A recent audit by the General Services Administration’s (GSA) Office of Inspector General found that GSA’s Federal Risk and Authorization Management Program (FedRAMP) Program Management Office (PMO) has not yet established an adequate structure to assist the Federal government with adoption of secure cloud services.
According to the report, the mission statement of FedRAMP PMO does not provide a clear direction for the office, and it is difficult to determine whether the office is meeting its mission effectively.
The GSA OIG recommended three courses of action that the FedRAMP PMO should implement to remedy those deficits: revising the office’s mission statement to a concise, singular statement; making its objectives more specific and measurable; and reviewing the mission, goals, and objectives to make sure they align cohesively.
The OIG originally planned to review the authorization and accreditation process for third-party providers that perform security assessments of cloud service providers, but during that review it found risks at the FedRAMP PMO level. The audit was included as part of the OIG’s Fiscal Year 2017 Audit Plan.
According to the report, the Federal Acquisition Service Commissioner—who manages the day-to-day operations of FedRAMP PMO—agreed with the audit recommendations.