The General Services Administration has denied a senator's request to review the documents Zoom submitted to get its software approved for use by the federal government. The denial came in response to a letter that Democratic Senator Ron Wyden sent to the GSA in May, expressing concern that Zoom had been cleared for use by federal agencies just weeks before a major security vulnerability was discovered in the app.
Wyden said the discovery of the bug raises serious questions about the quality of FedRAMP's monitoring. Zoom was approved for government use in April 2019 after receiving its authorization from FedRAMP, a program run by GSA that ensures that cloud services comply with a standard set of security requirements designed to harden the service against some common threats. Without this approval, federal agencies may not use cloud products or technologies.
A few months later, Zoom was forced to patch its Mac application after security researchers identified a bug that could be abused to access a user's webcam without permission. Even after uninstalling Zoom, users were still vulnerable, and Apple was forced to intervene.
As the epidemic spread and lockdowns took effect, the popularity of Zoom skyrocketed, and a technical analysis by reporters found that Zoom was not really end-to-end encrypted, as the company had long claimed. Wyden wrote to GSA that security bugs were discovered after Zoom's clearance. In the letter, the senator asked GSA for the documents known as the "security package" to understand how and why the application was cleared as part of the Zoom FedRAMP approval process.
The GSA rejected Wyden's first request in July 2020 on the grounds that he was not the chairman of a committee. Under the new Biden administration, Wyden was nominated chairman of the Senate Finance Committee and again requested the Zoom security package. But in a new letter sent to Wyden's office late last month, the GSA rejected the request for a second time, citing security concerns.
“The security package you requested contains highly sensitive proprietary and other confidential information regarding security related to Zoom for Government products. It is important to maintain the integrity of this information protection proposal and any official data that can be hosted on it.”