Skip to main content

FedRAMP—Ensuring Safe Use of Cloud Computing by Federal Agencies

Posted on September 01, 2020

Federal agencies increasingly use internet-based (cloud) services to fulfill their missions. However, those services pose cybersecurity risks when agencies don’t effectively implement related security controls.

The 2011 Federal Risk and Authorization Management Program (or FedRAMP) aims to standardize the approach for federal use of cloud services. The FedRAMP program establishes security requirements and guidelines that are intended to help secure cloud computing environments used by agencies, helping protect agencies’ data, which could include information used to support their missions such as protecting public health.

Today’s WatchBlog looks at the FedRAMP policies and how agencies’ compliance with policies are monitored.  

Office of Management and Budget monitoring lags 

OMB requires agencies to use the program, but we found that it didn’t effectively monitor agencies’ compliance. This makes it harder to ensure that cloud services agencies are meeting federal security requirements.

From the customer perspective, officials from almost half of the 24 federal agencies we surveyed said FedRAMP had improved their data security. Agencies also reported that the program’s process for monitoring the status of security controls over cloud services was limited. Specifically, continuous monitoring should be automated to ensure that agencies are getting real-time information on the security status of the services they use. Currently, agencies have to gather and assess much of these data manually.

The Homeland Security Information Network is one example of a federal system using cloud services.


Photo of the Department of Homeland Security's cybersecurity team


Enhanced guidance, improved cloud security recommended 

We recommended enhancing OMB oversight and improving the FedRAMP administrator’s guidance and monitoring. We also made specific recommendations to the FedRAMP administrator and the agencies in our review to help them improve cloud security and more.

Other GAO reports

Other GAO reports have discussed various aspects of FedRAMP, including Department of Agriculture data centers, federal agencies’ use of cloud computing and the Federal Communications Commission’s information security measures.

Related Products

About Watchblog

GAO's mission is to provide Congress with fact-based, nonpartisan information that can help improve federal government performance and ensure accountability for the benefit of the American people. GAO launched its WatchBlog in January, 2014, as part of its continuing effort to reach its audiences—Congress and the American people—where they are currently looking for information.

The blog format allows GAO to provide a little more context about its work than it can offer on its other social media platforms. Posts will tie GAO work to current events and the news; show how GAO’s work is affecting agencies or legislation; highlight reports, testimonies, and issue areas where GAO does work; and provide information about GAO itself, among other things.

Please send any feedback on GAO's WatchBlog to