Cloud Computing Security: Agencies Increased Their Use of the Federal Authorization Program, but Improved Oversight and Implementation Are Needed

reportActive / Technical Report | Accession Number: AD1116066 | Open PDF

Abstract:

Federal agencies use internet-based cloud services to fulfill their missions. GSA manages FedRAMP, which provides a standardized approach to ensure that cloud services meet federal security requirements. OMB requires agencies to use FedRAMP to authorize the use of cloud services. GAO was asked to review FedRAMP. The objectives were to determine the extent to which 1 federal agencies used FedRAMP to authorize cloud services, 2 selected agencies addressed key elements of the programs authorization process, and 3 program participants identified FedRAMP benefits and challenges. GAO analyzed survey responses from 24 federal agencies and 47 cloud service providers. GAO also reviewed policies, plans, procedures, and authorization packages for cloud services at four selected federal agencies and interviewed officials from federal agencies, the FedRAMP program office, and OMB.

Author(s):
Wilshusen, Gregory C.
Author Organization(s):
United States Government Accountability Office Washington United States
Descriptive Note:
Technical Report
Pagination:
0087

Security Markings

DOCUMENT & CONTEXTUAL SUMMARY

Distribution:
Approved For Public Release
Distribution Statement:
Approved For Public Release;

RECORD

Collection: TR
Identifying Numbers
Report Number(s):
GAO-20-126
 Subject Terms
Joint Capability Areas:
JCA_5_Command and Control; JCA_6.4.1_Secure Information Exchange; JCA_5.3_Planning; JCA_6_Net Centric; JCA_6.4_Information Assurance; JCA_5.6_Monitor; JCA_6.2.1_Information Sharing; JCA_6.2.2_Computing Services; JCA_5.6.4_Assess Guidance; JCA_6.2.3_Core Enterprise Services; JCA_5.3.4_Develop Courses of Action; JCA_5.3.5_Analyze Courses of Action; JCA_5.3.2_Apply Situational Understanding; JCA_5.3.3_Develop Strategy; JCA_6.2_Enterprise Services; JCA_5.6.3_Assess Achievement of Objectives; JCA_5.6.1_Assess Compliance with Guidance; JCA_5.5.1_Communicate Intent and Guidance; JCA_5.5_Direct; JCA_3.2_Engagement; JCA_3_Force Application
Modernization Areas:
Cyber
Communities of Interest:
Cyber
Descriptor(s):
cloud computing, cybersecurity, internet, standards, GAP ANALYSIS, reliability, electronic mail, information systems
Field(s)/Group(s):
Computer Systems Management and Standards, Information Science
Keyword(s):
fedramp, cloud services, authorization
Report Date:
2019 Dec 01
Creation Date:
2020 Nov 25