Agencies fall short implementing FedRAMP requirements for cloud vendors, GAO finds

Though all of the systems had FedRAMP authorizations, most were not meeting key requirements of the cloud security authorization program.

Four large federal departments recently audited by the Government Accountability Office were found not to be fully implementing the requirements of the Federal Risk and Authorization Management Program.

Despite the decade-old mandate that agencies use FedRAMP to ensure services meet federal cloud security standards, the four departments — Treasury, Labor, Homeland Security and Agriculture — inconsistently implemented the program’s requirements, the GAO report on cloud security details.

All 15 of the systems that the GAO audited among the departments — which included a variety of infrastructure-, platform- and software-as-a-service instances — had been FedRAMP authorized at some point in time. But in the departments' specific contracts for the systems at hand, just four of the 15 completely met the requirements of FedRAMP.

The rest were a mixed bag, in some cases failing to document the authorization of the system and the cloud service in use, failing to provide an authorization letter to the FedRAMP program office, or failing to require the provider to comply with FedRAMP requirements.
Again, all of the systems used cloud services that had been deemed at one point in time to be secure and authorized for federal use by the FedRAMP program. But, as the report explains: “Until the agencies fully implement each of the FedRAMP requirements, they will likely not fully identify the security risk of the system, and ensure they are notified by FedRAMP of any changes to the authorization of the CSP. In addition, there is an increased risk that the CSPs used by the agencies will not fully implement FedRAMP requirements.”

The results of the audit come just after last year’s passage of the FedRAMP Authorization Act, which codified the program as the federal standard for authorizing cloud services.

The report also highlighted similar inconsistencies in the departments' implementation of continuous monitoring plans for their cloud service contracts.

Rep. Gerry Connolly, D-Va., who keeps a close eye on federal IT and was the author of the recent FedRAMP legislation, pushed for agencies to “bake” security measures into their cloud efforts.

“Increased cloud computing adoption opens the door for the federal government to provide higher quality services at lower costs. But any successful modernization strategy must also have security measures baked throughout. Embracing new technologies cannot sacrifice product quality, cost, or cybersecurity,” Connolly said in a statement.
He added: “GAO’s recent cloud security report rightly pushes agencies to bolster their continuous monitoring efforts. As the author of the FedRAMP Authorization Act and Ranking Member of the Subcommittee on Cybersecurity, Information Technology, and Government Innovation, I encourage all agencies to fully address their FedRAMP requirements.”