Is FedRAMP Toothless? Rogue Cloud Systems Abound at Agencies, IGs Say


Many agencies blew off a deadline this summer to make sure their cloud computing systems met baseline security standards.

And it appears they’ll face little reproof for doing so.

Inspectors general at 19 agencies banded together to evaluate the government’s cloud computing efforts and published their findings in a recently released report.

Among the potential problems uncovered by the Council of Inspectors General on Integrity and Efficiency are a mostly toothless process for ensuring agencies’ cloud systems meet basic security standards and fuzzy service-level agreements between agencies and commercial cloud providers.

Back in December 2011, the Office of Management and Budget told agencies to take steps to ensure their existing cloud systems were fully compliant with the then-new standards set out by the Federal Risk and Authorization Management Program by this summer.

But of the 77 cloud contracts reviewed by the council of IGs, nearly three-fourths of them -- 59 -- failed to meet the June FedRAMP deadline. The rogue cloud systems hailed from 16 of the 19 agencies examined.

“The failure of the cloud system to address and meet FedRAMP security controls increases the risk that federal program data may be compromised, intercepted or lost, which could expose the data to unauthorized parties,” the report stated.

Leadership Vacuum to Blame for Missed Deadline?

Auditors chalked up the missed deadline, in part, to a leadership vacuum.

The FedRAMP program office, situated within the General Services Administration, and the Joint Authorization Board, made up of the chief information officers of GSA and the departments of Defense and Homeland Security and which actually reviews and authorizes commercial cloud systems, were both created by OMB in 2011.

But neither “has the authority to enforce FedRAMP compliance within the individual agencies,” the report concluded.

As “there is no discernable penalty for noncompliance and no singular governing body with the authority to enforce compliance,” agencies don’t really have an incentive to comply with FedRAMP in a timely fashion, auditors said.

OMB needs to come up with a way to enforce FedRAMP compliance, auditors recommended.

The IGs also called on the administration to develop guidance defining the minimum requirements agencies should incorporate into their contracts for cloud services.

As it stands now, agencies are inking too many deals with cloud providers that fail to spell out important specifications.

For example, 42 of the 77 cloud deals examined by auditors did not specify how a cloud service provider's performance would be measured, reported or monitored, “which increases the risk that agencies could misspend or ineffectively use government funds,” auditors concluded.

More than a third of cloud contracts looked at by auditors did not include data preservation requirements specifying how long data should be stored, whether the agency or the cloud provider actually owns the underlying data and how providers should sanitize data.

And at least 33 cloud providers never signed nondisclosure agreements with agencies to protect nonpublic information.
