The Federal Risk and Authorization Management Program (FedRAMP) saw a spike in authorizations from 2017 to 2019, but the program is still not used in all cloud acquisitions and agencies have gaps in implementing controls, according to a report from the Government Accountability Office (GAO) released December 12.
The report, which covered the period from June 2017 to July 2019, found that the number of FedRAMP authorizations increased from 390 to 926 and that all 24 CFO Act agencies participated in the program. Authorizations more than doubled for both agency-sponsored solutions and cloud offerings that went through the Joint Authorization Board approval process. A majority of these authorizations (56 percent) were granted for software-as-a-service offerings, with infrastructure-as-a-service (26 percent) and platform-as-a-service (18 percent) less widely used at agencies.
However, GAO found that 15 agencies were still using cloud offerings not authorized through FedRAMP, and in surveys conducted in 2018, 31 of the 47 cloud service providers surveyed reported that agencies had used offerings of theirs that were not FedRAMP-authorized.
Agencies offered multiple reasons, including that the FedRAMP process is too expensive and laborious. Agencies also reported difficulty finding cloud solutions that comply with the Trusted Internet Connections (TIC) policy and finding contractors that meet the FIPS 140-2 cryptographic module standard. The FedRAMP program management office (PMO) pointed to misperceptions about the program, as well as agencies' internal resource constraints. Cloud service providers pointed to the authorization process itself and the time required to obtain an authorization.
GAO noted that the FedRAMP PMO has improved in recent years, but highlighted agencies' desire for more guidance and their limited ability to implement continuous monitoring controls.
GAO also put the spotlight on the Office of Management and Budget’s (OMB’s) oversight of agencies and their usage of the program.
“OMB has issued a number of policies encouraging agencies to adopt cloud computing solutions and requiring agencies to use FedRAMP for authorizing cloud services. Nevertheless, OMB has not monitored agencies’ compliance or held agencies accountable for complying with the requirement to ensure that agencies are using the program to authorize their cloud services,” the report states.
GAO also took an in-depth look at how four agencies carried out the authorization process, finding gaps across 24 selected security controls.
“Although the four selected agencies included key documents supporting FedRAMP’s authorization process, they did not consistently include key information in those documents,” the report found.
GAO recommended that OMB establish a process to monitor agencies' use of FedRAMP, that the FedRAMP PMO clarify its guidance and improve continuous monitoring capabilities, and that the four agencies address their implementation gaps. OMB neither agreed nor disagreed, the FedRAMP PMO concurred with the recommendations, and three of the four agencies largely agreed with GAO's recommendations.