Cloud Computing Security:

Agencies Increased Their Use of the Federal Authorization Program, but Improved Oversight and Implementation Are Needed

GAO-20-126: Published: Dec 12, 2019. Publicly Released: Dec 12, 2019.

Contact:

Gregory C. Wilshusen
(202) 512-6244
wilshuseng@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Federal agencies are increasingly using cloud computing services. Cloud computing offers benefits but also poses cybersecurity risks. OMB requires agencies to use the Federal Risk and Authorization Management Program to authorize their use of cloud services.

Although agencies increased their program use—authorizations were up 137% from 2017 to 2019—15 of the 24 agencies we surveyed reported that they didn’t always use the program. Our 4 case study agencies didn’t fully implement key elements of the authorization process. Also, OMB didn’t monitor use of the program.

We made 24 recommendations to 4 agencies, plus one to OMB to improve oversight.

Illustration of cloud computing


What GAO Found

The 24 federal agencies GAO surveyed reported using the Federal Risk and Authorization Management Program (FedRAMP) for authorizing cloud services. From June 2017 to July 2019, the number of authorizations granted through FedRAMP by the 24 agencies increased from 390 to 926, a 137 percent increase. However, 15 agencies reported that they did not always use the program for authorizing cloud services. For example, one agency reported that it used 90 cloud services that were not authorized through FedRAMP and the other 14 agencies reported using a total of 157 cloud services that were not authorized through the program. In addition, 31 of 47 cloud service providers reported that during fiscal year 2017, agencies used providers' cloud services that had not been authorized through FedRAMP. Although the Office of Management and Budget (OMB) required agencies to use the program, it did not effectively monitor agencies' compliance with this requirement. Consequently, OMB may have less assurance that cloud services used by agencies meet federal security requirements.

Four selected agencies did not consistently address key elements of the FedRAMP authorization process (see table). Officials at the agencies attributed some of these shortcomings to a lack of clarity in the FedRAMP guidance.

Agency Implementation of Key Elements of the FedRAMP Authorization Process

Agencies rated: HHS, GSA, EPA, USAID

Elements assessed for each agency:

Control implementation summaries identified security control responsibilities

Security plans addressed required information on control implementation

Security assessment reports summarized results of control tests

Remedial action plans addressed required information

Cloud service authorizations prepared and provided to FedRAMP Program Office

Legend: ● fully addressed the element; ◐ partially addressed the element

FedRAMP = Federal Risk and Authorization Management Program; HHS = Department of Health and Human Services; GSA = General Services Administration; EPA = Environmental Protection Agency; USAID = U.S. Agency for International Development

Source: GAO analysis of agency documentation | GAO-20-126

Program participants identified several benefits, but also noted challenges with implementing FedRAMP. For example, almost half of the 24 agencies reported that the program had improved the security of their data. However, participants reported ongoing challenges with the resources needed to comply with the program. GSA took steps to improve the program, but its FedRAMP guidance on requirements and responsibilities was not always clear, and the program's process for monitoring the status of security controls over cloud services was limited. Until GSA addresses these challenges, agency implementation of the program's requirements will likely remain inconsistent.

Why GAO Did This Study

Federal agencies use internet-based (cloud) services to fulfill their missions. GSA manages FedRAMP, which provides a standardized approach to ensure that cloud services meet federal security requirements. OMB requires agencies to use FedRAMP to authorize the use of cloud services.

GAO was asked to review FedRAMP. The objectives were to determine the extent to which 1) federal agencies used FedRAMP to authorize cloud services, 2) selected agencies addressed key elements of the program's authorization process, and 3) program participants identified FedRAMP benefits and challenges. GAO analyzed survey responses from 24 federal agencies and 47 cloud service providers. GAO also reviewed policies, plans, procedures, and authorization packages for cloud services at four selected federal agencies and interviewed officials from federal agencies, the FedRAMP program office, and OMB.

What GAO Recommends

GAO is making one recommendation to OMB to enhance oversight, two to GSA to improve guidance and monitoring, and 22 to the selected agencies, including GSA. GSA and HHS agreed with the recommendations, USAID generally agreed, EPA generally disagreed, and OMB neither agreed nor disagreed. GAO revised four recommendations and withdrew one based on new information provided; it maintains that the remaining recommendations are warranted.

For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov.

Recommendations for Executive Action

  1. Status: Open

    Priority recommendation

    Comments: To fully implement this recommendation, OMB needs to collect data on the extent to which federal agencies are using cloud services authorized outside of FedRAMP and oversee agencies' compliance with using the program. OMB neither agreed nor disagreed with this recommendation. According to an OMB Associate General Counsel, the agency does not have a mechanism for enforcing agencies' compliance with its guidance on FedRAMP. However, we believe that OMB can and should hold agencies accountable for complying with its policies. By implementing this recommendation, OMB could substantially improve participation in the FedRAMP program, which is intended to standardize security requirements for federal agencies' authorizations of cloud services. OMB has not provided information on its actions to implement our recommendation. We will update the status of this recommendation once OMB provides information on its corrective actions.

    Recommendation: The Director of OMB should establish a process for monitoring and holding agencies accountable for authorizing cloud services through FedRAMP. (Recommendation 1)

    Agency Affected: Executive Office of the President: Office of Management and Budget: Office of the Director

  2. Status: Open

    Comments: GSA has not provided information on its actions to implement our recommendation. We will update the status of this recommendation once GSA provides information on its corrective actions.

    Recommendation: The Administrator of GSA should direct the Director of FedRAMP to clarify guidance to agencies and cloud service providers on program requirements and responsibilities. (Recommendation 2)

    Agency Affected: General Services Administration: Office of the Administrator

  3. Status: Open

    Comments: GSA has not provided information on its actions to implement our recommendation. We will update the status of this recommendation once GSA provides information on its corrective actions.

    Recommendation: The Administrator of GSA should direct the Director of FedRAMP to improve the program's continuous monitoring process by allowing more automated capabilities, including for agencies to review documentation. (Recommendation 3)

    Agency Affected: General Services Administration: Office of the Administrator

  4. Status: Open

    Comments: GSA has not provided information on its actions to implement our recommendation. We will update the status of this recommendation once GSA provides information on its corrective actions.

    Recommendation: The Administrator of GSA should update the security plans for the selected systems to include a description of security controls and the review and approval of the plan. (Recommendation 4)

    Agency Affected: General Services Administration: Office of the Administrator

  5. Status: Open

    Comments: GSA has not provided information on its actions to implement our recommendation. We will update the status of this recommendation once GSA provides information on its corrective actions.

    Recommendation: The Administrator of GSA should update the security assessment report for the selected system to identify the summarized results of control effectiveness tests. (Recommendation 5)

    Agency Affected: General Services Administration: Office of the Administrator

  6. Status: Open

    Comments: GSA has not provided information on its actions to implement our recommendation. We will update the status of this recommendation once GSA provides information on its corrective actions.

    Recommendation: The Administrator of GSA should update the list of corrective actions for selected systems to identify the responsible office and estimated funding required and anticipated source of funding. (Recommendation 6)

    Agency Affected: General Services Administration: Office of the Administrator

  7. Status: Open

    Comments: GSA has not provided information on its actions to implement our recommendation. We will update the status of this recommendation once GSA provides information on its corrective actions.

    Recommendation: The Administrator of GSA should develop guidance requiring that cloud service authorization letters be provided to the FedRAMP program management office. (Recommendation 7)

    Agency Affected: General Services Administration: Office of the Administrator

  8. Status: Open

    Comments: CDC has not provided information on its actions to implement our recommendation. We will update the status of this recommendation once CDC provides information on its corrective actions.

    Recommendation: The Secretary of HHS should direct the Director of CDC to update the security plan for the selected system to identify the authorization boundary, the system operational environment and connections, a description of security controls, and the individual reviewing and approving the plan and date of approval. (Recommendation 8)

    Agency Affected: Department of Health and Human Services: Office of the Secretary

  9. Status: Open

    Comments: CDC has not provided information on its actions to implement our recommendation. We will update the status of this recommendation once CDC provides information on its corrective actions.

    Recommendation: The Secretary of HHS should direct the Director of CDC to update the security assessment report for the selected system to identify the summarized results of control effectiveness tests. (Recommendation 9)

    Agency Affected: Department of Health and Human Services: Office of the Secretary

  10. Status: Open

    Comments: CDC has not provided information on its actions to implement our recommendation. We will update the status of this recommendation once CDC provides information on its corrective actions.

    Recommendation: The Secretary of HHS should direct the Director of CDC to update the list of corrective actions for the selected system to identify the specific weaknesses, funding source, changes to milestones and completion dates, identified source of weaknesses, and status of corrective actions. (Recommendation 10)

    Agency Affected: Department of Health and Human Services: Office of the Secretary

  11. Status: Open

    Comments: CMS has not provided information on its actions to implement our recommendation. We will update the status of this recommendation once CMS provides information on its corrective actions.

    Recommendation: The Secretary of HHS should direct the Administrator of CMS to update the system security plans for selected systems to identify a description of security controls. (Recommendation 11)

    Agency Affected: Department of Health and Human Services: Office of the Secretary

  12. Status: Open

    Comments: CMS has not provided information on its actions to implement our recommendation. We will update the status of this recommendation once CMS provides information on its corrective actions.

    Recommendation: The Secretary of HHS should direct the Administrator of CMS to update the security assessment report for the selected system to identify the summarized results of control effectiveness tests. (Recommendation 12)

    Agency Affected: Department of Health and Human Services: Office of the Secretary

  13. Status: Open

    Comments: CMS has not provided information on its actions to implement our recommendation. We will update the status of this recommendation once CMS provides information on its corrective actions.

    Recommendation: The Secretary of HHS should direct the Administrator of CMS to update and document the CMS remedial action plan for the selected system to identify the anticipated source of funding. (Recommendation 13)

    Agency Affected: Department of Health and Human Services: Office of the Secretary

  14. Status: Open

    Comments: CMS has not provided information on its actions to implement our recommendation. We will update the status of this recommendation once CMS provides information on its corrective actions.

    Recommendation: The Secretary of HHS should direct the Administrator of CMS to prepare letters authorizing the use of cloud services for the selected systems and submit the letters to the FedRAMP program management office. (Recommendation 14)

    Agency Affected: Department of Health and Human Services: Office of the Secretary

  15. Status: Open

    Comments: NIH has not provided information on its actions to implement our recommendation. We will update the status of this recommendation once NIH provides information on its corrective actions.

    Recommendation: The Secretary of HHS should direct the Director of NIH to update security plans for selected systems to identify the authorization boundary, system operation in terms of mission and business processes, operational environment and connections, and a description of security controls. (Recommendation 15)

    Agency Affected: Department of Health and Human Services: Office of the Secretary

  16. Status: Open

    Comments: NIH has not provided information on its actions to implement our recommendation. We will update the status of this recommendation once NIH provides information on its corrective actions.

    Recommendation: The Secretary of HHS should direct the Director of NIH to update the security assessment report for selected systems to identify summarized results of control effectiveness tests. (Recommendation 16)

    Agency Affected: Department of Health and Human Services: Office of the Secretary

  17. Status: Open

    Comments: NIH has not provided information on its actions to implement our recommendation. We will update the status of this recommendation once NIH provides information on its corrective actions.

    Recommendation: The Secretary of HHS should direct the Director of NIH to update the NIH list of corrective actions for selected systems to identify estimated funding and anticipated source of funding, key milestones with completion dates, and changes to milestones and completion dates. (Recommendation 17)

    Agency Affected: Department of Health and Human Services: Office of the Secretary

  18. Status: Open

    Comments: NIH has not provided information on its actions to implement our recommendation. We will update the status of this recommendation once NIH provides information on its corrective actions.

    Recommendation: The Secretary of HHS should direct the Director of NIH to submit the division's letters authorizing the use of cloud services for the selected systems to the FedRAMP program management office. (Recommendation 18)

    Agency Affected: Department of Health and Human Services: Office of the Secretary

  19. Status: Open

    Comments: EPA has not provided information on its actions to implement our recommendation. We will update the status of this recommendation once EPA provides information on its corrective actions.

    Recommendation: The Administrator of EPA should update the security plan for the selected operational system to identify a description of security controls, and the individual reviewing and approving the plan and the date of approval. (Recommendation 19)

    Agency Affected: Environmental Protection Agency

  20. Status: Open

    Comments: EPA has not provided information on its actions to implement our recommendation. We will update the status of this recommendation once EPA provides information on its corrective actions.

    Recommendation: The Administrator of EPA should update the security assessment report for the selected operational system to identify the summarized results of control effectiveness tests. (Recommendation 20)

    Agency Affected: Environmental Protection Agency

  21. Status: Open

    Comments: EPA has not provided information on its actions to implement our recommendation. We will update the status of this recommendation once EPA provides information on its corrective actions.

    Recommendation: The Administrator of EPA should update the list of corrective actions for the selected operational system to identify the specific weakness, estimated funding and anticipated source of funding, key remediation milestones with completion dates, changes to milestones and completion dates, and source of the weaknesses. (Recommendation 21)

    Agency Affected: Environmental Protection Agency

  22. Status: Open

    Comments: EPA has not provided information on its actions to implement our recommendation. We will update the status of this recommendation once EPA provides information on its corrective actions.

    Recommendation: The Administrator of EPA should prepare the letter authorizing the use of the cloud service for the selected operational system and submit the letter to the FedRAMP program management office. (Recommendation 22)

    Agency Affected: Environmental Protection Agency

  23. Status: Open

    Comments: EPA has not provided information on its actions to implement our recommendation. We will update the status of this recommendation once EPA provides information on its corrective actions.

    Recommendation: The Administrator of EPA should develop guidance requiring that cloud service authorization letters be provided to the FedRAMP program management office. (Recommendation 23)

    Agency Affected: Environmental Protection Agency

  24. Status: Open

    Comments: When we confirm that the corrective actions USAID submitted in response to this recommendation are sufficient, we will update the status of this recommendation.

    Recommendation: The Administrator of USAID should update the list of corrective actions for the selected system to include the party responsible for addressing the weakness, and source of the weakness. (Recommendation 24)

    Agency Affected: United States Agency for International Development

  25. Status: Open

    Comments: When we confirm that the corrective actions USAID submitted in response to this recommendation are sufficient, we will update the status of this recommendation.

    Recommendation: The Administrator of USAID should prepare the letter authorizing the use of the cloud service for the selected system and submit the letter to the FedRAMP program management office. (Recommendation 25)

    Agency Affected: United States Agency for International Development
