of the meeting was to:
- Reconvene and reorient the committee
- Align on where FedRAMP stands today
- Focus FSCAC’s 2026 work on practical, action-oriented outputs
Larry explained that 2026 FSCAC meetings would be shorter and more focused than prior meetings due to a smaller support team and a desire to concentrate on areas where the committee can add the most value.
FSCAC’s Core Role
Larry reminded members of the FSCAC charter, which charges the committee with providing advice and recommendations to GSA on topics including:
- Increasing agency reuse of FedRAMP authorizations/certifications
- Reducing burden and confusion for cloud service providers
- Supporting more authorizations for small businesses
- Reducing burden and cost for agencies
- Collecting feedback on FedRAMP implementation
- Serving as a communication forum for the FedRAMP stakeholder community
For 2026, Larry proposed that FSCAC focus primarily on agency adoption and reuse of FedRAMP certifications.
FedRAMP Program Update from Pete Waterman
Pete Waterman, FedRAMP Director, provided a broad update on FedRAMP’s
modernization efforts over the past year.
FedRAMP Communication and Community Engagement
Pete emphasized that FedRAMP has significantly expanded its communication with
stakeholders. He noted that FedRAMP now holds:
- Twice-monthly community update meetings
  - One focused on FedRAMP Rev. 5
  - One focused on FedRAMP 20X
- Monthly meetings with agency liaisons
- Agency support groups
- Frequent engagement with trade associations
- Requests for comment through GitHub and other public channels
- Public notices, blog posts, and special events
Pete stated that FedRAMP now communicates extensively with its stakeholder community and that FSCAC’s future value should be less about receiving briefings and more about producing recommendations and helping solve practical adoption issues.
FedRAMP Modernization Themes
Pete described the shift from legacy FedRAMP processes toward a more modern,
risk-based, automation-supported approach.
Key Points
Pete emphasized that FedRAMP is no longer intended to operate as a checkbox-based
compliance program. Instead, FedRAMP is working toward:
- Greater reliance on technical expertise and risk management
- More government-wide adoption of commercial cloud services
- Less reliance on government-only versions of commercial services
- More automation in security review and reporting processes
- Better alignment with agency responsibility under the Risk Management Framework
He stressed that agencies remain responsible for their own risk management decisions. FedRAMP certifications provide reusable assessment materials and security signals, but they do not replace agency responsibilities under applicable law, policy, or risk management requirements.
FedRAMP Program Status
Pete provided several operational updates on the FedRAMP program.
Staffing and Budget
FedRAMP currently has about 30 staff members and is working to hire approximately 15
federal staff. Pete noted hiring challenges, particularly because positions require full-time
in-office work in Washington, D.C.
FedRAMP expects to operate with a budget of roughly $10 million per year for the
foreseeable future.
Pete emphasized that prior recommendations simply calling for “more money” or “more
staff” are not especially actionable under current constraints.
Technical Review Capacity
Pete stated that although FedRAMP has fewer total staff than in prior years, it now has
more staff focused directly on technical reviews than before.
Review Backlog
A major accomplishment was the elimination of the prior review backlog. Pete stated that
when he became FedRAMP Director in 2024, there were more than 100 systems in the
review backlog, with projected review timelines of 12 to 16 months.
FedRAMP now averages approximately 22 to 25 days for reviews and has maintained an
average of under 30 days.
Certified Services
FedRAMP has surpassed 500 certified services. Pete noted that FY 2025 saw a large
number of certifications due to clearing the backlog, while FY 2026 submissions have
slowed, partly because vendors are waiting for FedRAMP 20X.
FedRAMP 20X and Rev. 5 Transition
Pete discussed FedRAMP 20X as the umbrella modernization initiative for FedRAMP.
FedRAMP 20X Goals
FedRAMP 20X is intended to:
- Replace legacy FedRAMP Rev. 5 processes over time
- Support more automation-driven assessment and monitoring
- Better support commercial cloud services
- Provide agencies with timely, usable security signals
- Reduce reliance on static documents and duplicative agency reviews
Agency Sponsor Model
Pete said FedRAMP intends to eliminate the concept of an agency sponsor for new certifications under FedRAMP 20X. Cloud service providers will be able to come directly to FedRAMP with an independent assessment package.
Rev. 5 Transition
Pete stated that FedRAMP expects to stop doing new FedRAMP Rev. 5 certifications around June 11, 2027, though the transition timeline for existing Rev. 5 certifications remains subject to further direction.
FedRAMP 20X Classes
Pete described the emerging FedRAMP 20X certification structure:
- Class A: Pilots, testing, negligible-risk use cases
- Class B: Roughly analogous to lower-impact requirements
- Class C: Roughly analogous to moderate-impact requirements
- Class D: Expected future high-impact equivalent
FedRAMP plans to pilot a high-impact 20X path after finalizing the 2026 consolidated rules.
Significant Change Notifications
Pete highlighted the shift from Significant Change Requests to Significant Change Notifications.
Historically, cloud service providers often had to ask agencies for permission before making significant changes. FedRAMP has moved toward a model where CSPs notify agencies of significant security-impacting changes rather than seeking advance approval.
Pete noted that although industry had long requested this change, adoption has been slow. Fewer than a quarter of current FedRAMP-authorized CSPs had adopted the new process at the time of the meeting.
He suggested that reasons may include:
- CSPs having invested in older processes
- Limited resources to change internal compliance operations
- Agencies continuing to request older processes
- Misunderstandings about FISMA and FedRAMP requirements
Pete emphasized that CSPs should look closely at their contracts and legal obligations. If contracts require compliance with current FedRAMP rules, CSPs may need to follow updated FedRAMP processes even if an agency requests legacy practices.
Committee Discussion: Agency Adoption and Reuse
After Pete’s briefing, the committee discussed why agencies may still struggle to adopt and reuse FedRAMP certifications effectively.
Key Barriers Identified
Agency Understanding and Education
Several members said there is still confusion among agencies, CSPs, and assessors about what FedRAMP certification means and what agencies are still responsible for.
Members discussed the need for clearer education around:
- Presumption of adequacy
- Reuse of assessment materials
- Agency authorization responsibilities
- How FedRAMP certification supports, but does not replace, agency risk decisions
- How agencies should evaluate FedRAMP packages
Risk Acceptance and Agency Responsibility
Members emphasized that FedRAMP does not accept risk on behalf of agencies. Agencies must still understand their own use cases and risk environment.
The committee discussed the tension between:
- Encouraging agencies to rely on FedRAMP certifications
- Preserving agency-specific risk management responsibilities
Some members noted that agencies may hesitate to rely on FedRAMP packages if they do not understand the underlying risk, the security package, or how to interpret the materials.
Inspector General and Audit Community
Branko Bokan identified the Inspector General community as a major barrier. He suggested that agency behavior is often shaped by IG expectations and audit interpretations.
Members discussed the possibility of engaging with the Council of the Inspectors General on Integrity and Efficiency, or CIGIE, to help align understanding of FedRAMP modernization and reuse.
Tooling and GRC Systems
Bill Hunt and others discussed limitations in agency governance, risk, and compliance tools.
Key points included:
- Many agencies still rely on legacy GRC tools or manual processes
- Agencies often copy and paste data from FedRAMP documents into internal systems
- Contractors may have incentives to preserve manual “make-work” processes
- Better automation could reduce duplicative reviews and speed adoption
- OSCAL and structured data could help, but agency tooling is not yet mature enough for broad adoption
Acquisition and Contract Language
The committee discussed the need for better acquisition language and clearer contractual expectations.
Pete noted that CSPs should review what their contracts actually require. If contracts require compliance with FedRAMP rules, then CSPs should be able to point to those requirements when agencies request outdated practices.
CSP Ability to Push Back
Rex Booth noted that many CSPs, especially smaller providers, may be reluctant to push back on agencies even when agencies are not following FedRAMP guidance. Vendors may fear damaging customer relationships or risking contracts.
This led to discussion about whether FSCAC could produce materials that CSPs and 3PAOs could use to educate agencies without placing the entire burden on individual vendors.
Potential FSCAC Work Products Discussed
Larry Hale asked the committee to focus on practical outputs FSCAC could produce in 2026.
Potential work products discussed included:
Agency Reuse Best Practices Document
A short guide explaining what good FedRAMP reuse looks like from an agency perspective.
Possible topics:
- How to use FedRAMP certification packages
- What agencies should and should not duplicate
- How to evaluate inherited controls
- How to document agency-specific risk decisions
Audience-Specific FAQs
Members suggested creating targeted FAQs for different stakeholder groups, such as:
- Agencies
- Authorizing officials
- Acquisition officials
- Cloud service providers
- 3PAOs
- IG/audit community
Topics could include:
- Presumption of adequacy
- Reuse of FedRAMP assessment materials
- Significant Change Notifications
- Agency risk ownership
- What FedRAMP certification does and does not mean
IG/CIGIE Engagement
The committee discussed recommending engagement with the IG community to improve understanding of FedRAMP modernization and reduce audit-driven friction.
Acquisition Guidance
FSCAC could recommend practical acquisition language or principles to help agencies incorporate FedRAMP requirements more consistently in procurements.
Risk Evaluation Principles
The committee discussed whether FSCAC could help define common principles for how agencies evaluate risk in FedRAMP-certified offerings.
This would not eliminate agency discretion but could help reduce inconsistency and duplicative reviews.
Tooling and Automation Recommendations
Members discussed recommendations related to modern GRC tooling, structured data, OSCAL, JSON schemas, and automated ingestion of FedRAMP materials.
Major Themes from the Discussion
By the end of the meeting, several themes had emerged:
- Education is a central need. Agencies, CSPs, 3PAOs, acquisition officials, and auditors need clearer shared understanding of FedRAMP reuse and modernization.
- FedRAMP certification supports agency authorization but does not replace it. Agencies still own risk decisions and must evaluate cloud services in the context of their own systems and missions.
- Reuse breaks down when agencies treat FedRAMP as only a starting point for another full review. The committee discussed the need to reduce duplicative reviews while preserving legitimate agency-specific risk analysis.
- The IG and audit community can strongly influence agency behavior. Engaging auditors may be necessary to make reuse more routine.
- Legacy tools and manual processes slow adoption. Better automation and structured data could significantly reduce friction.
- CSPs need practical support when agencies request outdated or duplicative processes. Smaller CSPs may be especially hesitant to challenge agency requests.
- FSCAC should focus on concrete outputs, not just additional briefings. The committee’s value lies in producing recommendations, guidance, and stakeholder-facing materials.
Closing and Next Steps
Larry Hale closed the discussion by noting several strong themes:
- Education of stakeholders
- Engagement with the IG community
- Better alignment between agency risk management and FedRAMP certification
- Development of practical outputs for the remaining 2026 meetings
He stated that FSCAC leadership would review the meeting notes and identify focus areas for upcoming meetings.
Ryan Hoesing reminded participants that FSCAC has open seats, especially two agency CISO seats, and encouraged qualified individuals to apply.
The meeting was adjourned at approximately 3:01 p.m. ET.
Concise Takeaway
The June 8, 2026 FSCAC meeting focused on resetting the committee’s work for 2026 and aligning around FedRAMP modernization, especially FedRAMP 20X and agency reuse of FedRAMP certifications. FedRAMP reported major progress in reducing review backlogs, increasing transparency, and moving toward modernized certification processes. The committee’s discussion centered on why reuse still breaks down, with major barriers including agency risk concerns, lack of shared understanding, audit/IG pressures, outdated tooling, inconsistent acquisition language, and reluctance by CSPs to push back on agency-specific demands. FSCAC is likely to focus future work on practical education materials, reuse best practices, IG engagement, acquisition guidance, and recommendations to improve automation and agency adoption.
Certification of Chair
I hereby certify that, to the best of my knowledge, the foregoing minutes of the proceedings are accurate
and complete.
Digitally signed by: Lawrence Hale 6/11/2026 | 13:13:03 BST
Appendix A - Attendance Roster
Committee Members in Attendance
Larry Hale (Chair)
Branko Bokan
Victoria Yan Pillitteri
Bill Hunt
Patrick Breen
Lawrence Marnelli
Carlton Harris
Josh Krueger
Daniel Pane
Rex Booth
Adam Schneider
Committee Members Absent
None
Guest Speakers and Presenters
Pete Waterman - FedRAMP Director
GSA Staff Present
Ryan Hoesing
Marcia Simms
Nicole Thompson
Dan Chandler
Paul Agosta
William Hamilton
Thomas Phung
Members of the Public Present
Jason Barnard
Matthew Smagin
Kara Kirby
Rob Terrell
Kade Hennings
Corey Clements
Richard Johnson
Josh Krueger
Fred Brittain
Lee Neeper
Matt Hahn
John Smail
Morgan Kaplan
Justin Doubleday
Katie Digon
Hema Vyas
Meghan Guiney
Rex Booth
Kristine Lam
Michelle Coon
Samuel Fisher
Don LeBert
Leopold Wildenauer
Vanshil Thakkar
Saif Rahman
Kofi Adomako
Saumil Shah
Bhanu Jagasia
Irina Denisenko
Keaton Gallaher
Cara Hagan
Adrienne Barker
Christian Baer
Jason Nguyen
Frank Csech
Nate Waddell
Jeff Growe
Tara Dunlop