The WasteWatcher: The Staff Blog of Citizens Against Government Waste

FedRAMP Four Years Later

The WasteWatcher is the staff blog of Citizens Against Government Waste (CAGW) and the Council for Citizens Against Government Waste (CCAGW). For questions, contact

On June 6, 2012, the Federal Risk Assessment Management Program (FedRAMP) began accepting applications from cloud service providers and federal agencies to obtain authorization to operate (ATO) cloud services within the federal government.  On October 27, 2016, the Government Accountability Office (GAO) announced it will begin an audit of the program to measure its progress, strengths and weaknesses.

Agencies are required to use required to use FedRAMP when deploying cloud solutions instead of wasting time and taxpayer dollars creating their own separate processes for approval of cloud providers.  FedRAMP uses a framework co-developed by cloud and cybersecurity experts at GSA, National Institutes of Standards and Technology, Department of Homeland Security, Department of Defense, National Security Administration, OMB, the federal CIO and private industry to assist government agencies make better decisions when purchasing cloud tools and services.  As of November 3, 2016, there are 77 cloud products with ATOs; 4 applications that are ready for authorization; and, 49 applications in process.    

GAO audits on programs like FedRAMP are critical to the improvement of programs within the federal government.  Therefore, it is good to review FedRAMP at this point in time.  Among concerns that have been raised over the years about the program are the high cost to applicants wishing to provide cloud services to the federal community, and the timeframe for obtaining an ATO. 

At a May 14, 2013 House Oversight and Government Reform Government Operations Subcommittee hearing, witnesses raised concerns about the lengthy process for FedRAMP’s certification process.  An October 27, 2016 article estimated the median cost to a company seeking an ATO to be around $2.25 million.  However, despite the high cost and lengthy approval time, FedRAMP offers benefits to federal agencies that include multiple routes to authorization; encouraging built-in security; ease for agencies to share ATOs once approved; and, broad appeal to federal, state, and local agencies wishing to minimize risk to data and constituent information.

Auditing a program after four years is a good way to measure its progress, and it will be interesting to review GAO’s assessment once it is released.


Sign Up for Email Updates!Click Here!

View Archives

Posts by Author

Posts by Tag

Big Government (152) Obamacare (75) Waste (74) Healthcare (70) Budget (69) Congress (69) Uncategorized (56) Telecommunications (50) Internet (48) Technology (45) Debt (43) Deficit (43)