Department of Defense (DoD) military service branch components may be unaware of cybersecurity risks associated with operating their systems or storing data in authorized commercial cloud service offerings (CSOs) because service branch authorizing officials (AOs) have failed to review all required documentation, according to a recent audit by the Pentagon’s Office of Inspector General (OIG).
As a result of the OIG’s findings, top technology officials at DoD and several service branches pledged to make a greater effort to coordinate their risk evaluations of commercial cloud services.
OIG reviewed cloud service use by the Army, Navy, Air Force, and Marine Corps, which used three commercial CSOs that were Federal Risk and Authorization Management Program (FedRAMP) and DoD authorized, and at the appropriate DoD impact level for the five systems reviewed.
However, the OIG found that the five AOs did not review all required documentation to consider the commercial CSOs’ risks to their systems, either when granting the authorizations to operate (ATOs) or when periodically reassessing them thereafter.
Since 2011, the DoD has acquired commercial cloud services to support mission needs and other services such as training, munitions inventory, asset and program management, and email. DoD component AOs are responsible for granting system-level ATOs when their systems use authorized commercial cloud service offerings.
According to the OIG, the five AOs did not consider identifiable system risks in the supporting documentation of the authorized commercial CSOs’ FedRAMP and DoD authorization processes and continuous monitoring activities.
“This occurred because all five AOs believed that the FedRAMP and DoD authorization processes were sufficient to mitigate risk to their respective systems,” the audit report says.
The OIG explained that unless AOs review all required documentation to consider the risks to their respective systems, “DoD Components may be unaware of vulnerabilities and cybersecurity risks associated with operating their systems or storing their data in the authorized commercial CSOs.”
The OIG recommended that the chief information officers (CIOs) for the Army, Navy, Air Force, and Marine Corps require the AOs to reevaluate the ATOs for the five cloud systems OIG reviewed.
The Army and Department of the Navy CIOs agreed to reevaluate the ATOs for the systems reviewed to ensure compliance with the DoD Cloud Computing Security Requirements Guide (SRG). The Air Force Deputy CIO agreed that the Air Force would review and update guidance, but did not address whether the AOs would reevaluate the ATOs.
In addition, the OIG recommended that the DoD CIO emphasize the importance of following the DoD Cloud Computing SRG when using commercial CSOs.
It also recommended that the Defense Information Systems Agency (DISA) Director coordinate with the Joint Authorization Board for FedRAMP to require that commercial cloud service providers remediate all vulnerabilities or provide documentation that describes why the risk to mission impact is low.
The DoD CIO agreed to emphasize the importance of complying with the DoD Cloud Computing SRG. The DISA CIO also agreed to continue collaborating with the FedRAMP Joint Authorization Board to ensure cloud service providers remediate vulnerabilities.