Federal agencies plan to spend billions of dollars each year to support their IT and cybersecurity efforts, including transitioning IT resources to secure, cost-effective commercial cloud services. Agencies can use cloud computing to access IT resources, such as servers that store digital files, through the Internet faster and for less money than it would take to own and maintain such resources.
The Government Accountability Office (GAO) has identified challenges in four areas that agencies must overcome to fully realize the benefits of transitioning to cloud services. Specifically, agencies face challenges in ensuring cybersecurity, procuring cloud services, maintaining a skilled workforce, and tracking costs and savings.
A snapshot published by GAO on September 28 discusses the watchdog’s work in this area and provides recommendations that can help agencies with this transition.
It is worth noting that some of GAO’s prior work was undertaken before May 2021, when the President issued Executive Order 14028, detailing the goal to modernize federal cybersecurity by accelerating the movement to secure cloud services, adopting security best practices, and advancing towards Zero Trust Architecture cybersecurity plans.
In 2011, the Office of Management and Budget (OMB) established the Federal Risk and Authorization Management Program (FedRAMP) to provide a standardized approach for selecting and authorizing the use of cloud services that meet federal security requirements.
In December 2019, GAO reported that, while all 24 major federal agencies were participating in FedRAMP, many of these agencies continued to use cloud services that were not authorized through the program. In addition, the four major agencies selected for a detailed review did not always include required information in their cloud systems’ security plans; summarize security control test results in security assessment reports; or identify required information in remedial action plans, which are to list cloud service deficiencies and how they will be mitigated.
GAO found that one cause of these weaknesses was that FedRAMP’s requirements and guidance on implementing these control activities were not always clear and the program’s process for monitoring the status of security controls over cloud services was limited.
Consequently, GAO recommended that OMB hold agencies accountable for authorizing cloud services through FedRAMP. The watchdog also recommended that federal agencies improve the implementation of the FedRAMP program, including clarifying guidance on program requirements and responsibilities. At the time, OMB responded to GAO’s recommendation by stating that OMB does not have a mechanism for enforcing agencies’ compliance with its guidance on FedRAMP.
Procuring cloud services
GAO points out that an important part of procuring cloud services is incorporating a service level agreement into the contract. These agreements define the level of service and performance that the agency expects the contractor to meet. In April 2016, the watchdog reported that five of the major agencies that it selected for review did not always incorporate key practices for these agreements in their cloud service contracts. For example, the agencies did not always specify what constitutes a security breach and the responsibilities for notifying the agency; how data and networks will be managed; and the range of enforceable consequences for non-compliance with the agreement.
GAO determined that this was primarily due to the lack of guidance that fully addressed the key practices. It therefore recommended that satisfactory guidance be developed. Some agencies, such as the Department of Defense (DOD) and the Department of Homeland Security (DHS), concurred with the recommendation. DOD stated that it would update its cloud computing guidance and contracting guidance as appropriate. DHS said it would establish common cloud computing service level agreement guidance. In June, the Cybersecurity and Infrastructure Security Agency (CISA) published the second version of its Cloud Security Technical Reference Architecture (TRA). The DHS component, along with the United States Digital Service and FedRAMP, developed the TRA to guide agencies’ secure migration to the cloud by defining and clarifying considerations for shared services, cloud migration, and cloud security posture management.
Maintaining a skilled workforce
Having skilled IT personnel is key to supporting the federal government’s cloud adoption efforts. However, GAO has previously found cloud-related workforce challenges at three federal agencies.
The Coast Guard did not include new cloud-related skills and a skills gap analysis for cloud personnel in its workforce development strategy. GAO recommended in July this year that the Coast Guard update its cloud strategy and other relevant documentation to include a cross-walk of new and old skills and occupational categories, and to conduct a skills gap analysis. The Coast Guard agreed and expects to complete the work by May 2023.
GAO also found that DOD did not strategically plan for communicating with employees to prepare them for changes that would occur due to the move to cloud services. DOD stated at the time that it intended to complete a zero-based review of cyber and IT personnel and submit the results to Congress. The Department has also stated that it would update or issue workforce planning guidance and application rationalization guidance by September 2024.
Additionally, GAO said in July 2022 that the Department of State’s strategic plan did not include performance measures, targets, or goals to monitor progress towards clarifying job responsibilities and requirements needed to support the cloud environment. State said it was in the process of drafting an IT strategic workforce plan for the Civil Service and Foreign Service that it expects to be completed by the first quarter of fiscal year 2023.
Tracking costs and savings
Federal policies and guidance have stressed the importance of reducing acquisition and operating costs through the adoption of cloud computing. However, in April 2019, GAO reported that federal agencies experienced challenges in tracking and reporting cloud spending and savings data. For example, federal agencies were often using inconsistent data to calculate cloud spending and were not clear about the costs they were required to track. In addition, agencies had difficulty in systematically tracking savings data and stated that OMB guidance did not require them to explicitly report savings from cloud implementations.
GAO is not alone in its concern for federal IT cloud security. For example, following less than satisfactory findings on the Department of Transportation’s (DOT) information and cybersecurity practices, DOT’s Office of Inspector General (OIG) initiated two further audits in November 2021 to assess cybersecurity standards at the Department. OIG said at the time that there was “uncertainty over whether DOT is reporting a complete inventory of its cloud systems, DOT’s cloud systems are secure, and DOT has a strategy to address the Administration’s cybersecurity goals”.