The U.S. Department of Agriculture (USDA), the Department of Homeland Security (DHS), the Department of Labor (DoL), and the Department of Treasury have not fully applied cloud security practices, according to a new report from the Government Accountability Office (GAO).
The report, which was released on May 18, finds that USDA, DHS, Labor, and Treasury varied in their efforts to implement the six key cloud security practices. Those are: defined security responsibilities; documented identity, credential, and access management (ICAM) policies and procedures; implemented continuous monitoring; defined security metrics; addressed Federal Risk and Authorization Management Program (FedRAMP) requirements; and documented procedures for incident response and recovery.
GAO’s findings stem from its work on the issue from 2021 until earlier this month.
The report emphasizes that “until these agencies fully implement” key cloud security practices identified in Federal policies and guidance, “the confidentiality, integrity, and availability of agency information contained in these cloud systems” are at increased risk.
“Increased cloud computing adoption opens the door for the Federal government to provide higher quality services at lower costs. But any successful modernization strategy must also have security measures baked throughout. Embracing new technologies cannot sacrifice product quality, cost, or cybersecurity. GAO’s recent cloud security report rightly pushes agencies to bolster their continuous monitoring efforts,” Rep. Gerry Connolly, D-Va., said in a statement about the report.
“Agency officials cited several reasons for their varied implementation of the key practices, including acknowledging that they had not documented their efforts to address the requirements,” the GAO report says.
Specifically, some of the agencies had fully implemented at least some cloud security practices across their systems, with USDA, DHS, and DoL each ensuring that they had defined security responsibilities across their systems, and had documented incident response and recovery procedures.
DHS and the Labor Department had fully documented their ICAM policies and procedures – a key zero trust metric – but DoL had finished implementing continuous monitoring on only two of its four systems. Meanwhile, DHS had only partially put continuous monitoring in place on its four systems, as had USDA on its three.
USDA, DHS, and the Labor Department also failed, on at least one system each, to implement evaluation criteria or practices for defining security performance metrics with cloud service providers in their service level agreements.
In addition, all four agencies have fallen behind in addressing FedRAMP requirements, with each failing to require its cloud service providers to comply with the cloud security program on at least one system.
“As the author of the FedRAMP Authorization Act and Ranking Member of the Subcommittee on Cybersecurity, Information Technology, and Government Innovation, I encourage all agencies to fully address their FedRAMP requirements,” Rep. Connolly stated.
In addition, GAO found that, of the four Federal agencies, the Treasury Department was the only one to have fully implemented all six security practices on at least one network, but it has yet to implement any of them across all four of its networks.
GAO offered a total of 35 recommendations to the four agencies.
USDA, Treasury, and DHS officials concurred with their recommendations, with DHS offering GAO additional technical detail. Officials from the Labor Department neither agreed nor disagreed with the recommendations but provided GAO with information on the department's actions to address the concerns raised, along with other details.