Federal agencies have increased their use of FedRAMP, a federal program for authorizing cloud services, but more work needs to be done to fully address issues, a government watchdog found.
In a new report, the Government Accountability Office said that while agency use of FedRAMP — the Federal Risk and Authorization Management Program — increased by about 60% between July 2019 and April 2023, the Office of Management and Budget and the General Services Administration, which the program operates under, still have work to do to alleviate challenges.
Several agencies, for example, disclosed that they used services that were not FedRAMP-authorized, despite an OMB requirement that all executive branch agencies use providers authorized by the program, the report said. That’s due in part to the absence of program oversight, GAO said.
“One reason that agencies have continued to use cloud services that are not FedRAMP authorized is that OMB has not adequately monitored agencies’ compliance with the program, as we recommended in our December 2019 report,” the report said. GAO has labeled that recommendation a priority.
FedRAMP was created in 2011 to give federal agencies a standard process to authorize secure cloud services across the federal government. However, many in the federal IT space — particularly those firms that wish to provide cloud services to agencies — have criticized the program for being too slow-moving, costly and inconsistently implemented, creating a barrier to entry for some commercial cloud companies. In the decade-plus since FedRAMP was created, there have been numerous attempts via operations, policy and law to reform and tweak the program.
The GAO report ultimately made three new recommendations. It said OMB should issue guidance on tracking the cost of sponsoring a FedRAMP authorization and finalize its proposed guidance. It also said that GSA should develop a plan for guidance on how cloud service providers can navigate a specific Federal Information Processing Standard (FIPS 140-3) requirement, which is needed for authorization.
According to the report, GSA agreed with the recommendation directed to it, while OMB did not comment on the recommendations directed to it.
The watchdog acknowledged that OMB and the FedRAMP program management office within GSA have efforts underway to address some of the issues, including proposed guidance from OMB aimed at modernizing the program and FIPS guidance. But until each of those pieces of guidance is finalized, “the challenges may continue to increase the time spent and costs incurred when pursuing FedRAMP authorizations,” GAO said.
In a Thursday statement, Rep. Gerry Connolly, D-Va., who wrote the bipartisan FedRAMP Authorization Act, said he “welcomed” the report and is “encouraged by GAO’s finding that the guidance the Administration is developing pursuant to the FedRAMP Authorization Act will address the deficiencies in the program that GAO has identified.”
“I urge OMB and GSA to finalize relevant FedRAMP guidance and agency implementation plans as required by the legislation, which we fought hard to enact,” said Connolly, who serves as ranking member of the House Subcommittee on Cybersecurity, Information Technology, and Government Innovation.
Among the issues GAO highlighted in the report were differences in how costs for FedRAMP authorizations are appraised. Its review of cost estimates from cloud service providers and agencies found variation “anywhere from tens of thousands to millions of dollars.” That’s partially the result of agencies and providers using different methods to decide which costs they included, the report said. It pointed to a lack of guidance.
“The varying methods were allowed as OMB had not provided agencies with guidance on what costs should be tracked and reported for pursuing authorizations,” the report said. “Accordingly, the lack of consistent data will prevent OMB from determining whether its goal of reducing FedRAMP costs will be achieved.”
The report also found that cloud services providers going through the FedRAMP authorization process had to change their encryption methods to adhere to a security requirement for those systems under the Federal Information Processing Standards, a set of IT requirements published by the National Institute of Standards and Technology. Cloud service providers need to comply with FIPS to achieve FedRAMP authorization, the report said.
According to the report, the acting director of FedRAMP said the program management office has draft guidance being reviewed by OMB that will address issues with the FIPS requirements but didn’t provide a timeline for issuing that guidance.