Jennifer Franks, director of information technology and cybersecurity at the Government Accountability Office (GAO), is calling on the Office of Management and Budget (OMB) to develop a standardized definition of what the Federal Risk and Authorization Management Program (FedRAMP) costs and how government agencies should evaluate costs when moving their services into the cloud.
During an FCW Workshop centered around cloud security on Jan. 26, Franks pointed out that it’s “really challenging” for GAO to compare what these costs should look like at different agencies, especially when some agencies don’t even track their FedRAMP costs.
“We noticed that there was no consistent definition or application … of what FedRAMP costs and how those costs look from each agency’s perspective,” Franks said. “Several agencies manage it differently. Some track the cost and imply their IT staff and support. Some do not. Some just don’t track costs at all.”
In order to fix this issue, Franks said agencies should be given “a standardized definition of how to calculate the cost of FedRAMP,” along with a possible savings component for it.
Franks said a standardized definition would create “a foundational baseline across the agencies, which would allow us to track the program performance, whether it’s delivering the expected value, or if not.”
Franks also noted that GAO previously recommended this to OMB in a 2019 report, asking OMB to consider “explicitly making some refinements on how government agencies should apply costs, evaluate costs, for moving their services into the cloud and using the FedRAMP services – at least on a quarterly basis.”
However, this recommendation to OMB remains open two years later, according to Franks. As of February 2021, GAO found that OMB had not yet taken any actions to implement the recommendation.