
Cloud Security: Federal Authorization Program Usage Increasing, but Challenges Need to Be Fully Addressed

GAO-24-106591 Published: Jan 18, 2024. Publicly Released: Jan 18, 2024.

Fast Facts

The Office of Management and Budget established the FedRAMP program to authorize secure cloud services for federal use.

From 2019 to 2023, agencies increased their use of FedRAMP: authorizations were up about 60%. But some agencies reported using cloud services that weren't FedRAMP-authorized, and OMB still hasn't fully implemented our previous recommendation to monitor program use.

OMB is proposing new guidance that aims to help reduce the cost of pursuing FedRAMP authorizations. Some cost estimates are available and widely varied, but actual costs are unclear—so OMB may not have the information it needs for this effort. Our 3 recommendations address this and other issues.

[Illustration: a laptop on a table with an internet cloud over the screen.]


Highlights

What GAO Found

The Office of Management and Budget (OMB) established the Federal Risk and Authorization Management Program (FedRAMP) to provide a standardized approach for authorizing the use of cloud services. From July 2019 to April 2023, the 24 Chief Financial Officers (CFO) Act agencies increased the number of authorizations by about 60 percent. These authorizations covered services ranging from a basic computer infrastructure to a more full-service model that included software applications. OMB requires agencies to use FedRAMP. However, nine agencies reported they were using cloud services that were not FedRAMP authorized. OMB has not yet implemented GAO's recommendation to adequately monitor agencies' compliance with the program.

Selected agencies and cloud service providers (CSP) provided estimated costs when pursuing FedRAMP authorizations; data on actual costs were limited. The estimated costs varied widely and ranged anywhere from tens of thousands to millions of dollars. This was due, in part, to the agencies and CSPs using varying methods to determine costs. A contributing factor to the varying methods was that OMB did not provide guidance on authorization costs to be tracked and reported. The lack of consistent cost data will also hamper OMB in determining whether its goal of reducing FedRAMP costs will be achieved.

The selected agencies and CSPs identified six key challenges that they faced in pursuing FedRAMP authorizations (see table).

Key Challenges Faced by Agencies and Cloud Service Providers (CSP) When Pursuing Federal Risk and Authorization Management Program (FedRAMP) Authorizations

Challenge: Receiving timely responses from stakeholders
Description: Agencies and CSPs reported that they had issues with receiving timely responses from stakeholders throughout the authorization process.

Challenge: Sponsoring CSPs that were not fully prepared
Description: Agencies reported that CSPs did not fully understand the FedRAMP process and lacked complete documentation.

Challenge: Lacking sufficient resources
Description: Agencies reported that they lacked the resources (e.g., funding and staffing) needed to sponsor an authorization.

Challenge: Meeting FedRAMP technical and process requirements
Description: CSPs reported that they had to update their infrastructure to meet federal security requirements.

Challenge: Finding an agency sponsor
Description: CSPs reported that finding an agency sponsor was difficult.

Challenge: Engaging with third-party assessment organizations (3PAO)
Description: CSPs reported that they faced issues (e.g., lack of consistency) when engaging with the organizations responsible for performing independent assessments of their cloud services, the 3PAOs.

Source: GAO analysis. | GAO-24-106591

In acknowledging these challenges, OMB and the FedRAMP program management office in the General Services Administration (GSA) already have efforts underway to address them. For example, OMB released proposed new FedRAMP guidance for public comment in October 2023. GSA also intends to, among other things, issue guidance on meeting certain technical requirements. However, OMB and GSA have not finalized these guidance documents or announced a schedule for doing so. As a result, agencies and CSPs may continue facing challenges, leading to additional costs to pursue authorizations.

Why GAO Did This Study

OMB established the FedRAMP program in 2011. Managed by GSA, FedRAMP aims to ensure that cloud services have adequate information security while also reducing operational costs. To accomplish this goal, FedRAMP established a standardized process for authorizing CSPs' cloud services.

The James M. Inhofe National Defense Authorization Act for Fiscal Year 2023 includes a provision for GAO to review the status of the FedRAMP program. GAO's objectives were to identify (1) the frequency and types of services agencies have used under FedRAMP; (2) the amounts of costs incurred by selected agencies and CSPs in pursuing FedRAMP authorizations; and (3) the key challenges selected agencies and CSPs face in the authorization process and determine the extent to which GSA and OMB have taken actions to address them.

GAO analyzed questionnaire responses from six selected CFO Act agencies and 13 selected CSPs. GAO selected these agencies and CSPs based on several factors, including the number of authorizations agencies had sponsored, the authorization path used by the CSPs, and whether a CSP was a small business. GAO also reviewed GSA and OMB data and interviewed appropriate agency and CSP officials.

Recommendations

GAO is making three recommendations, two to OMB and one to GSA, to finalize efforts to address challenges related to FedRAMP. GSA agreed with its recommendation and OMB did not comment on the recommendations.

Recommendations for Executive Action

Agency Affected: Office of Management and Budget
Recommendation 1: The Director of OMB, in collaboration with the FedRAMP PMO, should issue guidance to agencies to ensure that they consistently track and report the costs of sponsoring a FedRAMP authorization of cloud services.
Status: Open. In October 2023, OMB published proposed guidance for public comment to modernize the FedRAMP program, as required by the FedRAMP Authorization Act (44 U.S.C. §§ 3608-3616). The proposed guidance calls for the FedRAMP program management office and the FedRAMP board to seek feedback from industry on how to reduce the burden and cost of the FedRAMP authorization process for both federal agencies and cloud service providers. OMB requested that agencies report aggregated cloud security costs but did not ask agencies to separately track and report the specific costs of sponsoring authorizations, nor did it provide guidance on how to track these costs. As a result, we recommended that OMB issue guidance to ensure agencies consistently track and report the costs of sponsoring a FedRAMP authorization. OMB did not comment on the recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: Office of Management and Budget
Recommendation 2: The Director of OMB should finalize and implement the proposed new FedRAMP guidance, to include addressing the challenges identified in this report.
Status: Open. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: General Services Administration
Recommendation 3: The Administrator of General Services should direct the Director of FedRAMP to develop a plan, including firm time frames, for issuing guidance on how CSPs can navigate the FIPS 140-3 cryptographic requirements.
Status: Open. GSA agreed with the recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Topics

Cloud computing, Cyber security, Cybersecurity, Information security, Internal controls, Security risks, Small business, Chief financial officers, Federal Information Processing Standards, Defense budgets