close
close

GAO wants OMB to prioritize FedRAMP use, agency modernization and more

GAO wants OMB to prioritize FedRAMP use, agency modernization and more

The White House plans to review a series of new recommendations that the congressional watchdog says will help save federal funds, increase modernization efforts and improve cybersecurity coordination.

In a report released Monday, the Government Accountability Office outlined a total of 37 priority recommendations to improve the way the Office of Management and Budget promotes appropriate technology-related practices across the federal landscape. These recommendations include ensuring the use of FedRAMP in agencies, publishing guidance on how agencies should implement transparent data requirements, modernizing legacy systems to avoid higher maintenance costs, avoiding cybersecurity pitfalls, and updating procedures for electronic information system functions for data management systems.

“OMB’s continued attention to these issues could result in significant cost savings and other improvements in government operations,” the GAO said.

Here are five findings from the report:

Ensuring the Agency’s use of FedRAMP

A recent FedRAMP memo from the OMB aims to reform the cloud security authorization program through strategic objectives, such as requiring cloud service providers (CSPs) to quickly remediate security architecture vulnerabilities to protect federal agencies from the “most important threats.” The GAO report found that the OMB has not yet established a process to hold agencies accountable for authorizing cloud services through the program.

GAO recommended in 2020 that OMB implement this process to measure the extent to which agencies use cloud services authorized outside of FedRAMP and “monitor agencies’ compliance with the program’s use.” In 2023, OMB stated that it had implemented such a program and was working to document the process; as of March, OMB had not yet provided GAO with any planned dates for documenting the process.

“Stronger OMB oversight through such a process could increase federal agency participation in the FedRAMP program,” the report said. “It could also provide greater assurance that agency information stored in a cloud environment is better protected and meets federal security requirements.”

In addition, the OMB has not yet issued guidance to agencies to “ensure that they consistently track and report the costs of promoting FedRAMP authorization of cloud services.” The government regulator, which first made this recommendation in January, reported that the OMB plans to provide an update this summer.

“OMB could help ensure that it has reliable and consistent cost data to determine whether it has achieved its goal of reducing FedRAMP costs,” the report said.

The missing memo

GAO twice recommended that OMB provide guidance to agencies on “developing and maintaining comprehensive data sets” as required by the OPEN Government Data Act. OMB neither agreed nor disagreed with the recommendation, but confirmed in March that final issuance was in the works.

“Without this guidance, agencies will not have clarity on timeframes for meeting their requirements under the (Act) or guidance on prioritizing data sets for publication in their data inventories, which could delay their progress in meeting their requirements under the Act,” the report said.

Although the OMB had previously prepared a draft memo, there is no set date for its final publication.

In addition, GAO stated that the delay in issuing the guidance could result in additional costs for agencies if they need to change their approach to data transparency after OMB issues the final guidance.

“Although agencies are making some progress in implementing their legal requirements, without this guidance they do not have all the information they need to meet the legal requirements regarding standard data disclosure,” the report said.

Michelle Sager, executive director of GAO’s strategic issues team, previously told FedScoop that the regulator had not seen the OMB draft guidance for this memo.

“Fortunately, we have the (Chief Data Officer) Council right now,” Sager said. “It provides a forum for agencies to consider lessons learned and talk about approaches that are working or that they’ve tried and may have needed to recalibrate.”

Modernization as a way to save money

GAO reiterated its 2016 request that OMB commit to a “firm date” for issuing guidance to identify legacy systems that need to be updated or replaced. The regulator said it was aware of draft guidance for that effort.

While the OMB agreed with the recommendation, it also stated in March that it believed it had “fulfilled the intent of the recommendation and considers the recommendation closed” because the 2018 guidance directs agencies to manage risk to high-value assets associated with legacy systems.

The GAO explained that this does not require agencies to identify all legacy systems that need modernization.

“Unless OMB requires agencies to do so, the federal government continues to risk maintaining IT investments that have lost their effectiveness,” the report said.

In another recommendation, GAO recommended that OMB continue to develop plans to address agency-wide data challenges with the help of the CDO Council and the Category Management Leadership Council. Implementing that plan, along with two other recommendations on setting performance metrics and reporting cost savings, would save the government “billions of dollars” over the next five years, the regulator said.

OMB agreed with all three recommendations of the GAO report.

Pitfalls of cybersecurity

While OMB has adopted GAO’s recommendation to develop a government-wide strategy to strengthen the cybersecurity workforce and to track and communicate progress in “solving” the cybersecurity talent shortage, it must take further steps to ensure interagency cooperation on cybersecurity issues.

OMB neither agreed nor disagreed with GAO’s recommendations. It should implement an approach that encourages federal agencies to collaborate with each other and coordinate with state agencies that use federal data to assess cybersecurity.

The GAO stated that without OMB’s involvement in these efforts, “federal agencies would be less likely to prioritize such efforts, which could lead to greater fragmentation of cybersecurity policies for states that use federal data.”

The regulator said OMB did not have “reasonable assurance” that federal agencies were using relevant assessments, “which could result in fragmentation of assessments across federal agencies.”

Electronic data storage update guidelines

GAO recommended that OMB establish a timeframe for updating policies and procedures to include the required electronic information system capabilities for data storage systems.

The OMB agreed with the regulator’s recommendation, saying that the Executive Office of the President’s Office of Administration “is responsible for data management for all components of the Executive Office, including the OMB.” In March, the OMB said it considered the recommendation final because it believed it met the intent of the recommendation.

However, GAO stated that OMB never provided documentation or an established time frame to demonstrate that policies and procedures had been updated to include all required electronic system features for the relevant systems.

“Without the use of electronic records systems with appropriate capabilities, we continue to believe that OMB faces an increased risk of not being able to reliably access and retrieve the data necessary to carry out the agency’s activities,” the report said.

Caroline Nihill

Written by Caroline Nihill

Caroline Nihill is a reporter for FedScoop in Washington, DC, covering federal IT. Her research has included the White House and Congress’ pursuit of artificial intelligence and modernization efforts across the federal government. Caroline was previously an editorial staff writer at Scoop News Group and wrote for FedScoop, StateScoop, CyberScoop, EdScoop, and DefenseScoop. She earned her bachelor’s degree in media and journalism from the University of North Carolina at Chapel Hill after transferring there from the University of Mississippi.

Leave a Reply

Your email address will not be published. Required fields are marked *