While the Office of Management and Budget (OMB) proposed new guidance to overhaul the General Services Administration’s (GSA) FedRAMP (Federal Risk and Authorization Management Program) program in October 2023, a new watchdog report is pushing both agencies to move quickly to finalize new program rules.

According to the Government Accountability Office (GAO), OMB and GSA “have not finalized these guidance documents or announced a schedule for doing so.” As a result, Federal agencies and cloud service providers (CSPs) may continue facing challenges “leading to additional costs to pursue authorizations,” the report says.

The FedRAMP program is operated by GSA to provide a standardized, government-wide approach to security assessment, authorization, and continuous monitoring for cloud products and services used by Federal government agencies.

OMB’s proposed new guidance for the program released last year – entitled “Modernizing the Federal Risk Authorization Management Program (FedRAMP)” – stems from the FedRAMP Authorization Act approved by Congress late in 2022 as part of the fiscal year (FY) 2023 National Defense Authorization Act (NDAA). That law codified FedRAMP into Federal law, and requires a laundry list of program modernization steps.

Today’s GAO report states that from July 2019 to April 2023, the 24 Chief Financial Officers Act agencies increased the number of FedRAMP authorizations by about 60 percent. These authorizations covered services ranging from basic computing infrastructure to a more full-service model that includes software applications.

OMB requires agencies to use FedRAMP. However, GAO found that nine agencies reported they were using cloud services that were not FedRAMP authorized. OMB has not yet implemented GAO’s prior recommendation to adequately monitor agencies’ compliance with the program, the report notes.

GAO found six key challenges that agencies and CSPs faced when pursuing FedRAMP authorizations, among them a lack of sufficient resources, meeting FedRAMP technical and process requirements, and engaging with third-party assessment organizations.

The government watchdog agency highlighted that finalizing the new FedRAMP guidance would help reduce the cost and challenges of pursuing FedRAMP authorizations.

The proposed new guidance – which would replace existing policy created for the program when it began in 2011 – is being driven in large part by the evolution of the cloud services market and the growth of software-as-a-service (SaaS) cloud-based applications, OMB said in October.

The proposed OMB guidance features near-term and longer-term deadlines for GSA and Federal agencies that use FedRAMP-approved services. The comment period on the proposed guidance closed on Nov. 27, 2023.

GAO’s 37-page report made three recommendations – two to OMB and one to GSA – to finalize efforts to address challenges related to FedRAMP.

GAO recommends that the director of OMB issue guidance to agencies to ensure that they consistently track and report the costs of sponsoring a FedRAMP authorization of cloud services; and finalize and implement the proposed new FedRAMP guidance.

GAO is also tasking GSA with directing the FedRAMP lead to develop a plan, including firm time frames, for issuing guidance on how CSPs can navigate the program’s requirements.

GSA agreed with that recommendation, while OMB did not comment on GAO’s two recommendations to the agency.

“I welcome this report from GAO, which provides a helpful snapshot of the program prior to full implementation of our bipartisan legislation, and I am encouraged by GAO’s finding that the guidance the Administration is developing pursuant to the FedRAMP Authorization Act will address the deficiencies in the program that GAO has identified,” said Rep. Gerry Connolly, D-Va., ranking member of the House Subcommittee on Cybersecurity, Information Technology, and Government Innovation and the author of the FedRAMP Authorization Act, in a statement today.

“I urge OMB and GSA to finalize relevant FedRAMP guidance and agency implementation plans as required by the legislation, which we fought hard to enact,” Rep. Connolly said.

Cate Burgan is a MeriTalk Senior Technology Reporter covering the intersection of government and technology.