The Government Accountability Office (GAO) has looked at how four agencies implemented key cloud security practices, like having a plan to respond to incidents. While the agencies implemented some of the security practices, GAO found that none of them fully implemented all of the practices for their systems.
Cloud services—on-demand access to shared resources such as networks, servers, and data storage—can help federal agencies deliver better IT services for less money. But without effective security measures, these services can make agencies vulnerable to risks such as cyber attacks.
In January 2022, the Office of Management and Budget released its memorandum on Moving the U.S. Government Toward Zero Trust Cybersecurity Principles, which required agencies to meet specific cybersecurity standards and objectives by the end of fiscal year 2024.
GAO’s four selected agencies—the Departments of Agriculture, Homeland Security (DHS), Labor, and the Treasury—varied in their efforts to implement the six key cloud security practices that the government watchdog evaluated.
For example, GAO found that the agencies partially implemented the practice regarding continuous monitoring for some or all of the systems. Although the agencies developed a plan for continuous monitoring, they did not always implement their plans.
According to federal guidance, agencies are to perform continuous monitoring of their cloud systems. Continuous monitoring helps agencies ensure that their ongoing awareness of the system security and privacy posture supports organizational risk management decisions. To fully implement this practice, an agency should develop and implement a plan for continuously monitoring the security controls that are the agency’s responsibility. In addition, an agency should perform periodic (e.g., monthly) reviews of continuous monitoring reports (e.g., security control assessments) from cloud service providers. Further, an agency should document the use of vulnerability management procedures and tools to monitor the agency’s cloud infrastructure and collect and review audit logs, as applicable.
GAO’s review found that DHS developed a plan for continuously monitoring the security controls that are the agency’s responsibility for its Software as a Service system; however, the agency had not fully implemented the plan. Specifically, the agency had not performed annual assessments of the security controls, as required by the continuous monitoring plan. The last assessment was performed in June 2020, and officials stated that they plan to complete the next assessment in 2023.
In addition, agencies partially implemented or did not implement the practice regarding service level agreements for some of the systems. Specifically, agencies’ service level agreements did not consistently define performance metrics, including how they would be measured, and the enforcement mechanisms.
Agency officials cited several reasons for their varied implementation of the key practices, including acknowledging that they had not documented their efforts to address the requirements.
GAO is concerned that until these agencies fully implement the cloud security key practices identified in federal policies and guidance, the confidentiality, integrity, and availability of agency information contained in these cloud systems are at increased risk. Consequently, it has made a total of 35 recommendations: seven to Agriculture, nine to DHS, nine to Labor, and 10 to Treasury. DHS concurred with the recommendations addressed to the agency and provided comments describing the actions it plans to take, or work already underway, to address them. For example, DHS stated that it expects to complete its efforts to ensure that its contracts with cloud service providers include requirements for the service providers to comply with FedRAMP security authorization requirements by the end of July 2023.