Skip to main content

Cloud Security: Federal Authorization Program Usage Increasing, but Challenges Need to Be Fully Addressed

GAO-24-106591 Published: Jan 18, 2024. Publicly Released: Jan 18, 2024.
Jump To:

Fast Facts

The Office of Management and Budget established the FedRAMP program to authorize secure cloud services for federal use.

From 2019-23, agencies increased FedRAMP use—authorizations were up 60%. But some agencies reported using services that weren't FedRAMP-authorized. OMB still hasn’t fully implemented our previous recommendation to monitor program use.

OMB is proposing new guidance that aims to help reduce the cost of pursuing FedRAMP authorizations. Some cost estimates are available and widely varied, but actual costs are unclear—so OMB may not have the information it needs for this effort. Our 3 recommendations address this and other issues.

Illustration showing a computer laptop on a table will an internet cloud over the screen.

Skip to Highlights

Highlights

What GAO Found

The Office of Management and Budget (OMB) established the Federal Risk and Authorization Management Program (FedRAMP) to provide a standardized approach for authorizing the use of cloud services. From July 2019 to April 2023, the 24 Chief Financial Officers (CFO) Act agencies increased the number of authorizations by about 60 percent. These authorizations covered services ranging from a basic computer infrastructure to a more full-service model that included software applications. OMB requires agencies to use FedRAMP. However, nine agencies reported they were using cloud services that were not FedRAMP authorized. OMB has not yet implemented GAO's recommendation to adequately monitor agencies' compliance with the program.

Selected agencies and cloud service providers (CSP) provided estimated costs when pursuing FedRAMP authorizations; data on actual costs were limited. The estimated costs varied widely and ranged anywhere from tens of thousands to millions of dollars. This was due, in part, to the agencies and CSPs using varying methods to determine costs. A contributing factor to the varying methods was that OMB did not provide guidance on authorization costs to be tracked and reported. The lack of consistent cost data will also hamper OMB in determining whether its goal of reducing FedRAMP costs will be achieved.

The selected agencies and CSPs identified six key challenges that they faced in pursuing FedRAMP authorizations (see table).

Key Challenges Faced by Agencies and Cloud Service Providers (CSP) When Pursuing Federal Risk and Authorization Management Program (FedRAMP) Authorizations

Challenges

Description

Receiving timely responses from stakeholders

Agencies and CSPs reported that they had issues with receiving timely responses from stakeholders throughout the authorization process.

Sponsoring CSPs that were not fully prepared

Agencies reported that CSPs did not fully understand the FedRAMP process and lacked complete documentation.

Lacking sufficient resources

Agencies reported that they lacked the resources (e.g., funding and staffing) needed to sponsor an authorization.

Meeting FedRAMP technical and process requirements

CSPs reported that they had to update the infrastructure to meet federal security requirements.

Finding an agency sponsor

CSPs reported that finding an agency sponsor was difficult.

Engaging with third-party assessment organizations (3PAO)

CSPs reported that they faced issues (e.g., lack of consistency) when engaging with organizations that were responsible for performing independent assessments of their cloud services—3PAOs.

Source: GAO analysis. | GAO24106591

In acknowledging these challenges, OMB and the FedRAMP program management office in the General Services Administration (GSA) already have efforts underway to address them. For example, OMB released proposed new FedRAMP guidance for public comment in October 2023. GSA also intends to, among other things, issue guidance on meeting certain technical requirements. However, OMB and GSA have not finalized these guidance documents or announced a schedule for doing so. As a result, agencies and CSPs may continue facing challenges, leading to additional costs to pursue authorizations.

Why GAO Did This Study

OMB established the FedRAMP program in 2011. Managed by GSA, FedRAMP aims to ensure that cloud services have adequate information security while also reducing operational costs. To accomplish this goal, FedRAMP established a standardized process for authorizing CSPs' cloud services.

The James M. Inhofe National Defense Authorization Act for Fiscal Year 2023 includes a provision for GAO to review the status of the FedRAMP program. GAO's objectives were to identify (1) the frequency and types of services agencies have used under FedRAMP; (2) the amounts of costs incurred by selected agencies and CSPs in pursuing FedRAMP authorizations; and (3) the key challenges selected agencies and CSPs face in the authorization process and determine the extent to which GSA and OMB have taken actions to address them.

GAO analyzed questionnaire responses from six selected CFO Act agencies and 13 selected CSPs. GAO selected these agencies and CSPs based on several factors, including the number of authorizations agencies had sponsored, the authorization path used by the CSPs, and whether a CSP was a small business. GAO also reviewed GSA and OMB data and interviewed appropriate agency and CSP officials.

Recommendations

GAO is making three recommendations, two to OMB and one to GSA, to finalize efforts to address challenges related to FedRAMP. GSA agreed with its recommendation and OMB did not comment on the recommendations.

Recommendations for Executive Action

Agency Affected Recommendation Status
Office of Management and Budget The Director of OMB, in collaboration with the FedRAMP PMO, should issue guidance to agencies to ensure that they consistently track and report the costs of sponsoring a FedRAMP authorization of cloud services. (Recommendation 1)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Office of Management and Budget The Director of OMB should finalize and implement the proposed new FedRAMP guidance, to include addressing the challenges identified in this report. (Recommendation 2)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
General Services Administration The Administrator of General Services should direct the Director of FedRAMP to develop a plan, including firm time frames, for issuing guidance on how CSPs can navigate the FIPS 140-3 cryptographic requirements. (Recommendation 3)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Full Report

Office of Public Affairs

Topics

Cloud computingCyber securityCybersecurityInformation securityInternal controlsSecurity risksSmall businessChief financial officersFederal Information Processing StandardsDefense budgets