Good news - US government cloud adoption is rising; bad news - over half of it isn't security compliant

By Stuart Lauchlan, December 16, 2019
Summary:
Even in an era when government systems exposure to interference is well-known, buyers and sellers are cutting corners.


The controversy around the awarding of the $10 billion JEDI contract has dominated headlines of late, but there’s good news and bad news about US government cloud take-up elsewhere. 

The good news - cloud adoption is on the rise across government; the bad news - over half of it isn’t going through the authorized channels and as such can be seen as risky security practice. 

A new study from the US Government Accountability Office (GAO) reveals that 15 out of 24 agencies examined have not always used the Federal Risk and Authorization Management Program (FedRAMP) as required when procuring cloud services. One agency alone had 90 instances of unauthorized cloud services procurement. This has serious implications, warns the GAO:

Weaknesses in these controls could lead to vulnerabilities affecting the confidentiality, integrity, and availability of agency information.

FedRAMP has been in place since 2011, set up by the Office of Management and Budget (OMB) to ensure appropriate security levels for cloud service providers to meet, based on the types of data handled by the purchasing agency. There are three levels - low, moderate and high - with high impact data defined as that which could have a “catastrophic adverse effect” if compromised. 

Google Cloud Platform recently became the latest of the major providers to receive FedRAMP High authorization across 17 products that it is now able to sell into agencies with the most rigorous security requirements. 

Cutting corners 

On a positive note, FedRAMP authorizations jumped from 390 to 926 between June 2017 and June 2019. Those authorizations were mostly for Software-as-a-Service, at more than half (56%), followed by Infrastructure-as-a-Service (26%) and Platform-as-a-Service (18%).

But despite awareness of FedRAMP across government, the likes of the General Services Administration, the US Environmental Protection Agency (EPA), the US Agency for International Development and the Department of Health and Human Services need to clean up their acts and take action retrospectively to meet the requirements laid down.

In a further criticism from the GAO, the OMB - which introduced FedRAMP in the first place - is accused of not effectively monitoring compliance with the requirement. Some 47 cloud service providers were questioned as part of the study, with 31 of them admitting that as recently as 2017, government customers had been making procurements without the proper authorization being in place. The GAO report states: 

OMB has issued a number of policies encouraging agencies to adopt cloud computing solutions and requiring agencies to use FedRAMP for authorizing cloud services. Nevertheless, OMB has not monitored agencies’ compliance or held agencies accountable for complying with the requirement to ensure that agencies are using the program to authorize their cloud services.

Focusing on the four agencies most closely examined, it adds: 

Although the four selected agencies included key documents supporting FedRAMP’s authorization process, they did not consistently include key information in those documents.

Interestingly, EPA CIO Vaughn Noga pushed back against the criticisms, arguing that the GAO comments were based on its examination of a system that was not in production or used for operational purposes.

On the sell side, cloud service providers complained that the FedRAMP certification process is too lengthy and cumbersome, while on the buy side, agencies had similar issues, citing cost and lack of skilled resources needed to understand the authorization requirements. Buyers also claimed that their specific needs were unique and as such didn’t get addressed by FedRAMP. These are not criticisms on either side

Among 25 recommendations, the GAO is now calling on the OMB to step up its monitoring of FedRAMP usage and to offer clearer guidance to all parties. For its part, the OMB isn't entirely happy with the GAO conclusions, claiming that the survey methodology meant its conclusions were based on perception, not objective fact.

JEDI wars

Meanwhile the Department of Defense’s awarding of the JEDI - Joint Enterprise Defense Infrastructure - contract to Microsoft continues to attract controversy. Amazon has now filed a legal complaint openly accusing US President Donald Trump of interfering with the deal for personal and political gain.

According to Amazon’s complaint, Trump's interference made it impossible for the Pentagon to judge a winner “reasonably, consistently, and in a fair and equal manner”. It states: 

The stakes are high. The question is whether the President of the United States should be allowed to use the budget of DoD (Department of Defense) to pursue his own personal and political ends… In this case, the President made it widely known to everyone—including on publicly broadcast television and through his prolific tweets—that DoD should not award the JEDI contract to AWS (Amazon Web Services).

My take

The JEDI fuss is a unique incident, but the outcome will set an important precedent. Microsoft is currently setting about hiring the extra qualified staff needed to meet the contract's demands, but it's entirely possible that everything could end up on hold while the Trump accusations are addressed. On a more general note, it is encouraging to see an uptick in cloud services adoption, but the seemingly widespread indifference to the FedRAMP requirements is alarming. The OMB needs to wield a much bigger stick in the direction of buyers and sellers. The integrity of some of the most sensitive government systems can't be left open to compromise, particularly in an era when interference by foreign governments is an acknowledged reality.