OIG reports on DoD usage of commercial cloud services

The Department of Defense (DoD) Office of Inspector General (OIG) has completed an assessment of whether DoD components meet federal and DoD security requirements when using commercial cloud services.

Since 2011, the Department of Defense has acquired commercial cloud services to meet mission needs. Commercial cloud services allow users to store, access, and share data and software over the Internet instead of storing information locally on servers or computer hard drives. DoD Component Authorizing Officials (AOs) are responsible for granting the system-level authorization to operate (ATO) when using authorized commercial cloud service offerings (CSOs).

The OIG found that the Army, Navy, Air Force, and Marine Corps deployed three commercial CSOs that were Federal Risk and Authorization Management Program (FedRAMP) and DoD authorized and had the appropriate DoD impact level for the five systems reviewed. However, the OIG found that AOs did not review all the necessary documentation to consider the risks that commercial CSOs pose to their systems when granting ATOs and subsequently reassessing them on a regular basis. In particular, the AOs did not consider systemic risks identified in the supporting documentation of the FedRAMP and DoD authorization processes and continuous monitoring activities of the authorized commercial CSOs.

According to the OIG, this happened because all five AOs felt the FedRAMP and DoD authorization processes were sufficient to mitigate the risk to their respective systems. The OIG believes that if the AOs do not review all the necessary documentation to assess the risks to their respective systems, DoD components may not be aware of vulnerabilities and cybersecurity risks related to the operation of their systems or the storage of their data in the authorized commercial CSOs.

The watchdog recommends that the Chief Information Officers (CIOs) for the Army, Air Force and Navy Departments ask AOs to reevaluate the ATOs for the five cloud systems reviewed by the OIG. The OIG also recommends that the DoD CIO emphasize the importance of following the DoD Cloud Computing Security Requirements Guide (SRG) when employing commercial CSOs. In addition, the OIG recommends that the director of the Defense Information Systems Agency (DISA) coordinate with the Joint Authorization Board for FedRAMP to require that commercial cloud service providers fix any vulnerabilities or provide documentation describing why the risk of impact on the mission is low.

In response, the Army and Department of the Navy CIOs agreed to reevaluate the ATOs for the reviewed systems to ensure compliance with the DoD Cloud Computing SRG. The Air Force Deputy CIO agreed that the Air Force would review and update the guidance, but did not address whether the AOs would reevaluate the ATOs.

The DoD CIO agreed to emphasize the importance of complying with the DoD Cloud Computing SRG, and the DISA CIO agreed to continue working with the FedRAMP Joint Authorization Board to ensure cloud service providers address vulnerabilities or document risk acceptance.

Read the full report at DoD OIG