The General Services Administration has denied a senator’s request to review documents Zoom submitted to have its software approved for use in the federal government.
The denial was in response to a letter sent by Democratic senator Ron Wyden to the GSA in May, expressing concern that the agency cleared Zoom for use by federal agencies just weeks before a major security vulnerability was discovered in the app.
Wyden said the discovery of the bug raises “serious questions about the quality of FedRAMP’s audits.”
Zoom was approved to operate in government in April 2019 after receiving its FedRAMP authorization, a program operated by the GSA that ensures cloud services comply with a standardized set of security requirements designed to toughen the service from some of the most common threats. Without this authorization, federal agencies cannot use cloud products or technologies that are not cleared.
Months later, Zoom was forced to patch its Mac app after a security researcher found a flaw that could be abused to remotely switch on a user’s webcam without their permission. Apple was forced to intervene since users were still affected by the vulnerabilities even after uninstalling Zoom. As the pandemic spread and lockdowns were enforced, Zoom’s popularity skyrocketed — as did the scrutiny — including a technical analysis by reporters that found Zoom was not truly end-to-end encrypted as the company long claimed.
Wyden wrote to the GSA to say he found it “extremely concerning” that the security bugs were discovered after Zoom’s clearance. In the letter, the senator requested the documents known as the “security package,” which Zoom submitted as part of the FedRAMP authorization process, to understand how and why the app was cleared by GSA.
The GSA declined Wyden’s first request in July 2020 on the grounds that he was not a committee chair. In the new Biden administration, Wyden was named chair of the Senate Finance Committee and requested Zoom’s security package again.
But in a new letter sent to Wyden’s office late last month, GSA declined the request for the second time, citing security concerns.
“GSA’s refusal to share the Zoom audit with Congress calls into question the security of the other software products that GSA has approved for federal use.” Sen. Ron Wyden (D-OR)
“The security package you have requested contains highly sensitive proprietary and other confidential information relating to the security associated with the Zoom for Government product. Safeguarding this information is critical to maintaining the integrity of the offering and any government data it hosts,” said the GSA letter. “Based on our review, GSA believes that disclosure of the Zoom security package would create significant security risks.”
In response to the GSA’s letter, Wyden told TechCrunch that he was concerned that other flawed software may have been approved for use across the government.
“The intent of GSA’s FedRAMP program is good — to eliminate red tape so that multiple federal agencies don’t have to review the security of the same software. But it’s vitally important that whichever agency conducts the review do so thoroughly,” said Wyden. “I’m concerned that the government’s audit of Zoom missed serious cybersecurity flaws that were subsequently uncovered and exposed by security researchers. GSA’s refusal to share the Zoom audit with Congress calls into question the security of the other software products that GSA has approved for federal use.”
Of the people we spoke with who have firsthand knowledge of the FedRAMP process, either as a government employee or as a company going through the certification, FedRAMP was described as a comprehensive but by no means an exhaustive list of checks that companies have to meet in order to meet the security requirements of the federal government.
Others said that the process had its limits and would benefit from reform. One person with knowledge of how FedRAMP works said the process was not a complete audit of a product’s source code but akin to a checklist of best practices and meeting compliance requirements. Much of it relies on trusting the vendor, said the person, describing it like “an honor system.” Another person said the FedRAMP process cannot catch every bug, as evidenced by executive action taken by President Biden this week aimed at modernizing and improving the FedRAMP process.
Most of the people we spoke to weren’t surprised that Wyden’s office was denied the request, citing the sensitivity of a company’s FedRAMP security package.
The people said that companies going through the certification process have to provide highly technical details about the security of their product, which if exposed would almost certainly be damaging to the company. Knowing where security weaknesses might be could tip off cybercriminals, one of the people said. Companies often spend millions on improving their security ahead of a FedRAMP audit but companies wouldn’t risk going through the certification if they thought their trade secrets would get leaked, they added.
When asked by GSA why it objected to Wyden’s request, Zoom’s head of U.S. government relations Lauren Belive argued that handing over the security package “would set a dangerous precedent that would undermine the special trust and confidence” that companies place in the FedRAMP process.
GSA puts strict controls on who can access a FedRAMP security package. You need a federal government or military email address, which the senator’s office has. But the reason for GSA denying Wyden’s request still isn’t clear, and when reached a GSA spokesperson would not explain how a member of Congress would obtain a company’s FedRAMP security package
“GSA values its relationship with Congress and will continue to work with Senator Wyden and our committees of jurisdiction to provide appropriate information regarding our programs and operations,” said GSA spokesperson Christina Wilkes, adding:
GSA works closely with private sector partners to provide a standardized approach to security authorizations for cloud services through the [FedRAMP]. Zoom’s FedRAMP security package and related documents provide detailed information regarding the security measures associated with the Zoom for Government product. GSA’s consistent practice with regard to sensitive security and trade secret information is to withhold the material absent an official written request of a congressional committee with jurisdiction, and pursuant to controls on further dissemination or publication of the information.
GSA wouldn’t say which congressional committee had jurisdiction or whether Wyden’s role as chair of the Senate Finance Committee suffices, nor would the agency answer questions about the efficacy of the FedRAMP process raised by Wyden.
Zoom spokesperson Kelsey Knight said that cloud companies like Zoom “provide proprietary and confidential information to GSA as part of the FedRAMP authorization process with the understanding that it will be used only for their use in making authorization decisions. While we do not believe Zoom’s FedRAMP security package should be disclosed outside of this narrow purpose, we welcome conversations with lawmakers and other stakeholders about the security of Zoom for Government.”
Zoom said it has “engaged in security enhancements to continually improve its products,” and received FedRAMP reauthorization in 2020 and 2021 as part of its annual renewal. The company declined to say to what extent the Zoom app was audited as part of the FedRAMP process.
Over two dozen federal agencies use Zoom, including the Defense Department, Homeland Security, U.S. Customs and Border Protection and the Executive Office of the President.