FedRAMP office lacks mission clarity, watchdog says

The General Services Administration office in charge of governmentwide cloud security compliance doesn’t have a clear and concise enough mission and goals — and therefore it can’t adequately measure its effectiveness, according to an audit.

GSA’s inspector general found the Federal Risk Authorization and Management Program’s program management office “has not established an adequate structure comprising its mission, goals, and objectives for assisting the federal government with the adoption of secure cloud services.”

The IG, in a report, has recommended that the PMO revise its mission as “a concise, singular statement.”

As it stands, FedRAMP’s mission is expressed as a series of directives that far exceeds the brief, single sentence model suggested in the Office of Management and Budget’s Circular A-11.

“[T]he FedRAMP PMO’s mission statement is not presented in a way that is focused or easily communicated, creating confusion as to its central purpose and vision of what needs to be accomplished,” the inspector general’s audit says.

It may seem trivial to audit an organization’s mission statement, but the GSA IG believes that “without the proper alignment of the mission, goals, and objectives, the FedRAMP PMO’s ability to assess its effectiveness is inhibited.”

GSA Federal Acquisition Service Commissioner Alan Thomas agreed: “While we believe FedRAMP does have a strong mission, goals, and objectives, we appreciate the OIG’s recommendations for further clarity. We understand the importance of making these mission statements, goals, and objectives clearer for our stakeholders and the importance of strong accountability in measuring program effectiveness.”

The audit also found the office’s objectives aren’t specific or measurable, “hindering the understanding of what is to be accomplished and the effective communication of program results. Objective statements should be specific and measurable to assist in assessing performance.”

Finally, the IG also found the alignment of the mission, goals and objectives is not strong enough.

In addition to revising its mission, the IG recommends FedRAMP should create more specific and measurable goals and better align them with that new mission.