AGENCIES FALL SHORT OF FEDRAMP IMPLEMENTATION

A recent GAO report shows what many contractors already knew: federal agencies don’t always live up to their FedRAMP responsibilities, even as the federal government expects contractors to do so. GAO found that four large agencies, including DHS and Treasury, failed to document the authorization of the system and cloud service in use, to provide an authorization letter to the FedRAMP program office, or to hold contractors accountable for FedRAMP requirements. These larger agencies, the other two of which are Agriculture and Labor, should have the resources to follow through on the implementation and oversight of FedRAMP requirements. Contractors know, however, that the problem can be worse in smaller agencies. Anecdotal evidence shows that some are aware of their own FedRAMP requirements but don’t allocate the time or the scarce resources needed to ensure compliance.

Failure to follow through doesn’t just create a potential security concern; it can leave contractors without the approvals they need to retain FedRAMP-approved status. Companies can lose both current and prospective business when their sponsor agency fails to conduct the necessary tests. There is, however, little accountability on the federal side for such failures. GAO’s report stated, “Until the agencies fully implement each of the FedRAMP requirements, they will likely not fully identify the security risk of the system…”.

The concerns in the GAO report are not an indictment of GSA’s FedRAMP program, but rather of specific agency shortcomings. Experience suggests that the report also only scratched the surface of what many in industry know to be a wider problem. Only when the oversight community and/or Congress makes following through on FedRAMP responsibilities mandatory for agencies will the substantial investments industry has made in becoming FedRAMP certified, as well as the technology investments themselves, be fully protected.