Cloud Computing Security: Agencies Increased Their Use of the Federal Authorization Program, but Improved Oversight and Implementation Are Needed
Fast Facts
Federal agencies are increasingly using cloud computing services. Cloud computing offers benefits but also poses cybersecurity risks. OMB requires agencies to use the Federal Risk and Authorization Management Program to authorize their use of cloud services.
Although agencies increased their program use—authorizations were up 137% from 2017 to 2019—15 of the 24 agencies we surveyed reported that they didn’t always use the program. Our 4 case study agencies didn’t fully implement key elements of the authorization process. Also, OMB didn’t monitor use of the program.
We made 24 recommendations to 4 agencies, plus one to OMB to improve oversight.
Highlights
What GAO Found
The 24 federal agencies GAO surveyed reported using the Federal Risk and Authorization Management Program (FedRAMP) for authorizing cloud services. From June 2017 to July 2019, the number of authorizations granted through FedRAMP by the 24 agencies increased from 390 to 926, a 137 percent increase. However, 15 agencies reported that they did not always use the program for authorizing cloud services. For example, one agency reported that it used 90 cloud services that were not authorized through FedRAMP and the other 14 agencies reported using a total of 157 cloud services that were not authorized through the program. In addition, 31 of 47 cloud service providers reported that during fiscal year 2017, agencies used providers' cloud services that had not been authorized through FedRAMP. Although the Office of Management and Budget (OMB) required agencies to use the program, it did not effectively monitor agencies' compliance with this requirement. Consequently, OMB may have less assurance that cloud services used by agencies meet federal security requirements.
Four selected agencies did not consistently address key elements of the FedRAMP authorization process (see table). Officials at the agencies attributed some of these shortcomings to a lack of clarity in the FedRAMP guidance.
Agency Implementation of Key Elements of the FedRAMP Authorization Process

Element | HHS | GSA | EPA | USAID
---|---|---|---|---
Control implementation summaries identified security control responsibilities | ● | ● | ● | ●
Security plans addressed required information on control implementation | ◐ | ◐ | ◐ | ●
Security assessment reports summarized results of control tests | ◐ | ◐ | ◐ | ●
Remedial action plans addressed required information | ◐ | ◐ | ◐ | ◐
Cloud service authorizations prepared and provided to FedRAMP Program Office | ◐ | ● | ◐ | ◐

Legend: ● fully addressed the element; ◐ partially addressed the element
FedRAMP = Federal Risk and Authorization Management Program; HHS = Department of Health and Human Services; GSA = General Services Administration; EPA = Environmental Protection Agency; USAID = U.S. Agency for International Development
Source: GAO analysis of agency documentation | GAO-20-126
Program participants identified several benefits, but also noted challenges with implementing FedRAMP. For example, almost half of the 24 agencies reported that the program had improved the security of their data. However, participants reported ongoing challenges with the resources needed to comply with the program. GSA took steps to improve the program, but its FedRAMP guidance on requirements and responsibilities was not always clear, and the program's process for monitoring the status of security controls over cloud services was limited. Until GSA addresses these challenges, agency implementation of the program's requirements will likely remain inconsistent.
Why GAO Did This Study
Federal agencies use internet-based (cloud) services to fulfill their missions. GSA manages FedRAMP, which provides a standardized approach to ensure that cloud services meet federal security requirements. OMB requires agencies to use FedRAMP to authorize the use of cloud services.
GAO was asked to review FedRAMP. The objectives were to determine the extent to which 1) federal agencies used FedRAMP to authorize cloud services, 2) selected agencies addressed key elements of the program's authorization process, and 3) program participants identified FedRAMP benefits and challenges. GAO analyzed survey responses from 24 federal agencies and 47 cloud service providers. GAO also reviewed policies, plans, procedures, and authorization packages for cloud services at four selected federal agencies and interviewed officials from federal agencies, the FedRAMP program office, and OMB.
Recommendations
GAO is making one recommendation to OMB to enhance oversight, two to GSA to improve guidance and monitoring, and 22 to the selected agencies, including GSA. GSA and HHS agreed with the recommendations, USAID generally agreed, EPA generally disagreed, and OMB neither agreed nor disagreed. GAO revised four recommendations and withdrew one based on new information provided; it maintains that the remaining recommendations are warranted.
Recommendations for Executive Action
Agency Affected | Recommendation | Status
---|---|---
Office of the Director | Priority Rec. The Director of OMB should establish a process for monitoring and holding agencies accountable for authorizing cloud services through FedRAMP. (Recommendation 1) | OMB neither agreed nor disagreed with this recommendation. In May 2023, OMB stated that it had established a process for holding agencies accountable for authorizing cloud services through FedRAMP and that it was working with the FedRAMP program management office to document the process. In its March 2024 update, OMB stated that it has actions underway. We will update the status of this recommendation when OMB provides information on its corrective actions. However, OMB has yet to provide support or planned dates for documenting the process. To fully implement this recommendation, OMB needs to collect data on the extent to which federal agencies are using cloud services authorized outside of FedRAMP and oversee agencies' compliance with using the program. Greater OMB oversight through such a process could increase federal agency participation in the FedRAMP program. It also may provide greater assurance that agency information stored in a cloud environment is better protected and aligns with federal security requirements.
GSA Office of the Administrator | The Administrator of GSA should direct the Director of FedRAMP to clarify guidance to agencies and cloud service providers on program requirements and responsibilities. (Recommendation 2) | In fiscal year 2021, we verified that the Director of FedRAMP, in response to our recommendation, took actions to clarify guidance to agencies and cloud service providers on program requirements and responsibilities. Specifically, the FedRAMP Program Management Office (PMO) updated the Customer Implementation Summary and Customer Responsibility Matrix templates for high, moderate, and low systems to include clear guidance on agencies' and cloud service providers' responsibilities. Additionally, the FedRAMP PMO continued to host training opportunities for agencies and cloud service providers to help clarify guidance on the program's requirements and responsibilities. The PMO also streamlined the FedRAMP website to make it easier to access guidance and templates, among other things. These actions help ensure that responsibilities for implementing the program are clear and help agencies to better implement security controls over the cloud services they authorized.
GSA Office of the Administrator | The Administrator of GSA should direct the Director of FedRAMP to improve the program's continuous monitoring process by allowing more automated capabilities, including for agencies to review documentation. (Recommendation 3) | According to the General Services Administration (GSA), it has taken several actions to address the recommendation. In June 2021, GSA reported that the FedRAMP Program Management Office (PMO), in collaboration with the National Institute of Standards and Technology, developed a common machine-readable language to automate the submission and review of security deliverables associated with authorization and continuous monitoring. Additionally, in January 2022, a GSA official stated that the agency drafted a framework and guidance intended to provide FedRAMP's clients and the PMO with a secure solution for their data transfer and storage needs in a secure public-facing Web Application Programmer Interfaces (WebAPI) ecosystem. As of July 2023, these documents have not been finalized. Further, the GSA official reported that FedRAMP is planning on implementing WebAPIs as an integral part of the automation effort, and it is currently working on a platform to deploy APIs. We will continue to monitor the agency's efforts to implement the recommendation.
GSA Office of the Administrator | The Administrator of GSA should update security plans for selected systems to include the description of security controls and reviews and approvals of the plans. (Recommendation 4) | In fiscal year 2021, we verified that GSA, in response to our recommendation, updated security plans for selected systems to include the description of security controls and reviews and approvals of the plans. By taking this action, GSA has increased assurance that security controls are in place and operating as intended.
GSA Office of the Administrator | The Administrator of GSA should update the security assessment report for the selected system to identify the summarized results of control effectiveness tests. (Recommendation 5) | In fiscal year 2022, we verified that GSA, in response to our recommendation, updated the security assessment report for the selected system to identify the summarized results of control effectiveness tests. By taking this action, GSA has increased assurance that the controls intended to protect agency data in the cloud environment are in place and operating effectively.
GSA Office of the Administrator | The Administrator of GSA should update the list of corrective actions for selected systems to identify the responsible office, estimated funding required, and anticipated source of funding. (Recommendation 6) | In fiscal year 2022, we verified that GSA, in response to our recommendation, identified the party responsible for addressing the weakness, the estimated funding required, and the anticipated source of funding for the selected systems. By taking this action, GSA has increased assurance that the agency is more effectively assessing, prioritizing, and monitoring efforts to resolve weaknesses in the agency's systems.
GSA Office of the Administrator | The Administrator of GSA should develop guidance requiring that cloud service authorization letters be provided to the FedRAMP program management office. (Recommendation 7) | In fiscal year 2021, we verified that GSA, in response to our recommendation, updated its guidance to require that cloud service authorization letters be provided to the FedRAMP Program Management Office (PMO). This action may reduce the risk that the FedRAMP PMO will not have accurate information on GSA's usage of approved cloud services.
Office of the Secretary for HHS | The Secretary of HHS should direct the Director of CDC to update the security plan for the selected system to identify the authorization boundary, the system operational environment and connections, a description of security controls, and the individual reviewing and approving the plan and date of approval. (Recommendation 8) | In fiscal year 2022, we verified that CDC, in response to our recommendation, updated the security plan for its selected system to fully document the required information, including the description of the authorization boundary, system operational environment and connections, and security controls, in addition to the individual reviewing and approving the plan and the date of approval. By taking this action, CDC has increased assurance that security controls are properly in place and operating as intended, which met the intent of our recommendation.
Office of the Secretary for HHS | The Secretary of HHS should direct the Director of CDC to update the security assessment report for the selected system to identify the summarized results of control effectiveness tests. (Recommendation 9) | In fiscal year 2022, we verified that CDC, in response to our recommendation, updated the security assessment report to include a summary of the control status and implementation for the selected system. By taking this action, CDC has increased assurance that security controls are in place and operating as intended.
Office of the Secretary for HHS | The Secretary of HHS should direct the Director of CDC to update the list of corrective actions for the selected system to identify the specific weaknesses, funding source, changes to milestones and completion dates, identified source of weaknesses, and status of corrective actions. (Recommendation 10) | In fiscal year 2022, we verified that CDC, in response to our recommendation, updated its remedial action plans to include the required information. Because of these steps, CDC has increased its ability to effectively assess, prioritize, and monitor efforts to resolve weaknesses in its information systems.
Office of the Secretary for HHS | The Secretary of HHS should direct the Administrator of CMS to update the system security plans for selected systems to identify a description of security controls. (Recommendation 11) | In fiscal year 2022, we verified that CMS, in response to our recommendation, updated the system security plans for selected systems to identify a description of security controls. By taking this action, CMS has increased assurance that security controls are properly in place and operating as intended.
Office of the Secretary for HHS | The Secretary of HHS should direct the Administrator of CMS to update the security assessment report for the selected system to identify the summarized results of control effectiveness tests. (Recommendation 12) | In fiscal year 2023, we verified that CMS, in response to our recommendation, updated the security assessment report for the selected system to identify the summarized results of control effectiveness tests. By taking this action, CMS has increased assurance that security controls are in place and operating as intended.
Office of the Secretary for HHS | The Secretary of HHS should direct the Administrator of CMS to update and document the CMS remedial action plan for the selected system to identify the anticipated source of funding. (Recommendation 13) | In fiscal year 2022, we verified that CMS, in response to our recommendation, updated and documented its remedial action plans to identify the anticipated source of funding. By taking this action, CMS has increased its ability to effectively assess, prioritize, and monitor efforts to resolve weaknesses in its information systems.
Office of the Secretary for HHS | The Secretary of HHS should direct the Administrator of CMS to prepare letters authorizing the use of cloud services for the selected systems and submit the letters to the FedRAMP program management office. (Recommendation 14) | In fiscal year 2022, we verified that CMS, in response to our recommendation, prepared the letters authorizing the use of cloud services for the selected systems and submitted the letters to the FedRAMP PMO. This action increases assurance that the PMO has accurate information on CMS's usage of approved cloud services. Further, having such information will help the PMO in notifying agencies when a service provider's authorization has been revoked or a provider has experienced a security incident.
Office of the Secretary for HHS | The Secretary of HHS should direct the Director of NIH to update security plans for selected systems to identify the authorization boundary, system operation in terms of mission and business processes, operational environment and connections, and a description of security controls. (Recommendation 15) | In June 2022, NIH decommissioned one of the selected systems. In fiscal year 2023, we verified that NIH, in response to our recommendation, updated the system security plan for the other selected system to identify the authorization boundary, system operation in terms of mission and business processes, operational environment and connections, and a description of security controls. By taking this action, NIH has increased assurance that security controls are properly in place and operating as intended.
Office of the Secretary for HHS | The Secretary of HHS should direct the Director of NIH to update the security assessment report for selected systems to identify summarized results of control effectiveness tests. (Recommendation 16) | In June 2022, NIH decommissioned one of the selected systems. In fiscal year 2023, we verified that NIH, in response to our recommendation, updated the security assessment report for the other selected system to identify summarized results of control effectiveness tests. By taking this action, NIH has increased assurance that security controls are in place and operating as intended.
Office of the Secretary for HHS | The Secretary of HHS should direct the Director of NIH to update the NIH list of corrective actions for selected systems to identify estimated funding and anticipated source of funding, key milestones with completion dates, and changes to milestones and completion dates. (Recommendation 17) | In June 2022, NIH decommissioned one of the selected systems. In fiscal year 2023, we verified that NIH, in response to our recommendation, updated and documented its remedial action plans for the other selected system to identify estimated funding and anticipated source of funding, key milestones with completion dates, and changes to milestones and completion dates. By taking this action, NIH has increased its ability to effectively assess, prioritize, and monitor efforts to resolve weaknesses in its information system.
Office of the Secretary for HHS | The Secretary of HHS should direct the Director of NIH to submit the division's letters authorizing the use of cloud services for the selected systems to the FedRAMP program management office. (Recommendation 18) | In June 2022, NIH decommissioned one of the selected systems. In fiscal year 2023, we verified that NIH, in response to our recommendation, submitted the letter authorizing the use of cloud services for the other selected system to the FedRAMP PMO. This action increases assurance that the PMO has accurate information on NIH's usage of approved cloud services. Further, having such information will help the PMO in notifying agencies when a service provider's authorization has been revoked or a provider has experienced a security incident.
Environmental Protection Agency | The Administrator of EPA should update the security plan for the selected operational system to identify a description of security controls, and the individual reviewing and approving the plan and date of approval. (Recommendation 19) | In fiscal year 2023, we verified that EPA, in response to our recommendation, updated the security plan for the selected operational system to include the description of security controls, the review and approval of the plan, and the date of approval. By taking this action, EPA has increased assurance that security controls are in place and operating as intended.
Environmental Protection Agency | The Administrator of EPA should update the security assessment report for the selected operational system to identify the summarized results of control effectiveness tests. (Recommendation 20) | In fiscal year 2023, we verified that EPA, in response to our recommendation, updated the security assessment report for the selected operational system to identify the summarized results of control effectiveness tests. By taking this action, EPA has increased assurance that the controls intended to protect agency data in the cloud environment are in place and operating effectively.
Environmental Protection Agency | The Administrator of EPA should update the list of corrective actions for the selected operational system to identify the specific weakness, estimated funding and anticipated source of funding, key remediation milestones with completion dates, changes to milestones and completion dates, and source of the weaknesses. (Recommendation 21) | In May 2023, we requested supporting documentation to close this recommendation. Once EPA provides the supporting documentation, we will provide updated information.
Environmental Protection Agency | The Administrator of EPA should prepare the letter authorizing the use of cloud service for the selected operational system and submit the letter to the FedRAMP program management office. (Recommendation 22) | In May 2023, we requested supporting documentation to close this recommendation. Once EPA provides the supporting documentation, we will provide updated information.
Environmental Protection Agency | The Administrator of EPA should develop guidance requiring that cloud service authorization letters be provided to the FedRAMP program management office. (Recommendation 23) | In May 2023, we requested supporting documentation to close this recommendation. Once EPA provides the supporting documentation, we will provide updated information.
U.S. Agency for International Development | The Administrator of USAID should update the list of corrective actions for the selected system to include the party responsible for addressing the weakness, and the source of the weakness. (Recommendation 24) | In fiscal year 2020, we verified that USAID, in response to our recommendation, updated the list of corrective actions for the selected system to include the party responsible for addressing the weakness, and identified the source of the weakness. By taking this action, USAID has increased assurance that it is effectively assessing, prioritizing, and monitoring efforts to resolve weaknesses in the agency's system.
U.S. Agency for International Development | The Administrator of USAID should prepare the letter authorizing the use of cloud service for the selected system and submit the letter to the FedRAMP program management office. (Recommendation 25) | In fiscal year 2020, we verified that USAID, in response to our recommendation, prepared the letter authorizing the use of cloud service for the selected system and submitted the letter to the FedRAMP program management office. This action reduces the risk that the office will not have accurate information on USAID's usage of approved cloud services.