Audit: Cloud Use Up But Agencies Skirting FedRAMP

The use of cloud computing is up among federal agencies, but agencies frequently skirt Office of Management and Budget requirements to ensure those cloud solutions are authorized by the Federal Risk and Authorization Management Program, according to the Government Accountability Office.


In an audit released Dec. 12, GAO said the General Services Administration’s FedRAMP office, which checks that cloud solutions meet government security requirements, increased the number of issued authorizations 137% from 2017 to 2019.


However, 15 of 24 CFO Act agencies GAO surveyed reported that they did not always use FedRAMP in selecting cloud services. One agency—which GAO did not name—reported that it used “90 cloud services that were not authorized through FedRAMP,” while the remaining 14 agencies reported using a total of 157 unauthorized cloud services.


The audit lists several explanations agency officials gave for deciding not to use FedRAMP-authorized cloud offerings, even though doing so violates OMB policy.


“Officials from two of the agencies stated that they were unable to identify providers authorized through the program that could meet their unique needs,” the audit states. “An official from a third agency noted that the efforts to meet the program’s requirements were labor-intensive and that it was too expensive for the providers to become compliant with FedRAMP. In addition, that official stated that providers did not want to pursue FedRAMP compliance unless they had enough demand from federal customers.”


In its audit, GAO includes explanations provided by the FedRAMP program management office. The FedRAMP official indicated “agencies had misperceptions of the program, its process and resources required” for authorizations. The official added that some agencies may not use FedRAMP “because of internal resource constraints based on other competing agency priorities.”


GAO added another reason: ..
