GAO to probe FedRAMP

The Government Accountability Office is preparing to audit the General Services Administration's Federal Risk and Authorization Management Program for cloud security, according to a senior GAO official.

"We're going to look at the extent of FedRAMP use and how to assess the cloud environment, as well as how agencies are using the cloud without FedRAMP review and see what we find," said Greg Wilshusen, director of information security issues at GAO, during a meeting of the Information Security and Privacy Advisory Board on Oct. 27.

He told FCW after his presentation that the audit should be seen as a sign that adoption of cloud services is growing among federal agencies rather than as an indication that there are problems.

GAO is conducting the review at the request of the Senate Homeland Security and Governmental Affairs Committee, though he said there is no schedule for it yet. GAO auditors will look into the challenges of cloud adoption from the perspective of agencies and commercial cloud services providers, he added.

Although a formal audit sounds a little ominous, particularly in light of complaints that the FedRAMP process is too long and expensive, Wilshusen told FCW that the study should not instill a sense of foreboding.

"We're doing it because it's very clear cloud migration is increasing," he said. "FedRAMP is a good thing, if done properly."