The use of cloud computing is up among federal agencies, but agencies frequently skirt Office of Management and Budget requirements to ensure those cloud solutions are authorized by the Federal Risk and Authorization Management program, according to the Government Accountability Office.
In an audit released Dec. 12, GAO said the General Services Administration’s FedRAMP office, which checks that cloud solutions meet government security requirements, increased the number of issued authorizations 137% from 2017 to 2019.
However, 15 of 24 CFO Act agencies GAO surveyed reported that they did not always use FedRAMP in selecting cloud services. One agency—which GAO did not name—reported that it used “90 cloud services that were not authorized through FedRAMP,” while the remaining 14 agencies reported using a total of 157 unauthorized cloud services.
The audit lists several explanations provided by agency officials regarding their decision not to use FedRAMP-authorized cloud offerings despite violating OMB policy.
“Officials from two of the agencies stated that they were unable to identify providers authorized through the program that could meet their unique needs,” the audit states. “An official from a third agency noted that the efforts to meet the program’s requirements were labor-intensive and that it was too expensive for the providers to become compliant with FedRAMP. In addition, that official stated that providers did not want to pursue FedRAMP compliance unless they had enough demand from federal customers.”
In its audit, GAO includes explanations provided by the FedRAMP program management office. The FedRAMP official indicated “agencies had misperceptions of the program, its process and resources required” for authorizations. The official added that some agencies may not use FedRAMP “because of internal resource constraints based on other competing agency priorities.”
GAO added another reason: OMB’s lack of oversight. Though OMB has issued a number of policies encouraging agencies to use both FedRAMP and cloud computing services, “OMB has not monitored agencies’ compliance or held agencies accountable for the requirement,” auditors wrote. While OMB collects data about the use of FedRAMP, it does not collect data “on the extent to which federal agencies are using cloud services authorized outside of the program or oversee agencies’ compliance.”
“Consequently, OMB may have less assurance that cloud services used by agencies meet federal security requirements,” the audit states.
To reverse the trend, GAO issued a recommendation to the OMB director to establish processes for monitoring and holding agencies accountable for using FedRAMP-authorized cloud services. GAO also made specific recommendations to four agencies—GSA, the Environmental Protection Agency, the United States Agency for International Development and Health and Human Services Department—which collectively did not consistently address key elements of the FedRAMP authorization process.
OMB did not agree or disagree with the recommendations, while GSA and HHS agreed, USAID generally agreed and EPA generally disagreed.