Is FedRAMP Toothless? Rogue Cloud Systems Abound at Agencies, IGs Say

Many agencies blew off a deadline this summer to make sure their cloud computing systems met baseline security standards.

And it appears they’ll face little reproof for doing so.

Inspectors general at 19 agencies banded together to evaluate the government’s cloud computing efforts and published their findings in a recently released report.

Among the potential problems uncovered by the Council of Inspectors General on Integrity and Efficiency are a mostly toothless process for ensuring agencies’ cloud systems meet basic security standards and fuzzy service-level agreements between agencies and commercial cloud providers.

Back in December 2011, the Office of Management and Budget told agencies to take steps to ensure their existing cloud systems were fully compliant with the then-new standards set out by the Federal Risk and Authorization Management Program by this summer.

But of the 77 cloud contracts reviewed by the council of IGs, nearly three-fourths of them -- 59 -- failed to meet the June FedRAMP deadline. The rogue cloud systems hailed from 16 of the 19 agencies examined.

“The failure of the cloud system to address and meet FedRAMP security controls increases the risk that federal program data may be compromised, intercepted or lost, which could expose the data to unauthorized parties,” the report stated.

Leadership Vacuum to Blame for Missed Deadline?

Auditors chalked up the missed deadline, in part, to a leadership vacuum.

The FedRAMP program office, situated within the General Services Administration, and the Joint Authorization Board, made up of the chief information officers of GSA and the departments of Defense and Homeland Security and which actually reviews and authorizes commercial cloud systems, were both created by OMB in 2011.

But neither “has the authority to enforce FedRAMP compliance within the individual agencies,” the report concluded.

As “there is no discernable penalty for noncompliance and no singular governing body with the authority to enforce compliance,” agencies don’t really have an incentive to comply with FedRAMP in a timely fashion, auditors said.

OMB needs to come up with a way to enforce FedRAMP compliance, auditors recommended.

The IGs also called on the administration to develop guidance defining the minimum requirements agencies should incorporate into their contracts for cloud services.

As it stands now, agencies are inking too many deals with cloud providers that fail to spell out important specifications.

For example, 42 of the 77 cloud deals examined by auditors did not specify how a cloud service provider's performance would be measured, reported or monitored, “which increases the risk that agencies could misspend or ineffectively use government funds,” auditors concluded.

More than a third of cloud contracts looked at by auditors did not include data preservation requirements specifying how long data should be stored, whether the agency or the cloud provider actually owns the underlying data and how providers should sanitize data.

And at least 33 cloud providers never signed nondisclosure agreements with agencies to protect nonpublic information.