Federal Agencies Face Cloud Cybersecurity Challenges

Federal agencies plan to spend billions of dollars each year on their IT and cybersecurity efforts, including moving IT assets to secure, low-cost commercial cloud services. Agencies can use cloud computing to access IT resources, such as servers that store digital files, at a lower cost than owning and maintaining those resources themselves would require.

The Government Accountability Office (GAO) has identified challenges in four areas that government agencies must address to reap the full benefits of the transition to cloud services. In particular, government agencies face challenges in ensuring cybersecurity, procuring cloud services, maintaining a skilled workforce, and tracking costs and savings.

A snapshot published by GAO on September 28 discusses the watchdog's work in this area and summarizes recommendations that can help agencies with this transition.

It is worth noting that some of GAO's previous work was conducted prior to May 2021, when the President issued Executive Order 14028. The order set out the goal of modernizing federal cybersecurity by accelerating the move to secure cloud services, adopting security best practices, and advancing toward a zero trust architecture.

Ensuring cybersecurity

In 2011, the Office of Management and Budget (OMB) established the Federal Risk and Authorization Management Program (FedRAMP) to provide a standardized approach for selecting and authorizing use of cloud services that meet federal security requirements.

In December 2019, GAO reported that although all 24 major federal agencies participated in FedRAMP, many of those agencies continued to use cloud services that the program had not authorized. Additionally, the four major agencies selected for detailed review did not always (1) include required information in their cloud systems' security plans, (2) summarize security control test results in security assessment reports, or (3) include required information in the remediation plans that list a cloud service's deficiencies and how they will be mitigated.

GAO found that one cause of these weaknesses was that FedRAMP's requirements and guidance for implementing these control activities were not always clear, and that the program's process for monitoring the status of security controls for cloud services was limited.

GAO therefore recommended that OMB hold agencies accountable for authorizing cloud services through FedRAMP. The watchdog also recommended that the agency responsible for FedRAMP improve the program's implementation, including by clarifying guidance on program requirements and responsibilities. At the time, OMB responded to GAO's recommendation by stating that it had no mechanism to enforce agency compliance with FedRAMP guidance.

Procurement of cloud services

GAO notes that an important part of procuring cloud services is including a service level agreement in the contract. These agreements define the level of service and performance that the agency expects from the contractor. In April 2016, the watchdog reported that the five major agencies it selected for review had not always included key practices for these agreements in their cloud service contracts. For example, agencies had not always specified what constitutes a security breach and who is responsible for notifying the agency; how data and networks are to be managed; and the range of enforceable consequences for failing to comply with the agreement.

GAO found that this was primarily due to a lack of guidance that fully addressed these key practices, and it therefore recommended that such guidance be developed. Some agencies, such as the Department of Defense (DOD) and the Department of Homeland Security (DHS), concurred with the recommendation. DOD stated that it would update its cloud computing and contracting guidance as appropriate, and DHS said it would create common guidance for cloud computing service level agreements. In June, the Cybersecurity and Infrastructure Security Agency (CISA) released the second version of its Cloud Security Technical Reference Architecture (TRA). The DHS component developed the TRA together with the United States Digital Service and FedRAMP to guide agencies' secure migration to the cloud by laying out considerations for shared services, cloud migration, and cloud security posture management.

Maintaining a skilled workforce

Skilled IT staff are key to supporting the federal government's cloud adoption efforts. However, GAO has previously identified cloud-related staffing issues at three federal agencies.

GAO found that the Coast Guard had not included new cloud-related skills, or a skills gap analysis for cloud personnel, in its workforce development strategy. In July of this year, GAO recommended that the Coast Guard update the service's cloud strategy and other relevant documentation to cover the full range of new and existing skills and job categories, and that it conduct a skills gap analysis. The Coast Guard agreed and expects to complete the work by May 2023.

GAO also found that DOD had not strategically planned how to communicate with employees to prepare them for the changes that the shift to cloud services would bring. DOD stated at the time that it intended to conduct a zero-based review of its cyber and IT personnel and present the findings to Congress. The department also said it would update or issue guidance on workforce planning and application rationalization by September 2024.

Additionally, GAO reported in July 2022 that the State Department's strategic plan did not include performance measures, targets, or goals for monitoring progress in clarifying the roles and requirements needed to support its cloud environment. State said it was drafting a strategic IT workforce plan covering its civil service and foreign service, expected to be completed by the first quarter of fiscal year 2023.

Tracking costs and savings

Federal policy and guidance have emphasized the importance of adopting cloud computing to reduce acquisition and operating costs. However, in April 2019, GAO reported that federal agencies had encountered challenges in tracking and reporting cloud spending and savings data. For example, agencies often used inconsistent data to calculate cloud spending and were unclear about which costs they needed to track. In addition, agencies had difficulty tracking savings data systematically, noting that OMB guidance did not explicitly require them to report savings from cloud implementations.

GAO is not alone in its concern about federal cloud security. For example, after less than satisfactory results regarding the information security and cybersecurity practices of the Department of Transportation (DOT), DOT's Office of the Inspector General (OIG) initiated two additional audits in November 2021 to examine the department's cloud cybersecurity. OIG said at the time that there was "uncertainty as to whether DOT is reporting a complete inventory of its cloud systems, DOT's cloud systems are secure, and DOT has a strategy to meet the administration's cybersecurity objectives."