FedRAMP Lacks Mission Clarity According to Audit

A March 27 audit from GSA’s Office of the Inspector General (OIG) found that the Federal Risk and Authorization Management Program (FedRAMP) lacked a way of measuring its success because its mission and goals were not clearly defined.

Federal cloud migrations lacked standardization before officials at the General Services Administration (GSA) collaborated with other federal agencies to create FedRAMP in 2011. FedRAMP was developed to accelerate the process of cloud adoption across the federal government. However, the audit pointed to a few problems with the program.

The main faults identified by the OIG lie in the mission statement, which “does not provide a clear and concise direction”; the objective statements, which “are not specific and measurable”; and a lack of overall alignment between mission, goals, and objectives.

Auditors claim that the mission statement was more of a list of goals than a succinct, singular narration of the broader context of the problem. Thus, the mission statement was “not presented in a way that [was] focused or easily communicated, creating confusion as to its central purpose and vision of what needs to be accomplished.”

Additionally, according to the audit, the objective statements were not specific enough to be understood by stakeholders and the public – or even easily distinguished from each other. OIG pointed out that one objective was “increase cloud services working with FedRAMP” while the other was “increase authorized cloud services,” and that these statements might not be clearly differentiable from each other without further clarification.

Some of the objective statements were also not measurable or easily assessable, according to the audit. For example, the objective to “promote better understanding” did not state what was meant to be comprehended, or how better understanding would be measured.

The goals and objective statements aligned, but the connection did not extend back to the mission statement, the report stated. OIG, seeking a document linking mission and goals, said that the document showed a disconnect between the two. Some mission segments and goals had no corresponding objectives.

OIG said that linking the program to its mission, goals and objective statements is crucial for evaluation and management, and therefore FedRAMP requires revision at its core.

“The FedRAMP PMO [program management office] should review and revise its mission, goals, and objectives to ensure that they align in a cohesive manner to more effectively assess its progress and performance,” the audit reads.

Alan B. Thomas, Commissioner of the Federal Acquisition Service, responded to the audit by stating that the FedRAMP PMO reviewed the report and agreed with all of the recommendations. The FedRAMP PMO is set to develop a new mission statement that is consistent with the requirements set out by the report. The PMO will also revise the goals and objectives they’ve been working with to make sure that they are specific and measurable.

One Comment

Nya Jackson

Thanks for sharing. The examples you shared were helpful to see the areas the OIG thinks can be improved in the FedRAMP program. It has good intentions, and hopefully after implementing the OIG’s recommendations it can be even more effective.