GAO wants OMB to prioritize agencies’ FedRAMP use, modernization and more

The watchdog released 37 open priority recommendations, covering everything from cost-saving measures to protecting against cyberattacks.

The White House has a new slew of recommendations to consider that the Government Accountability Office believes will help save federal funds, improve modernization efforts and lead to better cybersecurity coordination.

In a report made public Monday, the congressional watchdog outlined 37 total priority recommendations to improve how the Office of Management and Budget encourages adequate technology-related practices across the federal landscape. Those recommendations include ensuring FedRAMP usage in agencies, releasing guidance for agencies’ implementation of transparent data requirements, modernizing legacy systems to avoid higher costs for maintenance, avoiding cybersecurity pitfalls and updating procedures for electronic information system functionalities for recordkeeping systems.

“OMB’s continued attention to these issues could yield significant cost savings and other improvements in government operations,” the GAO stated.

Here are five takeaways from the report:

Ensuring agency use of FedRAMP

A recent FedRAMP memo from OMB aims to reform the cloud security authorization program through strategic goals such as requiring cloud service providers (CSPs) to quickly mitigate any security architecture weaknesses to protect federal agencies from the most “salient threats.” The GAO report noted that OMB has yet to establish a process to hold agencies accountable for authorizing cloud services through the program. 

GAO recommended in 2020 that OMB establish this process to measure the extent to which agencies are using cloud services authorized outside of FedRAMP and “oversee agencies’ compliance with using the program.” In 2023, OMB stated that it had established such a program and was working to document the process; as of March, OMB had yet to provide the GAO with planned dates for documenting the process.

“Greater OMB oversight through such a process could increase federal agency participation in the FedRAMP program,” the report stated. “It also may provide greater assurance that agency information stored in a cloud environment is better protected and aligns with federal security requirements.”

Additionally, OMB has yet to issue guidance to agencies to “ensure that they consistently track and report the costs of sponsoring a FedRAMP authorization of cloud services.” The government watchdog, which first delivered this recommendation in January, reported that OMB plans to provide an update this summer.

“OMB could help ensure that it has reliable and consistent cost data to determine whether it has achieved its goal of reducing FedRAMP costs,” the report said.

The missing memo

The GAO twice recommended that OMB offer guidance to agencies to “develop and maintain comprehensive data inventories,” per the OPEN Government Data Act’s requirement. OMB neither agreed nor disagreed with the recommendation, but confirmed in March that the final issuance is in progress. 

“Without this guidance, agencies do not have clarity on timeframes for meeting their requirements under the [act] or guidance to help prioritize data assets for publication in their data inventories, which could delay their progress in meeting their requirements under the act,” the report noted.

While OMB has previously established a draft memo, there has been no established date for the final issuance. 

Additionally, the GAO stated that the delay in guidance could lead to additional costs for agencies if they have to change their approach to data transparency after OMB releases the final guidance. 

“Although agencies are making some progress toward implementing their requirements under the act, without this guidance, they do not have all the information required to address the act’s requirements on making data open by default,” the report said. 

Michelle Sager, the managing director of the GAO’s strategic issues team, previously told FedScoop that the watchdog has not seen the OMB draft guidance for this memo. 

“Fortunately, the [Chief Data Officer] Council does exist right now,” Sager said. “So that provides a forum for agencies to consider those lessons learned and talk about approaches that work or that they’ve tried and maybe have needed to recalibrate.”

Modernizing as a way to save money

The GAO renewed its calls from 2016 for OMB to “commit to a firm date” for when guidance on identifying legacy systems to be updated or replaced will be issued; the watchdog said that it is aware of a draft guidance for this effort.

While OMB agreed with the recommendation, it also said in March that the office believes it has “met the intent of the recommendation and considers the recommendation closed,” as 2018 guidance directs agencies to manage the risk to high-value assets regarding legacy systems. 

GAO said that this does not require agencies to identify all legacy systems in need of modernization. 

“Until OMB requires agencies to do so, the federal government will continue to run the risk of continuing to maintain IT investments that have outlived their effectiveness,” the report stated.

In another recommendation, the GAO recommended that OMB continue developing plans to address government-wide data challenges with the help of the CDO Council and the Category Management Leadership Council. Addressing this, along with two other recommendations to establish performance metrics and report cost savings, would save the government “billions of dollars” over five years, the watchdog said. 

OMB agreed with all three recommendations from the GAO report. 

Cybersecurity pitfalls

While OMB has addressed the GAO’s recommendation to establish a government-wide strategy for strengthening the cybersecurity workforce, as well as tracking and communicating progress for “solving” the cybersecurity workforce shortage, OMB still has additional steps to take to ensure agency collaboration on cybersecurity.

OMB did not agree or disagree with recommendations from the GAO that it should implement an approach that encourages federal agencies to collaborate with one another and coordinate with state government agencies that use federal data on cybersecurity assessments. 

GAO stated that without OMB’s involvement in these efforts, “federal agencies are less likely to prioritize such efforts, which could lead to greater fragmentation of cybersecurity policies for states using federal data.”

The watchdog stated that OMB won’t have “reasonable assurance” that federal agencies are using relevant assessments, “which could lead to fragmented assessments across federal agencies.”

Updating policies for electronic recordkeeping

The GAO recommended that OMB establish a timeframe for updating policy and procedures to include required electronic information system functionalities for recordkeeping systems. 

OMB agreed to the recommendation provided by the watchdog, and shared that the Executive Office of the President’s Office of Administration is “responsible for records management for all Executive Office components, which includes OMB.” As of March, OMB said that it considered the recommendation to be closed because it believed it met the intent of the recommendation. 

The GAO, however, said that OMB never provided documentation or an established timeframe to show that policies and procedures were updated to include all of the required electronic system functionalities for the relevant systems. 

“Without using electronic recordkeeping systems with appropriate functionalities, we continue to believe the OMB will face increased risk of not being able to reliably access and retrieve records needed to conduct agency business,” the report stated.
