
Cloud Security: Federal Authorization Program Usage Increasing, but Challenges Need to Be Fully Addressed

Report Type: Reports and Testimonies
Report Date: Jan. 18, 2024
Release Date: Jan. 18, 2024
Report No.: GAO-24-106591
Length: 37 pages

Summary:
What GAO Found

The Office of Management and Budget (OMB) established the Federal Risk and Authorization Management Program (FedRAMP) to provide a standardized approach for authorizing the use of cloud services. From July 2019 to April 2023, the 24 Chief Financial Officers (CFO) Act agencies increased the number of authorizations by about 60 percent. These authorizations covered services ranging from a basic computer infrastructure to a more full-service model that included software applications. OMB requires agencies to use FedRAMP. However, nine agencies reported they were using cloud services that were not FedRAMP authorized. OMB has not yet implemented GAO's recommendation to adequately monitor agencies' compliance with the program.

Selected agencies and cloud service providers (CSP) provided estimated costs when pursuing FedRAMP authorizations; data on actual costs were limited. The estimated costs varied widely and ranged anywhere from tens of thousands to millions of dollars. This was due, in part, to the agencies and CSPs using varying methods to determine costs. A contributing factor to the varying methods was that OMB did not provide guidance on authorization costs to be tracked and reported. The lack of consistent cost data will also hamper OMB in determining whether its goal of reducing FedRAMP costs will be achieved.

The selected agencies and CSPs identified six key challenges that they faced in pursuing FedRAMP authorizations (see table).

Key Challenges Faced by Agencies and Cloud Service Providers (CSP) When Pursuing Federal Risk and Authorization Management Program (FedRAMP) Authorizations

| Challenge | Description |
|---|---|
| Receiving timely responses from stakeholders | Agencies and CSPs reported that they had issues with receiving timely responses from stakeholders throughout the authorization process. |
| Sponsoring CSPs that were not fully prepared | Agencies reported that CSPs did not fully understand the FedRAMP process and lacked complete documentation. |
| Lacking sufficient resources | Agencies reported that they lacked the resources (e.g., funding and staffing) needed to sponsor an authorization. |
| Meeting FedRAMP technical and process requirements | CSPs reported that they had to update their infrastructure to meet federal security requirements. |
| Finding an agency sponsor | CSPs reported that finding an agency sponsor was difficult. |
| Engaging with third-party assessment organizations (3PAO) | CSPs reported that they faced issues (e.g., lack of consistency) when engaging with the organizations responsible for performing independent assessments of their cloud services (3PAOs). |

Source: GAO analysis. | GAO-24-106591

In acknowledging these challenges, OMB and the FedRAMP program management office in the General Services Administration (GSA) already have efforts underway to address them. For example, OMB released proposed new FedRAMP guidance for public comment in October 2023. GSA also intends to, among other things, issue guidance on meeting certain technical requirements. However, OMB and GSA have not finalized these guidance documents or announced a schedule for doing so. As a result, agencies and CSPs may continue facing challenges, leading to additional costs to pursue authorizations.

Why GAO Did This Study

OMB established the FedRAMP program in 2011. Managed by GSA, FedRAMP aims to ensure that cloud services have adequate information security while also reducing operational costs. To accomplish this goal, FedRAMP established a standardized process for authorizing CSPs' cloud services.

The James M. Inhofe National Defense Authorization Act for Fiscal Year 2023 includes a provision for GAO to review the status of the FedRAMP program. GAO's objectives were to identify (1) the frequency and types of services agencies have used under FedRAMP; (2) the amounts of costs incurred by selected agencies and CSPs in pursuing FedRAMP authorizations; and (3) the key challenges selected agencies and CSPs face in the authorization process and determine the extent to which GSA and OMB have taken actions to address them.

GAO analyzed questionnaire responses from six selected CFO Act agencies and 13 selected CSPs. GAO selected these agencies and CSPs based on several factors, including the number of authorizations agencies had sponsored, the authorization path used by the CSPs, and whether a CSP was a small business. GAO also reviewed GSA and OMB data and interviewed appropriate agency and CSP officials.
