Watchdog Security Reviews Not Guaranteed in FedRAMP Revamp

Sen. Jon Ossoff, D-Ga. Chip Somodevilla/Getty Images

Legislation recently clearing a key Senate committee stops short of requiring the Government Accountability Office to review vendors’ encryption practices and supply chains.

The Government Accountability Office could get new oversight responsibilities over the government’s internal cloud security certification program as part of legislation moving through Congress, though it’s too early to tell whether the watchdog agency will make full use of those authorities.

The General Services Administration’s Federal Risk and Authorization Management Program, or FedRAMP—which celebrated its 10th birthday in November—is a required step for any agency looking to purchase cloud services. However, the program is not fully enforced or monitored for compliance by the Office of Management and Budget, according to GAO.

All administrations going back to President Obama have pushed federal agencies to make greater use of cloud service providers in order to reduce costs, and FedRAMP has been their way of checking that security isn’t sacrificed in the process.

In 2019, GAO found that a majority of agencies often weren’t going through FedRAMP before authorizing cloud vendors. The agencies cited a lack of clarity in GSA’s guidance, which GAO said would have to be addressed in order for the program to succeed.

On Dec. 15, the Senate Homeland Security and Governmental Affairs Committee cleared legislation to put the GSA program in statute. Similar legislation has been ready to go for years in the House but has consistently stalled in the upper chamber.

After an amendment led by Ranking Member Rob Portman, R-Ohio, the bill includes provisions that seek to avoid foreign influence, either through code in vendors’ software supply chains or through the third-party assessment organizations vendors use to validate their security practices. The GSA administrator would determine whether a vendor may use a third-party assessor to verify its attestations, according to the bill.

The bill requires a GAO report on FedRAMP 180 days out from passage. Kevin Walsh, an information technology and cybersecurity director at GAO, said the agency worked with the committee on the legislation and “will complete any reports, as directed.”

But while the language of the Federal Secure Cloud Improvement and Jobs Act of 2021 states GAO “shall” report on agency cloud uptake and private-sector costs and compliance burdens, it defers to GAO on the supply chain and foreign-influence disclosure requirements, as well as on vendors’ encryption practices. The comptroller “may” conduct such reviews, reads an amendment Sen. Jon Ossoff, D-Ga., managed to include.

“Given the flexibility in the language, we're not in a position to speculate about the specifics of what we might audit,” Walsh told Nextgov. “Generally, that kind of scoping decision would be made after completing some preliminary audit work.”

Walsh pointed to GAO’s most recent report for the committee, which called for additional oversight of FedRAMP.

“We made a total of 25 recommendations: one to OMB to enhance oversight, two to GSA to improve guidance and monitoring, and 22 to the selected agencies,” he said. “Since then, five of the 25 recommendations have been closed.”