FedRAMP Scrutiny Intensifies: Justice Department Investigates Cloud Security Claims
The Federal Risk and Authorization Management Program (FedRAMP), designed to ensure the security of cloud services used by U.S. Government agencies, is facing increased scrutiny as the Justice Department investigates potential misrepresentations made by cloud providers and their assessors. This comes amid concerns that the program may be overly reliant on self-reporting and third-party assessments paid for by the companies seeking authorization.
Growing Concerns Over FedRAMP Oversight
Critics argue that FedRAMP’s current structure places too much trust in the claims of cloud companies and the assessments of third-party firms they employ. This lack of independent verification raises questions about the program’s effectiveness in safeguarding sensitive government data. As Eric Mill, former GSA official and co-author of a 2024 White House memo, stated, “FedRAMP’s job is to watch the American people’s back when it comes to sharing their data with cloud companies. When there’s a security issue, the public doesn’t expect FedRAMP to say they’re just a paper-pusher.”
Justice Department Investigation Uncovers Potential Risks
Recent investigations by the Justice Department have highlighted potential security vulnerabilities within government cloud systems. For example, officials discovered that Microsoft utilized China-based engineers to service sensitive cloud systems, despite a prohibition against non-U.S. Citizens assisting with IT maintenance for the Justice Department. This information was initially revealed through a ProPublica investigation, not through FedRAMP or Microsoft directly.
Microsoft acknowledged that its initial security plan submitted to the Justice Department did not disclose the use of foreign engineers, although the company claims to have communicated this information to Justice officials prior to 2020. Microsoft has since discontinued the use of China-based engineers in government systems.
Accenture Employee Indicted for Fraudulent Security Claims
The Justice Department’s willingness to pursue cybersecurity fraud cases was demonstrated by the indictment of a former Accenture employee accused of making “false and misleading representations” about a cloud platform’s security to secure federal contracts. The employee is also accused of attempting to obstruct third-party assessments by concealing deficiencies and encouraging others to misrepresent the system’s capabilities. She has pleaded not guilty.
FedRAMP Modernization Efforts
FedRAMP is undergoing a significant revamp to comply with mandates approved by Congress in 2022, aiming to codify the program into federal law and accelerate evaluation and approval processes. The Office of Management and Budget (OMB) issued draft guidance in October 2023 to modernize FedRAMP and replace existing policies from 2011, though final guidance is still pending.
Recent Advisory Groups to Strengthen FedRAMP
To bolster the program’s technical expertise, the U.S. General Services Administration (GSA) established a Technical Advisory Group (TAG) in May 2024. This group comprises federal experts who will advise on the technical, strategic, and operational direction of FedRAMP. The TAG complements the work of the Federal Secure Cloud Advisory Committee, which includes both public and private-sector representatives. A new FedRAMP board also replaced the Joint Authorization Board (JAB) to govern FedRAMP provisional authorization.
Looking Ahead
As the government increasingly relies on cloud services, ensuring their security is paramount. The ongoing investigations and modernization efforts within FedRAMP signal a commitment to strengthening oversight and protecting sensitive data. The program’s success will depend on its ability to attract and retain technical expertise, enforce rigorous standards, and hold cloud providers accountable for their security claims.
Keep reading