While the Federal government certifies cloud vendors as secure through the General Services Administration’s (GSA) Federal Risk and Authorization Management Program (FedRAMP), an official at the Government Accountability Office (GAO) shared striking statistics about agencies going outside of the program for cloud vendors, which can lead to vulnerabilities.
Nick Marinos, the director of GAO’s IT and cybersecurity office, warned of the consequences of the inconsistencies GAO has witnessed and previewed some of the reports the agency is working on to combat the issue at a June 16 NextGov webinar.
Marinos mentioned two cases that GAO witnessed in reviewing agencies’ compliance with FedRAMP. In one, Marinos said a single agency had used vendors outside the FedRAMP program 90 times for cloud services. In another, Marinos said GAO reviewed 14 agencies, and they reported 157 cloud services in use that were not authorized through the FedRAMP program.
“The problem there [is] the inconsistency leads to vulnerability,” Marinos said. “If the agency now has the responsibility to, on its own, assess the viability [and] the cybersecurity capabilities of the cloud provider, then we’re losing economies of scale.”
“We’re losing the benefit of having a certain amount of expertise in key parts of the Federal government that can do that sort of vetting for the agencies, [which is] the whole point and the purpose of FedRAMP,” Marinos said.
Marinos said one of the benefits of the recent White House cyber executive order (EO) is that it sets expectations for how vendor programs need modernization and for how agencies like the Office of Management and Budget (OMB) and GSA can look at how FedRAMP can better serve agencies.
“One of the key elements that I would just kind of come back to is, whether it’s a cloud provider that you are acquiring yourself or as an agency leader … or using the FedRAMP process, the law says the agency head is responsible for ensuring the cybersecurity of government information, whether the government agency itself is processing it, or someone is doing it on its behalf,” Marinos said. “That puts them squarely in place of doing good oversight of contractors.”
Marinos said that, in addition to having “quite a few” reports in the pipeline about vendor cloud security, GAO is also working on a review of the ongoing Federal efforts on the topic of ransomware.
“That’s quite a big topic of interest within Congress, and so we hope that our report can help to advance some of the ideas, not only on how agencies can do better, but how Congress might want to consider legislation to make it an easier way for us to provide that support,” Marinos said.
Marinos said the ransomware report will focus on the Federal government’s efforts to support state and local governments that find themselves on the wrong end of ransomware attacks. He also mentioned that GAO is likely to look at the FedRAMP program again in the near future.