Is FedRAMP Toothless? Rogue Cloud Systems Abound at Agencies, IGs Say


Many agencies blew off a deadline this summer to make sure their cloud computing systems met baseline security standards.

And it appears they’ll face little reproof for doing so.

Inspectors general at 19 agencies banded together to evaluate the government’s cloud computing efforts and published their findings in a recently released report.

Among the potential problems uncovered by the Council of Inspectors General on Integrity and Efficiency are a mostly toothless process for ensuring agencies’ cloud systems meet basic security standards and fuzzy service-level agreements between agencies and commercial cloud providers.

Back in December 2011, the Office of Management and Budget told agencies to take steps to ensure their existing cloud systems were fully compliant with the then-new standards set out by the Federal Risk and Authorization Management Program by this summer.

But of the 77 cloud contracts reviewed by the council of IGs, nearly three-fourths of them -- 59 -- failed to meet the June FedRAMP deadline. The rogue cloud systems hailed from 16 of the 19 agencies examined.

“The failure of the cloud system to address and meet FedRAMP security controls increases the risk that federal program data may be compromised, intercepted or lost, which could expose the data to unauthorized parties,” the report stated.

Leadership Vacuum to Blame for Missed Deadline?

Auditors chalked up the missed deadline, in part, to a leadership vacuum.

OMB created both bodies in 2011: the FedRAMP program management office, housed within the General Services Administration, and the Joint Authorization Board, made up of the chief information officers of GSA and the departments of Defense and Homeland Security, which actually reviews and authorizes commercial cloud systems.

But neither “has the authority to enforce FedRAMP compliance within the individual agencies,” the report concluded.

As “there is no discernable penalty for noncompliance and no singular governing body with the authority to enforce compliance,” agencies don’t really have an incentive to comply with FedRAMP in a timely fashion, auditors said.

OMB needs to come up with a way to enforce FedRAMP compliance, auditors recommended.

The IGs also called on the administration to develop guidance defining the minimum requirements agencies should incorporate into their contracts for cloud services.

As it stands now, agencies are inking too many deals with cloud providers that fail to spell out important specifications.

For example, 42 of the 77 cloud deals examined by auditors did not specify how a cloud service provider's performance would be measured, reported or monitored, “which increases the risk that agencies could misspend or ineffectively use government funds,” auditors concluded.

More than a third of cloud contracts looked at by auditors did not include data preservation requirements specifying how long data should be stored, whether the agency or the cloud provider actually owns the underlying data and how providers should sanitize data.

And at least 33 cloud providers never signed nondisclosure agreements with agencies to protect nonpublic information.
