Federal agencies are increasingly using cloud computing services, and the Office of Management and Budget (OMB) requires them to use the Federal Risk and Authorization Management Program (FedRAMP) to authorize those services.
A Government Accountability Office (GAO) review found that while agencies increased their program use—authorizations were up 137% from 2017 to 2019—15 of the 24 agencies surveyed did not always use the program. GAO reported December 12 that those agencies did not fully implement key elements of the authorization process. Agencies did not consistently address required information for implementing controls, summarizing control tests, and tracking corrective actions. For example, one agency reported that it used 90 cloud services that were not authorized through FedRAMP, and the other 14 agencies reported using a total of 157 cloud services that were not authorized through the program. In addition, 31 of 47 cloud service providers reported that during fiscal year 2017, agencies used providers’ cloud services that had not been authorized through FedRAMP.
Furthermore, GAO said that while OMB required agencies to use FedRAMP, it failed to monitor the use of the program. Consequently, OMB may have less assurance that cloud services used by agencies meet federal security requirements.
Program participants identified several benefits during GAO’s review, but also noted challenges with implementing FedRAMP. For example, almost half of the 24 agencies reported that the program had improved the security of their data. However, participants reported ongoing challenges with resources needed to comply with the program.
The General Services Administration, for example, took steps to improve the program, but GAO found its FedRAMP guidance on requirements and responsibilities was not always clear and the program’s process for monitoring the status of security controls over cloud services was limited.
GAO is recommending that OMB enhance oversight by establishing a process that would monitor and hold agencies accountable for using FedRAMP-authorized cloud services. Several recommendations have also been directed at the individual agencies that came under GAO’s scrutiny as part of the review.
Industry is also at risk of cyberattacks on cloud services as its use of the technology increases. The National Security Agency (NSA) said on December 3 that it plans to issue updated guidance to companies on cybersecurity in the cloud.
Speaking at the Wall Street Journal’s Pro Cybersecurity Executive Forum, Anne Neuberger, director of the NSA’s Cybersecurity Directorate, said that one of her division’s goals is to produce advisories for businesses and other organizations. The advisories would describe attack methods used by nation-state and advanced hackers and provide guidance to counter them.
Neuberger said she expects the cloud advisory to be published by year-end.