The Office of Inspector General (OIG) at the Department of Defense (DoD) has completed an assessment as to whether DoD Components complied with Federal and DoD security requirements when using commercial cloud services.
Since 2011, the DoD has acquired commercial cloud services to meet mission needs. Commercial cloud services allow users to store, access, and share data and software using the Internet rather than locally storing information on servers or computer hard drives. DoD Component authorizing officials (AOs) are responsible for granting the system‑level authorization to operate (ATO) when using authorized commercial cloud service offerings (CSOs).
OIG found that the Army, Navy, Air Force, and Marine Corps used three commercial CSOs that were Federal Risk and Authorization Management Program (FedRAMP) and DoD authorized and at the appropriate DoD impact level for the five systems reviewed. However, OIG found that the AOs did not review all required documentation to consider the commercial CSOs’ risks to their systems when granting and reassessing ATOs on a periodic basis thereafter. Specifically, the AOs did not consider system risks that were identified in the supporting documentation of the authorized commercial CSOs’ FedRAMP and DoD authorization processes and continuous monitoring activities.
OIG said this occurred because all five AOs believed that the FedRAMP and DoD authorization processes were sufficient to mitigate risk to their respective systems. OIG believes that unless AOs review all required documentation to consider the risks to their respective systems, DoD Components may be unaware of vulnerabilities and cybersecurity risks associated with operating their systems or storing their data in the authorized commercial CSOs.
The watchdog recommends that the Chief Information Officers (CIO) for the Army, Air Force, and Department of the Navy require the AOs to reevaluate the ATOs for the five cloud systems OIG reviewed. OIG also recommend that the DoD CIO emphasize the importance of following the DoD Cloud Computing Security Requirements Guide (SRG) when using commercial CSOs. In addition, OIG recommend that the Defense Information Systems Agency (DISA) Director coordinate with the Joint Authorization Board for FedRAMP to require that commercial cloud service providers remediate all vulnerabilities or provide documentation that describes why the risk to mission impact is low.
In response, the Army and Department of the Navy CIOs agreed to reevaluate the ATOs for the systems reviewed to ensure compliance with the DoD Cloud Computing SRG. The Air Force Deputy CIO agreed that the Air Force would review and update guidance but did not address whether the AOs would reevaluate the ATOs.
The DoD CIO agreed to emphasize the importance of complying with the DoD Cloud Computing SRG and the DISA CIO agreed to continued collaboration with the FedRAMP Joint Authorization Board to ensure cloud service providers remediate vulnerabilities or document risk acceptance.