FedRAMP use grows, but not enough, GAO says
- By Derek B. Johnson
- Dec 17, 2019
Agency use of the Federal Risk and Authorization Management Program to secure cloud-based services has shot up over the past three years -- from 390 authorizations in June 2017 to 926 in June 2019, according to a survey of 24 federal agencies conducted as part of an audit by the Government Accountability Office. However, 15 of the 24 agencies surveyed reported that they used cloud services not authorized through FedRAMP.
Collectively, GAO identified 247 cloud services among the group that had not been certified, with a single agency accounting for at least 90. One cloud service provider reported at least 30 of its services being used across federal agencies that had yet to receive authorization.
That leaves parts of the government’s cloud infrastructure exposed as "risks arise when agencies and cloud service providers do not effectively implement security controls over cloud services."
"Weaknesses in these controls could lead to vulnerabilities affecting the confidentiality, integrity, and availability of agency information," GAO wrote.
Agencies and FedRAMP program staff offered a variety of explanations for the gap.
Some said they were unable to find providers that both met their unique needs and had their products certified. Others complained about the excessive time, labor and costs associated with compliance, charges that have plagued the FedRAMP program since its inception and ultimately prompted GSA to create FedRAMP Accelerated, a streamlined version of the program. That has helped cut the time to achieve an authorization to operate from an average of 24 months to 12, according to the program.
Another problem: there appears to be lax oversight from the agency in charge of monitoring compliance across the executive branch. While OMB has issued mandates and guidance around using FedRAMP, auditors found it was not collecting data from agencies to measure how extensively they were routing cloud services through the program, nor was it imposing accountability or consequences on agencies that fell short.
GAO made 25 separate recommendations. Chief among them was for the director of OMB to establish a process for monitoring agencies' use of cloud services and to establish accountability measures in instances where FedRAMP wasn't used. The other two dozen recommendations were directed at four agencies (GSA, the Department of Health and Human Services, the Environmental Protection Agency and USAID) and centered on strengthening internal protocols to ensure cloud projects get certified before they become a vulnerability.
In attached letters, GSA Administrator Emily Murphy, HHS Assistant Secretary for Legislation Sarah Arbes and USAID Assistant Administrator Frederick Nutt all expressed agreement with auditors' recommendations and outlined plans to make necessary changes.
EPA CIO Vaughn Noga, however, said his agency disagreed with four out of the five recommendations, and only partially agreed with one other, claiming the system GAO selected for review "was not in production and was not used for EPA operations."
OMB lawyers also provided comments that were not included in the report but paraphrased by auditors. The agency "neither agreed nor disagreed" with the recommendation, saying the mechanisms needed to enforce compliance do not exist. The OMB attorneys also apparently took issue with the way the audit was conducted, saying the use of surveys and interviews with various stakeholders represented more of a "perception" of the issue rather than an objective measurement of FedRAMP’s effectiveness.
This article was first posted on FCW, a sibling site to GCN.
Derek B. Johnson is a former senior staff writer at FCW.