Most agencies don’t use the Federal Risk and Authorization Management Program to authorize all of their cloud services despite being required to do so statutorily, according to the Government Accountability Office.
The Office of Management and Budget established FedRAMP in 2011 as a required program to authorize and continuously monitor cloud service offerings across agencies. But 15 of 24 Chief Financial Officers Act agencies don’t always use FedRAMP and OMB doesn’t “effectively monitor” their compliance, GAO found in a report.
The General Services Administration, the agency that manages FedRAMP, also falls short in its guidance, the report found.
“GSA took steps to improve the program, but its FedRAMP guidance on requirements and responsibilities was not always clear and the program’s process for monitoring the status of security controls over cloud services was limited,” reads the report. “Until GSA addresses these challenges, agency implementation of the program’s requirements will likely remain inconsistent.”
Between June 2017 and July 2019, FedRAMP authorizations of cloud services increased from 390 to 926 — 137%.
But GAO closely examined efforts at the Department of Health and Human Services, GSA, Environmental Protection Agency, and U.S. Agency for International Development and found them missing “key elements” of the FedRAMP process.
Only USAID’s security plans addressed required information on control implementation and security assessment reports summarized results of control tests. None of the four agencies’ remedial action plans addressed required information. And only GSA prepared and provided cloud service authorizations to the FedRAMP Program Office.
Among the 15 CFO Act agencies not always using FedRAMP, one reported 90 unauthorized cloud services and the other 14 reported 157 unauthorized cloud services. GAO surveyed 47 cloud service providers and found 31 encountered agencies not using FedRAMP in fiscal 2017.
GAO recommended OMB enhance oversight, to which the agency has yet to respond. GSA agreed with GAO’s recommendations that it needs to improve guidance and monitoring.
HHS agreed with GAO’s findings and USAID generally agreed, but EPA generally disagreed, arguing that one system selected for review was not used in agency operations.