Skip to main content

< WatchBlog: Following the Federal Dollar

FedRAMP—Ensuring Safe Use of Cloud Computing by Federal Agencies

Posted on September 01, 2020

Federal agencies increasingly use internet-based (cloud) services to fulfill their missions. However, those services pose cybersecurity risks when agencies don’t effectively implement related security controls.

The 2011 Federal Risk and Authorization Management Program (or FedRAMP) aims to standardize the approach for federal use of cloud services. The FedRAMP program establishes security requirements and guidelines that are intended to help secure cloud computing environments used by agencies, helping protect agencies’ data, which could include information used to support their missions such as protecting public health.

Today’s WatchBlog looks at the FedRAMP policies and how agencies’ compliance with policies are monitored.  

Office of Management and Budget monitoring lags 

OMB requires agencies to use the program, but we found that it didn’t effectively monitor agencies’ compliance. This makes it harder to ensure that cloud services agencies are meeting federal security requirements.

From the customer perspective, officials from almost half of the 24 federal agencies we surveyed said FedRAMP had improved their data security. Agencies also reported that the program’s process for monitoring the status of security controls over cloud services was limited. Specifically, continuous monitoring should be automated to ensure that agencies are getting real-time information on the security status of the services they use. Currently, agencies have to gather and assess much of these data manually.

The Homeland Security Information Network is one example of a federal system using cloud services.

Photo of the Department of Homeland Security's cybersecurity team

 

Enhanced guidance, improved cloud security recommended 

We recommended enhancing OMB oversight and improving the FedRAMP administrator’s guidance and monitoring. We also made specific recommendations to the FedRAMP administrator and the agencies in our review to help them improve cloud security and more.

Other GAO reports

Other GAO reports have discussed various aspects of FedRAMP, including Department of Agriculture data centers, federal agencies’ use of cloud computing and the Federal Communications Commission’s information security measures.

Topics

Information Technology
Office of Management and Budget
Department of Homeland Security
Department of Agriculture
Cyber security
Cybersecurity
Cloud computing
Information Technology and Cybersecurity

GAO Contacts

Related Posts

Related Products

Cloud Computing Security: Agencies Increased Their Use of the Federal Authorization Program, but Improved Oversight and Implementation Are Needed

GAO-20-126
Published: Dec 12, 2019
Publicly Released: Dec 12, 2019

Department of Agriculture: Analysis of Selected Data Centers Did Not Follow Federal Guidance and Leading Practices

GAO-19-146R
Published: Dec 19, 2018
Publicly Released: Dec 19, 2018

Cloud Computing: Agencies Have Increased Usage and Realized Benefits, but Cost and Savings Data Need to Be Better Tracked

GAO-19-58
Published: Apr 04, 2019
Publicly Released: May 06, 2019

Information Security: FCC Made Significant Progress, but Needs to Address Remaining Control Deficiencies and Improve Its Program

GAO-20-265
Published: Mar 25, 2020
Publicly Released: Apr 24, 2020
About Watchblog

GAO's mission is to provide Congress with fact-based, nonpartisan information that can help improve federal government performance and ensure accountability for the benefit of the American people. GAO launched its WatchBlog in January, 2014, as part of its continuing effort to reach its audiences—Congress and the American people—where they are currently looking for information.

The blog format allows GAO to provide a little more context about its work than it can offer on its other social media platforms. Posts will tie GAO work to current events and the news; show how GAO’s work is affecting agencies or legislation; highlight reports, testimonies, and issue areas where GAO does work; and provide information about GAO itself, among other things.

Please send any feedback on GAO's WatchBlog to blog@gao.gov.