More agencies are using FedRAMP, but some are still going rogue

While hundreds of additional government cloud projects are being vetted for cybersecurity every year, a GAO audit makes clear that many agencies are still standing up programs without going through FedRAMP.


The Federal Risk and Authorization Management Program, a key vehicle used to certify cloud projects for cybersecurity, experienced some notable growing pains early on in terms of speed and agility, but has seen its usage shoot up over the past three years.

According to a survey of 24 federal agencies conducted as part of an audit by the Government Accountability Office, FedRAMP authorizations have jumped from 390 to 926 between June 2017 and June 2019. While that means hundreds of additional government cloud projects are being vetted for cybersecurity every year, the report makes clear that many of those same agencies are still going rogue.

Since 2014, the Office of Management and Budget has required executive branch agencies to use FedRAMP, run out of the General Services Administration, for all cloud projects. However, 15 of the 24 agencies surveyed reported that they used cloud services not authorized through FedRAMP.

Collectively, auditors identified 247 cloud services in use among the group that had not been certified, with a single agency accounting for at least 90. One cloud service provider reported that at least 30 of its services in use across federal agencies had yet to receive authorization.

That leaves parts of the government’s cloud infrastructure exposed as "risks arise when agencies and cloud service providers do not effectively implement security controls over cloud services."

"Weaknesses in these controls could lead to vulnerabilities affecting the confidentiality, integrity, and availability of agency information," GAO wrote.

Agencies and FedRAMP program staff offered a variety of explanations for the gap.

Some said they were unable to find providers who both met their unique needs and had their products certified. Others complained about excessive time, labor and costs associated with compliance, charges that have plagued the FedRAMP program since its inception. One program manager said "misperceptions" about the program’s bureaucracy are still common, and GSA eventually created FedRAMP Accelerated, a streamlined version of the program. That has helped to cut down the time to achieve authorizations to operate from an average of 24 months to 12, according to the program.

Another problem: there appears to be lax oversight from the agency in charge of monitoring compliance across the executive branch. While OMB has issued mandates and guidance around using FedRAMP, auditors found that OMB was not collecting data from agencies to measure how extensively they were routing cloud services through the program, nor was it imposing accountability or consequences on agencies that fell short.

GAO made 25 separate recommendations. Chief among them was for the director of OMB to establish a process for monitoring agencies' use of cloud services and to establish accountability measures in instances where FedRAMP wasn't used. The other 24 recommendations were directed at four agencies (GSA, the Department of Health and Human Services, the Environmental Protection Agency and USAID) and centered on strengthening internal protocols to ensure cloud projects get certified before they become a vulnerability.

In attached letters, GSA Administrator Emily Murphy, HHS Assistant Secretary for Legislation Sarah Arbes and USAID Assistant Administrator Frederick Nutt all expressed agreement with the auditors' recommendations and outlined plans to make the necessary changes.

EPA Chief Information Officer Vaughn Noga, however, said his agency disagreed with four out of the five recommendations, and only partially agreed with one other, claiming the system GAO selected for review "was not in production and was not used for EPA operations."

OMB lawyers also provided comments that were not included in the report but paraphrased by auditors. The agency "neither agreed nor disagreed" with the recommendation, saying the mechanisms needed to enforce compliance do not exist. The OMB attorneys also apparently took issue with the way the audit was conducted, saying the use of surveys and interviews with various stakeholders represented more of a "perception" of the issue rather than an objective measurement of FedRAMP’s effectiveness.