GAO and Agency FedRAMP Cloud Service Offerings

Last week the Government Accountability Office (GAO) published the results of a study titled “Federal Authorization Program Usage Increasing, but Challenges Need to Be Fully Addressed.” The GAO’s objectives for the study included identifying “(1) the frequency and types of services agencies have used under FedRAMP; (2) the amounts of costs incurred by selected agencies and CSPs in pursuing FedRAMP authorizations; and (3) the key challenges selected agencies and CSPs face in the authorization process and … the extent to which [the General Services Administration] (GSA) and Office of Management and Budget (OMB) have taken actions to address them.”

To accomplish these goals, the GAO sent a questionnaire to the “Departments of Health and Human Services (HHS), Homeland Security (DHS), Labor, the Treasury, Veterans Affairs (VA); and the Small Business Administration (SBA).” GAO also queried “13 CSPs, including three small businesses, that had pursued FedRAMP authorizations.” They then analyzed the responses and reported the data. The most important of these observations, from this analyst’s perspective, are:

• The GSA has not yet fully implemented an earlier GAO recommendation to improve the FedRAMP program’s continuous monitoring process by allowing more automated capabilities.
• From July 2019 to April 2023, the 24 Chief Financial Officers’ Act agencies’ use of FedRAMP authorizations increased from 926 to 1,478 authorizations, representing a 60% increase.
• Agencies have primarily used FedRAMP authorizations for SaaS capabilities.
• Two of the six selected agencies (VA and Treasury) stated they had used cloud services that were not FedRAMP authorized. Another nine agencies reported to OMB that for the first quarter of fiscal year 2023 they were using cloud services that were not FedRAMP authorized.
• Fourteen agencies reported that they were only using FedRAMP authorized cloud services.
• Reported FedRAMP authorization costs ranged from $69K to $400K, with a few as low as $12K and one as high as $706K.

I’d like to compare some of this data to the cloud market data collected by GovWin’s Federal Market Analysis (FMA) team. As always, this data is freely available to the GAO and OMB, should they wish to see it. FMA’s data shows some discrepancies, which is why I post it here.

First, concerning the number of FedRAMP authorizations reported by the 24 CFO Act Agencies. FMA counts contract awards for cloud-based capabilities and then classifies them as FedRAMP-approved or not approved based on the information on the FedRAMP Marketplace website. This contrasts with the numbers reported by the GAO, which are for the number of authorizations each agency has completed. FMA’s numbers show that the use of FedRAMP-approved capabilities/services by CFO Act agencies rose from 1,029 in FY 2019 to 3,612 in FY 2022 (the last year for which we have full data). This means the use of FedRAMP’ed capabilities rose 251% over four years.

Second, regarding CFO Act agencies using non-FedRAMP-approved capabilities in Q1 of FY 2023. FMA’s data is for all of FY 2022. According to that data, these agencies used 2,137 non-FedRAMP-approved capabilities/services. This is up from 693 in FY 2019. Every agency awarded contracts for non-FedRAMP’ed capabilities/services in FY 2022. No agency notched a decline in the use of non-FedRAMP’ed capabilities/services from FY 2019-2022.

Summing up, FMA’s contract award data reveals trends similar to those in the GAO’s data. Federal agencies are in general using FedRAMP’ed capabilities/services more than ever. Similarly, FMA has been noting for years in its reports and blogs that agency use of SaaS has been rising the most. This is largely because large commodity service providers have locked up the market for Infrastructure- and, to a lesser extent, Platform-as-a-Service. By contrast, however, FMA’s data shows that agencies continue to use capabilities/services that are not FedRAMP approved. This is in part because many of those SaaS capabilities are hosted in FedRAMP-approved environments.

Whether FedRAMP has made cloud services safe to use remains unknown. After all, there have been several highly visible breaches of FedRAMP’ed services, including one reported only recently. That said, the FedRAMP Program is now ensconced in law, so it is here to stay.