FedRAMP Certified vs. Non-FedRAMP Certified Cloud Services at the USDOT

Published: October 11, 2023

Tags: Federal Market Analysis, Cloud Computing, Contracting Trends, Cybersecurity, Information Technology, Spending Trends, DOT

A recent audit revealed weaknesses in the U.S. Department of Transportation’s cybersecurity posture.

Since the publication in May 2021 of Executive Order 14028, which directed federal agencies to shore up their cybersecurity posture by building out zero trust architecture (ZTA), the U.S. Department of Transportation (DOT) has been investing in cloud-based capabilities. The Office of the Inspector General (OIG) therefore initiated an audit of the cloud services used by the DOT “to assess the effectiveness of the Department’s cloud systems’ security and privacy controls and strategy to secure cloud services in order to implement ZTA.” The OIG published its audit findings last week, and they showed that the DOT does not consistently implement the security and privacy controls necessary to protect cloud-based systems. Additionally, the OIG noted:

  • The DOT does not effectively follow federal requirements and best practices to protect cloud systems from cyberattacks.
  • The DOT does not always effectively manage and secure the computing resources for its cloud-based systems by using secure configuration baselines, implementing multi-factor authentication, encrypting data, or updating software.
  • The DOT does not consistently use the appropriate mechanisms to detect, mitigate, and report cyberattacks on cloud-based systems.

In conclusion, the OIG made 21 recommendations, two of which are directly related to the GSA’s FedRAMP Program. These recommendations included suggesting that the DOT Chief Information Officer:

  • Submit an Authorization to Operate letter to the Federal Risk and Authorization Management Program (FedRAMP) Program Management Office before adopting and using cloud services to ensure (1) cloud services comply with FedRAMP security baselines, and (2) FedRAMP has an accurate inventory of DOT cloud services and cloud service providers.
  • Conduct a quality and risk review of the Department’s cloud service providers’ cloud service offering authorization packages to ensure that each clearly and accurately reflects the cloud service offering’s security posture, so that DOT’s Authorizing Official can make an informed, risk-based authorization decision, as required by FedRAMP.

These recommendations got me wondering just how many FedRAMP certified cloud services the DOT actually uses and where the proverbial “holes” in non-FedRAMP certified systems could be found. The data I have for that is presented below.

FY 2020-2022 DOT Spending on FedRAMP Certified Systems vs. Non-FedRAMP Certified Systems

When spending is separated into FedRAMP certified cloud services and non-FedRAMP certified services, the data confirms the OIG’s findings. The DOT does spend more every year on FedRAMP certified services, but at the same time its spending on non-FedRAMP certified services also grows.

FY 2020-2022 FedRAMP Certified Services vs. Non-FedRAMP Certified Services

The chart above shows the number of cloud services used by the DOT from FY 2020 to 2022, divided into those that are FedRAMP certified and those that are not. This data also shows that the DOT continues to use non-FedRAMP certified services, although the number of uncertified services used is growing at a much slower pace.

FY 2020-2022 FedRAMP Certified vs. Non-FedRAMP Certified Services Used by DOT Component

Drilling into the data by component reveals where the use of non-FedRAMP certified services is most prevalent. As is to be expected given its size, the Federal Aviation Administration uses the highest number of uncertified cloud services. The Office of the Secretary is also a problem child when it comes to using uncertified cloud services. Ironically, even the OIG itself uses two cloud services that do not have FedRAMP certification.

Summing up, the DOT components shown above will need to remediate the holes in their cybersecurity posture identified by the OIG. The question for industry is whether DOT/component staff will address the challenge themselves or whether the DOT will work with an industry partner to accomplish its goals. Contractors working at the DOT may want to begin asking this question to see if there could be a business opportunity.