The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer. All content provided on this blog is for informational purposes only. The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. The owner will not be liable for any errors or omissions in this information nor for the availability of this information. The owner will not be liable for any losses, injuries, or damages from the display or use of this information. This policy is subject to change at any time. The owner is not an attorney, and nothing posted on this site should be construed as legal advice. Litigation Support Tip of the Night does not provide confirmation that any e-discovery technique or conduct is compliant with legal, regulatory, contractual or ethical requirements.
In December 2019, the United States Government Accountability Office (GAO) published a report on the spread of FedRAMP amongst government agencies, and the impact the program made on cyber security in the United States government. See, United States Government Accountability Office, CLOUD COMPUTING SECURITY: Agencies Increased Their Use of the Federal Authorization Program, but Improved Oversight and Implementation Are Needed, Report No. 20-126 (Dec. 2019), available at https://www.gao.gov/assets/710/703193.pdf. FedRAMP is a program created by the Office of Management and Budget, and is administered by the General Services Administration. It sets guidelines to ensure cloud services are provided safely, rapidly, and in a cost effective manner.
Several big agencies had trouble implementing certain parts of the FedRAMP program, including the GSA itself:
. . . it was particularly difficult to fully implement plans to take remedial action. Government agencies were not ready to address the shortcomings in their cloud security. Funding may be a key part of the problem:
Of the 24 federal agencies surveyed by the GAO, less than half reported that the program improved their computer security.