
Cloud Security: Selected Agencies Need to Fully Implement Key Practices

GAO-23-105482 Published: May 18, 2023. Publicly Released: May 18, 2023.

Fast Facts

Cloud services—on-demand access to shared resources such as networks, servers, and data storage—can help federal agencies deliver better IT services for less money. But without effective security measures, these services can make agencies vulnerable to risks such as cyberattacks.

We looked at how four agencies implemented key cloud security practices—like having a plan to respond to incidents. While the agencies implemented some of the security practices, none of them fully implemented all of the practices for their systems.

We made 35 recommendations to the agencies to fully implement key cloud security practices.



Highlights

What GAO Found

The four selected agencies—the Departments of Agriculture, Homeland Security (DHS), Labor, and the Treasury—varied in their efforts to implement the six key cloud security practices that GAO evaluated. Specifically, three agencies fully implemented three practices for most or all of their selected systems, while the fourth agency fully implemented four practices for most or all of its systems. However, the agencies partially implemented or did not implement the remaining practices for the other systems (see figure).

Agencies' Implementation of the Key Cloud Security Practices for Each of the Selected Systems

For example, the agencies partially implemented the practice regarding continuous monitoring for some or all of the systems. Although the agencies developed a plan for continuous monitoring, they did not always implement their plans. In addition, agencies partially implemented or did not implement the practice regarding service level agreements for some of the systems. Specifically, agencies' service level agreements did not consistently define performance metrics, including how they would be measured, and the enforcement mechanisms.
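The service level agreement practice turns on two things a contract must pin down: how a performance metric is measured and what happens when it is missed. The following Python is an added illustration, not GAO's text and not any agency's or cloud provider's actual SLA. It measures monthly availability from outage records and applies a service-credit schedule; the metric (monthly availability), the measurement method (downtime minutes from incident records, clipped to the month), the credit tiers, and the sample outages are all assumptions constructed for the example.

```python
"""Worked example: measuring a cloud SLA metric and applying its enforcement mechanism.

Added illustration only. The metric, measurement method, credit schedule and
sample outage records below are assumptions, not any agency's or CSP's real SLA.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Outage:
    """One service interruption as recorded by a monitoring source."""
    start: datetime
    end: datetime
    excluded: bool = False  # True for downtime the SLA carves out (e.g. announced maintenance)


# Enforcement mechanism (assumed, illustrative): service credit as a percentage of the
# monthly fee, selected by the first availability band the measured value reaches.
CREDIT_SCHEDULE = (
    (99.9, 0),    # >= 99.9 %: no credit
    (99.0, 10),   # >= 99.0 % and < 99.9 %: 10 % credit
    (95.0, 25),   # >= 95.0 % and < 99.0 %: 25 % credit
    (0.0, 100),   # below 95 %: full credit
)


def month_bounds(year, month):
    """Return (first instant of the month, first instant of the next month)."""
    first = datetime(year, month, 1)
    nxt = datetime(year + 1, 1, 1) if month == 12 else datetime(year, month + 1, 1)
    return first, nxt


def minutes_in_month(year, month):
    first, nxt = month_bounds(year, month)
    return int((nxt - first).total_seconds()) // 60


def downtime_minutes(outages, year, month):
    """Sum non-excluded outage minutes inside the month. Outages that straddle a
    month boundary are clipped so each minute is counted in exactly one month."""
    first, nxt = month_bounds(year, month)
    total = 0
    for o in outages:
        if o.excluded:
            continue
        start, end = max(o.start, first), min(o.end, nxt)
        if end > start:
            total += int((end - start).total_seconds()) // 60
    return total


def availability_pct(outages, year, month):
    """Measurement method (assumed): availability = (total minutes - downtime) / total."""
    total = minutes_in_month(year, month)
    return 100.0 * (total - downtime_minutes(outages, year, month)) / total


def service_credit_pct(availability):
    """Map a measured availability to the credit the (assumed) schedule entitles."""
    for threshold, credit in CREDIT_SCHEDULE:
        if availability >= threshold:
            return credit
    return CREDIT_SCHEDULE[-1][1]


def evaluate_month(csp_outages, agency_outages, year, month):
    """Measure the metric from both parties' records and decide the enforcement outcome.
    The agency's own monitoring is the independent check on the CSP's self-reported figure."""
    csp_down = downtime_minutes(csp_outages, year, month)
    agency_down = downtime_minutes(agency_outages, year, month)
    availability = availability_pct(agency_outages, year, month)
    return {
        "csp_reported_downtime_min": csp_down,
        "agency_observed_downtime_min": agency_down,
        "availability_pct": round(availability, 3),
        "credit_pct": service_credit_pct(availability),
        # If the sources disagree, the SLA must say whose measurement governs.
        "dispute": agency_down > csp_down,
    }


# Constructed sample records for March 2023 (not real incidents).
CSP_OUTAGES = [
    Outage(datetime(2023, 3, 5, 2, 0), datetime(2023, 3, 5, 3, 30)),                   # 90 min
    Outage(datetime(2023, 3, 25, 0, 0), datetime(2023, 3, 25, 4, 0), excluded=True),   # maintenance
]
AGENCY_OUTAGES = CSP_OUTAGES + [
    Outage(datetime(2023, 2, 28, 23, 30), datetime(2023, 3, 1, 0, 20)),   # only 20 min fall in March
    Outage(datetime(2023, 3, 18, 10, 15), datetime(2023, 3, 18, 10, 45)), # 30 min the CSP did not log
]

if __name__ == "__main__":
    print(evaluate_month(CSP_OUTAGES, AGENCY_OUTAGES, 2023, 3))
```

Computing the figure from the agency's own records as well as the provider's is the point: an SLA that names the metric but not the measurement source or the credit schedule leaves the two parties free to disagree on both the number and the consequence, which is the gap the report describes.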

Agency officials cited several reasons for their varied implementation of the key practices, including that they had not documented their efforts to address the requirements. Until these agencies fully implement the key cloud security practices identified in federal policies and guidance, the confidentiality, integrity, and availability of agency information contained in these cloud systems are at increased risk.

Why GAO Did This Study

Cloud computing provides agencies with potential opportunities to obtain IT services more efficiently; however, if not effectively implemented, it also poses cybersecurity risks. To facilitate the adoption and use of cloud services, the Office of Management and Budget and other federal agencies have issued policies and guidance on key practices that agencies are to implement to ensure the security of agency systems that leverage cloud services (i.e., cloud systems).

This report evaluates the extent to which selected agencies have effectively implemented key cloud security practices. To do so, GAO selected 15 cloud systems across four agencies (Agriculture, DHS, Labor, and Treasury), representing a broad range of services. GAO selected these agencies based on several factors, including the number of reported IT investments leveraging cloud computing. GAO compared relevant agency documentation against six key practices identified in federal policies and guidance. GAO rated each agency as having fully, partially, or not implemented each practice for the selected systems.


Recommendations

GAO is making 35 recommendations to four agencies to fully implement key cloud security practices. DHS concurred with the recommendations. Agriculture, Labor, and Treasury neither agreed nor disagreed with the recommendations. DHS, Labor, and Treasury described actions taken or planned to address the recommendations.

Recommendations for Executive Action

Department of Agriculture: The Secretary of Agriculture should ensure that the agency fully documents the access authorizations for its selected PaaS system. (Recommendation 1)
Status: Open. As of September 2023, Agriculture has not provided an update on its efforts to address our recommendation.

Department of Agriculture: The Secretary of Agriculture should ensure that the agency fully implements continuous monitoring for its selected PaaS system, to include reviewing the continuous monitoring deliverables from the CSP and committing to a time frame to review audit logs. (Recommendation 2)
Status: Open. As of September 2023, Agriculture has not provided an update on its efforts to address our recommendation.

Department of Agriculture: The Secretary of Agriculture should ensure that the agency fully implements continuous monitoring for its selected SaaS system 1, to include reviewing the continuous monitoring deliverables from the CSP and committing to a time frame to review audit logs. (Recommendation 3)
Status: Open. As of September 2023, Agriculture has not provided an update on its efforts to address our recommendation.

Department of Agriculture: The Secretary of Agriculture should ensure that the agency fully implements continuous monitoring for its selected SaaS system 2, to include reviewing the continuous monitoring deliverables from the CSP. (Recommendation 4)
Status: Open. As of September 2023, Agriculture has not provided an update on its efforts to address our recommendation.

Department of Agriculture: The Secretary of Agriculture should ensure that the agency's service level agreements with CSPs define performance metrics, including how they are measured and the enforcement mechanisms. (Recommendation 5)
Status: Open. As of September 2023, Agriculture has not provided an update on its efforts to address our recommendation.

Department of Agriculture: The Secretary of Agriculture should ensure that the agency provides the authorization letter to the FedRAMP PMO for its selected SaaS system 2. (Recommendation 6)
Status: Open. As of September 2023, Agriculture has not provided an update on its efforts to address our recommendation.

Department of Agriculture: The Secretary of Agriculture should ensure that the agency's contracts with CSPs include requirements for the service providers to comply with FedRAMP security authorization requirements. (Recommendation 7)
Status: Open. As of September 2023, Agriculture has not provided an update on its efforts to address our recommendation.

Department of Homeland Security: The Secretary of Homeland Security should ensure that the agency fully implements continuous monitoring for its selected SaaS system 2, to include implementing its plans for continuous monitoring of the security controls that are the agency's responsibility. (Recommendation 8)
Status: Open. The agency stated that it expected to finalize the continuous monitoring by May 31, 2023. We plan to follow up with the agency to validate its implementation of the recommendation and, to the extent possible, that the desired results are being achieved.

Department of Homeland Security: The Secretary of Homeland Security should ensure that the agency fully implements continuous monitoring for its selected IaaS system, to include performing a regular review of the continuous monitoring deliverables from the CSP. (Recommendation 9)
Status: Open. The agency stated that through its role on the Federal Risk and Authorization Management Program's Joint Authorization Board, it has performed a regular review of the continuous monitoring deliverables from the cloud service provider. The agency provided additional documentation on its actions. We plan to follow up with the agency to validate its implementation of the recommendation and, to the extent possible, that the desired results are being achieved.

Department of Homeland Security: The Secretary of Homeland Security should ensure that the agency fully implements continuous monitoring for its selected PaaS system, to include implementing its process to review the continuous monitoring deliverables from the CSP. (Recommendation 10)
Status: Open. The agency stated that it performs ongoing continuous monitoring activities, including deliverables review, with the cloud service provider through its responsibility and activities on the Federal Risk and Authorization Management Program's Joint Authorization Board. The agency provided additional documentation on its actions. We plan to follow up with the agency to validate its implementation of the recommendation and, to the extent possible, that the desired results are being achieved.

Department of Homeland Security: The Secretary of Homeland Security should ensure that the agency fully implements continuous monitoring for its selected SaaS system 1, to include implementing its process to review the continuous monitoring deliverables from the CSP. (Recommendation 11)
Status: Open. The agency stated that it has implemented a process to review the continuous monitoring deliverables from the cloud service provider, and that it routinely receives and reviews the cloud service provider deliverables. The agency provided additional documentation on its actions. We plan to follow up with the agency to validate its implementation of the recommendation and, to the extent possible, that the desired results are being achieved.

Department of Homeland Security: The Secretary of Homeland Security should ensure that the agency's service level agreements with CSPs define performance metrics, including how they are measured and the enforcement mechanisms. (Recommendation 12)
Status: Open. The agency stated that it ensures that agency service level agreements that define performance metrics, including how they are measured and enforced, are in place whenever possible. The agency provided additional documentation on its actions. We plan to follow up with the agency to validate its implementation of the recommendation and, to the extent possible, that the desired results are being achieved.

Department of Homeland Security: The Secretary of Homeland Security should ensure that the agency fully implements the FedRAMP requirements for its selected IaaS system, to include issuing an authorization for the CSP and providing an authorization letter to the FedRAMP PMO. (Recommendation 13)
Status: Open. The agency stated that through its responsibilities and activities on the Federal Risk and Authorization Management Program's Joint Authorization Board, it ensures the cloud service provider meets all of the program's requirements. The agency provided additional documentation on its actions. We plan to follow up with the agency to validate its implementation of the recommendation and, to the extent possible, that the desired results are being achieved.

Department of Homeland Security: The Secretary of Homeland Security should ensure that the agency fully implements the FedRAMP requirements for its selected PaaS system, to include issuing an authorization for the cloud service. (Recommendation 14)
Status: Open. The agency stated that through its responsibilities and activities on the Federal Risk and Authorization Management Program's Joint Authorization Board, it ensures the cloud service provider meets all of the program's requirements. The agency provided additional documentation on its actions. We plan to follow up with the agency to validate its implementation of the recommendation and, to the extent possible, that the desired results are being achieved.

Department of Homeland Security: The Secretary of Homeland Security should ensure that the agency fully implements the FedRAMP requirements for its selected SaaS system 2, to include issuing an authorization for the cloud service. (Recommendation 15)
Status: Open. The agency stated that through its responsibilities and activities on the Federal Risk and Authorization Management Program's Joint Authorization Board, it ensures the cloud service provider meets all of the program's requirements. The agency provided additional documentation on its actions. We plan to follow up with the agency to validate its implementation of the recommendation and, to the extent possible, that the desired results are being achieved.

Department of Homeland Security: The Secretary of Homeland Security should ensure that the agency's contracts with CSPs include requirements for the service providers to comply with FedRAMP security authorization requirements. (Recommendation 16)
Status: Open. Agency officials stated that they are updating their contract language to include additional details and clarifying requirements specifying compliance with the Federal Risk and Authorization Management Program's authorization requirements. The agency officials estimated that they would complete these efforts by July 31, 2023. We plan to follow up with the agency to validate its implementation of the recommendation and, to the extent possible, that the desired results are being achieved.

Department of Labor: The Secretary of Labor should ensure that the agency fully implements continuous monitoring for its selected IaaS system, to include implementing its plans for continuous monitoring of the security controls that are the agency's responsibility. (Recommendation 17)
Status: Open. The agency stated that it has verified that annual assessments of cloud service providers are formally documented, reviewed, and signed by appropriate levels of management. The agency provided additional documentation on its actions. We plan to follow up with the agency to validate its implementation of the recommendation and, to the extent possible, that the desired results are being achieved.

Department of Labor: The Secretary of Labor should ensure that the agency fully implements continuous monitoring for its selected PaaS system, to include reviewing the continuous monitoring deliverables from the CSP. (Recommendation 18)
Status: Open. The agency stated that it documented its reviews of cloud service providers through its cybersecurity policy portfolio and that the agency performs monthly information security continuous monitoring activities to validate that requirements are met. The agency provided additional documentation on its actions. We plan to follow up with the agency to validate its implementation of the recommendation and, to the extent possible, that the desired results are being achieved.

Department of Labor: The Secretary of Labor should ensure that the agency's service level agreements with CSPs define performance metrics, including how they are measured and the enforcement mechanisms. (Recommendation 19)
Status: Open. The agency stated that it reviews the service level agreements defined by the cloud service provider and that if the service provider does not meet the requirements, the agency would receive credits. We plan to follow up with the agency to validate its implementation of the recommendation and, to the extent possible, that the desired results are being achieved.

Department of Labor: The Secretary of Labor should ensure that the agency fully implements the FedRAMP requirements, to include performing a review and risk analysis of the CSPs' FedRAMP security packages for its selected IaaS system. (Recommendation 20)
Status: Open. The agency stated that it performs continuous monitoring consistent with the agency's policy. Specifically, the officials stated that according to the agency's policy, an annual review of assessments performed by third-party assessment organizations (3PAO) is sufficient to document continuous monitoring. The agency provided additional documentation on its actions. We plan to follow up with the agency to validate its implementation of the recommendation and, to the extent possible, that the desired results are being achieved.

Department of Labor: The Secretary of Labor should ensure that the agency fully implements the FedRAMP requirements, to include issuing an authorization for the cloud service for its selected PaaS system. (Recommendation 21)
Status: Open. The agency stated that it has issued an authorization for the cloud service for its selected PaaS system. We plan to follow up with the agency to validate its implementation of the recommendation and, to the extent possible, that the desired results are being achieved.

Department of Labor: The Secretary of Labor should ensure that the agency fully implements the FedRAMP requirements, to include issuing an authorization for the cloud service for its selected SaaS system 1. (Recommendation 22)
Status: Open. The agency stated that it has issued an authorization for the cloud service for its selected SaaS system 1. We plan to follow up with the agency to validate its implementation of the recommendation and, to the extent possible, that the desired results are being achieved.

Department of Labor: The Secretary of Labor should ensure that the agency fully implements the FedRAMP requirements, to include issuing an authorization for each of the cloud services and performing a review and risk analysis of the CSPs' FedRAMP security packages for its selected SaaS system 2. (Recommendation 23)
Status: Open. The agency stated that it performs continuous monitoring consistent with the agency's policy. Specifically, the officials stated that according to the agency's policy, an annual review of assessments performed by third-party assessment organizations (3PAO) is sufficient to document continuous monitoring. The agency provided additional documentation on its actions. We plan to follow up with the agency to validate its implementation of the recommendation and, to the extent possible, that the desired results are being achieved.

Department of Labor: The Secretary of Labor should ensure that the agency provides authorization letters to the FedRAMP PMO upon issuance of the authorization. (Recommendation 24)
Status: Open. The agency stated that it had provided authorization letters to the FedRAMP PMO. We plan to follow up with the agency to validate its implementation of the recommendation, including that it had provided the letters upon issuance of its authorization for the cloud services.

Department of Labor: The Secretary of Labor should ensure that the agency's contracts with CSPs include requirements for the service providers to comply with FedRAMP security authorization requirements. (Recommendation 25)
Status: Open. Labor stated that its Cybersecurity Directorate plans to add a clause into the agency's standard contracting language for cybersecurity. Agency officials estimated the completion of these efforts by the end of fiscal year 2023. We plan to follow up with the agency to validate its implementation of the recommendation and, to the extent possible, that the desired results are being achieved.

Department of the Treasury: The Secretary of the Treasury should commit to a date for completing efforts to define the delineation of security responsibilities between the agency and the CSP for its selected SaaS system 2. (Recommendation 26)
Status: Open. As of September 2023, Treasury has not provided an update on its efforts to address our recommendation.

Department of the Treasury: The Secretary of the Treasury should ensure that the agency commits to a time frame for when it plans to require the use of multifactor authentication for its selected SaaS system 1, and implements the plan. (Recommendation 27)
Status: Open. As of September 2023, Treasury has not provided an update on its efforts to address our recommendation.

Department of the Treasury: The Secretary of the Treasury should ensure that the agency fully implements continuous monitoring for its selected PaaS system, to include implementing its plans for continuous monitoring of the security controls that are the agency's responsibility and reviewing the continuous monitoring deliverables from the CSP. (Recommendation 28)
Status: Open. As of September 2023, Treasury has not provided an update on its efforts to address our recommendation.

Department of the Treasury: The Secretary of the Treasury should ensure that the agency fully implements continuous monitoring for its selected SaaS system 2, to include implementing its plans for continuous monitoring of the security controls that are the agency's responsibility and documenting the use of vulnerability management procedures and tools to monitor the agency's cloud infrastructure. (Recommendation 29)
Status: Open. As of September 2023, Treasury has not provided an update on its efforts to address our recommendation.

Department of the Treasury: The Secretary of the Treasury should ensure that the agency fully implements continuous monitoring for its selected SaaS system 1, to include reviewing the continuous monitoring deliverables from the CSP. (Recommendation 30)
Status: Open. As of September 2023, Treasury has not provided an update on its efforts to address our recommendation.

Department of the Treasury: The Secretary of the Treasury should ensure that the agency's service level agreements with CSPs define the enforcement mechanisms. (Recommendation 31)
Status: Open. As of September 2023, Treasury has not provided an update on its efforts to address our recommendation.

Department of the Treasury: The Secretary of the Treasury should ensure that the agency fully implements the FedRAMP requirements, to include performing a review and risk analysis of the CSPs' FedRAMP security packages for its selected SaaS system 1. (Recommendation 32)
Status: Open. As of September 2023, Treasury has not provided an update on its efforts to address our recommendation.

Department of the Treasury: The Secretary of the Treasury should ensure that the agency's contracts with CSPs include requirements for the service providers to comply with FedRAMP security authorization requirements. (Recommendation 33)
Status: Open. As of September 2023, Treasury has not provided an update on its efforts to address our recommendation.

Department of the Treasury: The Secretary of the Treasury should ensure that the agency fully documents its procedures for responding to and recovering from security and privacy incidents for its SaaS system 1. (Recommendation 34)
Status: Open. As of September 2023, Treasury has not provided an update on its efforts to address our recommendation.

Department of the Treasury: The Secretary of the Treasury should ensure that the agency fully documents its procedures for responding to and recovering from security and privacy incidents for its SaaS system 2. (Recommendation 35)
Status: Open. As of September 2023, Treasury has not provided an update on its efforts to address our recommendation.

Topics

Agency evaluations, Authentication, Best practices, Cloud computing, Compliance oversight, Continuous monitoring, Critical infrastructure protection, Cybersecurity, Evaluation criteria, Federal agencies, Homeland security, Information systems, Policies and procedures, Privacy, Program management, Risk assessment, Software