GSA, OMB lag on FedRAMP improvements, GAO finds


The congressional watchdog wants agencies to streamline the cloud approval process.

The agencies responsible for administering FedRAMP — the federal government's signature cloud authorization program — are lagging behind on process improvements and reforms, according to the Government Accountability Office.

In a report released Thursday, the GAO found that the Office of Management and Budget and the General Services Administration have yet to implement recommendations from the congressional watchdog to add transparency and accountability for FedRAMP use by agencies.

In December 2019, GAO recommended that OMB monitor whether federal agencies were following directives to use FedRAMP when buying and authorizing cloud services. OMB has not followed up on this recommendation, although it did call on agencies to deliver quarterly reports on their use of FedRAMP-authorized cloud services.

GSA still has not delivered on a 2019 GAO recommendation to automate some aspects of the FedRAMP process, although the agency did follow through on a GAO request to update guidance about program requirements for customer agencies and cloud providers.

The report also surveyed federal agencies and found at least 11 that used cloud services that were not authorized by FedRAMP. Some of these had been authorized before the advent of the FedRAMP program in 2011. GAO auditors suggested that OMB may be to blame for this phenomenon for not "adequately [monitoring] agencies' compliance with the program."

The report also pulls back the veil on FedRAMP compliance costs. GAO found wide variance in what it costs to approve cloud services for agency use. Most costs for a single FedRAMP approval ranged from $69,000 to $400,000, with outliers as low as $12,000 and as high as more than $700,000.

Agencies and cloud service providers (CSPs) that provided feedback to GAO for this report complained of unanticipated compliance costs, duplicative security reviews, officials who were not up to speed on the demands of the FedRAMP process, and time-consuming process requirements.

The report notes that "OMB lacks consistent data on costs for sponsoring FedRAMP authorizations." Proposed guidance on the implementation of the recently enacted FedRAMP Authorization Act calls for FedRAMP leaders to consult industry on ways to reduce the costs and duplicative labor involved in the cloud authorization process.

"I welcome this report from GAO, which provides a helpful snapshot of the program prior to full implementation of our bipartisan legislation, and I am encouraged by GAO's finding that the guidance the administration is developing pursuant to the FedRAMP Authorization Act will address the deficiencies in the program that GAO has identified," Rep. Gerry Connolly, D-Va., said in a statement. "I urge OMB and GSA to finalize relevant FedRAMP guidance and agency implementation plans as required by the legislation, which we fought hard to enact."