Federal agencies increasingly use internet-based (cloud) services to fulfill their missions. However, those services pose cybersecurity risks when agencies don’t effectively implement related security controls.
The 2011 Federal Risk and Authorization Management Program (or FedRAMP) aims to standardize the approach for federal use of cloud services. The FedRAMP program establishes security requirements and guidelines that are intended to help secure cloud computing environments used by agencies, helping protect agencies’ data, which could include information used to support their missions such as protecting public health.
Today’s WatchBlog looks at the FedRAMP policies and how agencies’ compliance with those policies is monitored.
Office of Management and Budget monitoring lags
OMB requires agencies to use the program, but we found that it didn’t effectively monitor agencies’ compliance. This makes it harder to ensure that the cloud services agencies use are meeting federal security requirements.
From the customer perspective, officials from almost half of the 24 federal agencies we surveyed said FedRAMP had improved their data security. Agencies also reported that the program’s process for monitoring the status of security controls over cloud services was limited. Specifically, continuous monitoring should be automated to ensure that agencies are getting real-time information on the security status of the services they use. Currently, agencies have to gather and assess much of these data manually.
The Homeland Security Information Network is one example of a federal system using cloud services.
Enhanced guidance, improved cloud security recommended
We recommended enhancing OMB oversight and improving the FedRAMP administrator’s guidance and monitoring. We also made specific recommendations to the FedRAMP administrator and the agencies in our review to help them improve cloud security and more.
Other GAO reports
Other GAO reports have discussed various aspects of FedRAMP, including Department of Agriculture data centers, federal agencies’ use of cloud computing and the Federal Communications Commission’s information security measures.