Date: 2024-01-18

The Government Accountability Office (GAO) has raised concerns about the Office of Management and Budget (OMB) and the General Services Administration's (GSA) handling of the Federal Risk and Authorization Management Program (FedRAMP). This program, which authorizes cloud service usage within federal agencies, has not seen the necessary transparency and accountability enhancements, according to a recent GAO report.

Findings Highlight Lack of Compliance and Oversight

The GAO report indicates that OMB has not been adequately monitoring federal agency compliance with directives to use FedRAMP. Despite a 2019 recommendation to oversee the use of FedRAMP-authorized cloud services, OMB's efforts have been insufficient. Although quarterly reports on the use of these services have been requested, monitoring compliance has fallen short of expectations.

Similarly, GSA's process improvements have been slow. While updates have been made to guidance for customer agencies and cloud providers, there has been a lag in automating parts of the FedRAMP process.

Unauthorized Use of Cloud Services

The report has also shed light on at least 11 federal agencies using cloud services that have not been authorized by FedRAMP. Some of these services were authorized prior to FedRAMP's establishment in 2011.

Concerns Over Cost and Complexity

The costs associated with FedRAMP approval are significant and vary widely, with most approvals ranging from $69,000 to $400,000. The high costs, complex demands of the FedRAMP process, and duplicate security reviews have raised concerns among agencies and Cloud Service Providers (CSPs).

Moreover, the GAO report underscores the lack of consistent data on the costs of sponsoring FedRAMP authorizations. The recently enacted FedRAMP Authorization Act is expected to address these issues. The Act requires industry consultation to reduce costs and labor.

In response to the GAO report, Representative Gerry Connolly has urged OMB and GSA to finalize the required guidance and implementation plans mandated by the new legislation. He expressed concern about the slow progress in implementing FedRAMP cloud authorization reforms.