Cybersecurity: Selected Agencies Need to Better Protect Cloud Data
Fast Facts
Cloud computing services allow access to resources like networks, storage, and software. It can cost federal agencies less to use these services than to create their own. But using cloud computing services can pose cybersecurity risks.
We looked at how some agencies protect data in the cloud. The agencies we reviewed varied in how well they implemented key cloud computing security practices. For example, some agencies didn't fully implement continuous monitoring of their security controls. Also, some agencies didn't document how to respond to or recover from cybersecurity incidents.
Our recommendations address these issues and more to ensure cloud services are safe.

Highlights
What GAO Found
Four selected agencies—the Departments of State, Transportation, Veterans Affairs (VA), and the Small Business Administration (SBA)—varied in their efforts to implement and ensure contractor compliance with three key cloud security practices. Specifically, one agency had fully implemented all three practices for two of its systems and one agency had fully implemented the practices for one of its systems. The agencies partially implemented the practices for the remaining five systems (see figure).
Figure: Agencies’ Implementation of Key Cloud Security Practices

Note a: Due to sensitivity concerns, GAO is not disclosing the names of the selected systems in this report. Systems are identified by their cloud service model.
For example, agencies fully performed continuous monitoring for three of the eight selected systems. Although most of the agencies developed and implemented a plan for continuous monitoring, they did not always review continuous monitoring deliverables from the provider. Agencies fully implemented the practice regarding service level agreements for five out of eight systems. For the remaining three systems, agencies’ agreements did not consistently define performance metrics, including how they would be measured and the enforcement mechanisms.
Fully implementing the key practices will support the agencies’ efforts to ensure the confidentiality, integrity, and availability of agency information in their cloud systems. For example, without a robust continuous monitoring program, the agencies may have diminished ability to identify and mitigate control deficiencies and emerging threats. Additionally, the agencies may not promptly detect unauthorized access attempts or anomalous activity, leaving critical systems and data exposed to compromise.
Why GAO Did This Study
Federal agencies are faced with the need to accelerate their adoption of cloud services while ensuring the systems that support their missions are secure. Consequently, working with cloud service providers to effectively implement information security controls is a vital part of reducing risks to agency systems.
The Federal Information Security Modernization Act of 2014 includes a provision for GAO to periodically evaluate federal agencies’ information security policies and practices. This report assesses the extent to which selected agencies are ensuring contractor compliance with key cloud computing security practices.
To do so, GAO selected four agencies (State, Transportation, VA, SBA) based on their number of cloud authorizations, excluding agencies profiled in recent GAO reports. GAO reviewed two cloud systems at each agency, each of which represented a range of services. GAO administered a standard set of questions, compared documentation on the implementation of key cloud-related practices for each system identified in federal policies and guidance, and interviewed agency officials. GAO rated each agency as having fully, partially, or not implemented each practice for the selected systems.
Recommendations
GAO is making 12 recommendations to State, VA, and the SBA to fully implement key cloud security practices. VA agreed with the recommendations, and State neither agreed nor disagreed. SBA did not provide comments on the report. State and VA also described actions taken or planned to address the recommendations.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Department of State | The Secretary of State should ensure that the agency fully implements continuous monitoring for its selected PaaS system, to include reviewing continuous monitoring deliverables from the cloud service provider. (Recommendation 1) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Department of State | The Secretary of State should ensure that the agency fully implements incident response and recovery for its selected PaaS system, to include documenting plans or procedures for coordinating incident response and recovery with providers. (Recommendation 2) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Department of Veterans Affairs | The Secretary of Veterans Affairs should ensure that the agency fully implements continuous monitoring for its selected PaaS system, to include collecting and reviewing audit logs. (Recommendation 3) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Department of Veterans Affairs | The Secretary of Veterans Affairs should ensure that the agency fully implements continuous monitoring for its selected SaaS system, to include collecting and reviewing audit logs. (Recommendation 4) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Department of Veterans Affairs | The Secretary of Veterans Affairs should ensure that the agency fully implements incident response and recovery for its selected PaaS system, to include documenting plans or procedures for measuring and tracking incident response time. (Recommendation 5) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Department of Veterans Affairs | The Secretary of Veterans Affairs should ensure that the agency fully implements incident response and recovery for its selected SaaS system, to include documenting plans or procedures for testing incident response and recovery procedures. (Recommendation 6) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Department of Veterans Affairs | The Secretary of Veterans Affairs should ensure that the agency's service level agreements with providers define performance metrics, including how they are measured and the enforcement mechanisms. (Recommendation 7) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Small Business Administration | The Administrator of the Small Business Administration should ensure that the agency fully implements continuous monitoring for its selected PaaS system, to include implementing a continuous monitoring plan, reviewing continuous monitoring deliverables from the cloud service provider, documenting the use of vulnerability management tools, and collecting and reviewing audit logs. (Recommendation 8) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Small Business Administration | The Administrator of the Small Business Administration should ensure that the agency fully implements continuous monitoring for its selected SaaS system, to include documenting the use of vulnerability management tools. (Recommendation 9) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Small Business Administration | The Administrator of the Small Business Administration should ensure that the agency fully implements incident response and recovery for its selected PaaS system, to include documenting plans or procedures for identifying, containing, and mitigating cloud security incidents; coordinating incident response and recovery with providers and the Cybersecurity and Infrastructure Security Agency; ensuring providers report incidents promptly; measuring and tracking incident response time; and testing incident response and recovery procedures. (Recommendation 10) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Small Business Administration | The Administrator of the Small Business Administration should ensure that the agency fully implements incident response and recovery for its selected SaaS system, to include documenting plans or procedures for identifying, containing, and mitigating cloud security incidents; coordinating incident response and recovery with providers and the Cybersecurity and Infrastructure Security Agency; and measuring and tracking incident response time. (Recommendation 11) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Small Business Administration | The Administrator of the Small Business Administration should ensure that the agency's service level agreements with providers define performance metrics, including how they are measured and the enforcement mechanisms. (Recommendation 12) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |