IGs: Weak Enforcement Puts Fed Cloud Data at Risk
Agencies Can't Determine If Providers Furnish Adequate Security
A council of federal agencies' inspectors general says government data stored on the servers of cloud service providers could be at risk because of insufficient enforcement of government rules regarding contracts with the providers.
The Council of the Inspectors General on Integrity and Efficiency has issued a report that concludes that none of 19 participating agencies in a study conducted by the council had adequate controls in place to manage their cloud service providers and the data that resides within their cloud systems.
"This subjects federal data to the risk of loss or exposure to unauthorized parties and could compromise both federal program and personal data," the report says.
The report cites 42 contracts worth $317 million that fail to specify how cloud service providers' performance should be measured, reported or monitored. "The agencies are not able to ensure cloud service providers meet adequate service levels, which increases the risk that agencies could misspend or ineffectively use government funds," the report says.
The White House Office of Management and Budget established the Federal Risk Authorization and Management Program, known as FedRAMP, in 2011 to help simplify the process of vetting cloud service providers (see FedRAMP Seen as Big Gov't Cost Saver). OMB also created the Joint Authorization Board and FedRAMP Program Management Office to ease the FedRAMP authorization process. But as the council report points out, neither has the authority to enforce FedRAMP compliance within the individual agencies.
No Incentive to Comply
"Since there is no discernable penalty for noncompliance and no singular governing body with the authority to enforce compliance, the agencies do not have an incentive to timely comply with FedRAMP requirements," the report says.
An OMB official says the White House appreciates the council's observations and attention to this critical matter. "Federal agencies have already made significant progress on a number of fronts not noted in the report, to ensure the security of cloud computing environments," the official says. "We will work with agencies as they fully implement current cloud policy and FedRAMP authorizations, and we will continue to improve oversight as cloud capabilities and programs continue to mature."
A representative of the council, Catherine Grant, says improving OMB oversight is a positive step in the right direction. "The major message of the report is that business as usual has not so far resulted in adherence to established best practices or other requirements for cloud computing, timely adherence to FedRAMP requirements or even accurate cloud systems inventories for the 19 departments and agencies reviewed," says Grant, a congressional and public affairs liaison official at the Department of Education's Office of Inspector General.
OMB, in late 2011, issued a memorandum that addressed the security authorization process for cloud services. It requires each executive department and agency to use FedRAMP when conducting risk assessments and security authorizations. The government has identified 160 instances of agencies employing cloud providers using the FedRAMP authorization process since 2011.
Deadline Missed
Among FedRAMP's chief goals is standardizing information security requirements, including incorporating the baseline security controls found in guidance published by the National Institute of Standards and Technology. According to OMB, agencies had to comply with FedRAMP by June 5. But the council report says most agencies failed to adequately plan to meet that deadline.
In its recommendations, the Council of the Inspectors General suggests that OMB establish standardized contract clauses that agencies must use when adopting cloud services, determine how best to enforce FedRAMP compliance, establish a process and reporting mechanism to ensure agencies require providers to meet FedRAMP authorization requirements in a timely manner, and incorporate routine reviews of agency information systems inventories into the continuous monitoring process.