The General Services Administration (GSA) and Office of Management and Budget (OMB) need to collect consistent cost data so they can provide a cost estimate to Federal agencies and cloud service providers (CSPs) pursuing Federal Risk and Authorization Management Program (FedRAMP) authorizations, according to the Government Accountability Office (GAO).

The FedRAMP program is administered by GSA and provides a standardized, government-wide approach to security assessment, authorization, and continuous monitoring for cloud products and services used by Federal government agencies.

David Hinchman, a director of IT and cybersecurity at GAO, said today that a January GAO report addressed the issue of cost uncertainty within FedRAMP.

“Up to this point, OMB and GSA have not really captured a lot of effective data on the cost of obtaining the FedRAMP authorization, which I think is super important to note,” Hinchman said during the Sept. 25 Data Security Workshop hosted by Nextgov/FCW and Route Fifty.

“If you’re going to tell agencies, this is a really important program, we need you to get on board, we want you to use this program, a big part of that is being able to manage the expectation [by saying,] ‘Hey, this is what it’s going to cost,’” Hinchman added.

The Federal government’s budget process is a complex one. Hinchman explained that not being able to provide a FedRAMP cost estimate to a chief financial officer can be a “huge” roadblock to securing funding for a cloud product or service.

“I think that obtaining that cost data and recording it so that agencies have a sense of what it’s going to cost is going to be hugely important,” he said. “The lack of this consistent cost aid is really going to inhibit FedRAMP adoption moving forward.”

“We have a recommendation to OMB to tackle this, and we’ll see what happens with the changes in their program that just got rolled out, and if that changes over the next couple of years,” Hinchman concluded.

GAO’s recommendation calls on the director of OMB to issue guidance to agencies to ensure that they consistently track and report the costs of sponsoring a FedRAMP authorization of cloud services.

Nevertheless, as Hinchman pointed out, FedRAMP has undergone big changes this year, publishing a new roadmap in March detailing how the program will evolve in 2024 and 2025.

Last month, the White House’s Office of Management and Budget (OMB) released long-awaited guidance to overhaul FedRAMP, replacing the policy created for the program when it began in 2011. The guidance aims to reduce pain points and bolster FedRAMP’s role as a cornerstone of Federal cloud security.

Grace Dille is MeriTalk's Assistant Managing Editor covering the intersection of government and technology.