(U) Audit of the DoD's Compliance with Security Requirements When Using Commercial Cloud Services

Abstract

(U) Objective

(U) The objective of this audit was to determine whether DoD Components complied with Federal and DoD security requirements when using commercial cloud services.

(U) Background

(U) Since 2011, the DoD has acquired commercial cloud services to meet mission needs. Commercial cloud services allow users to store, access, and share data and software using the Internet rather than locally storing information on servers or computer hard drives. DoD Component authorizing officials (AOs) are responsible for granting the system-level authorization to operate (ATO) when using authorized commercial cloud service offerings (CSOs).

(U) Findings

(U) The Army, Navy, Air Force, and Marine Corps used three commercial CSOs that were Federal Risk and Authorization Management Program (FedRAMP) and DoD authorized and at the appropriate DoD impact level for the five systems reviewed. However, the AOs did not review all required documentation to consider the commercial CSOs' risks to their systems when granting and reassessing ATOs on a periodic basis thereafter. Specifically, the AOs did not consider system risks that were identified in the supporting documentation of the authorized commercial CSOs' FedRAMP and DoD authorization processes and continuous monitoring activities.

(U) This occurred because all five AOs believed that the FedRAMP and DoD authorization processes were sufficient to mitigate risk to their respective systems. Unless AOs review all required documentation to consider the risks to their respective systems, DoD Components may be unaware of vulnerabilities and cybersecurity risks associated with operating their systems or storing their data in the authorized commercial CSOs.

(U) Recommendations

(U) We recommend that the Chief Information Officers (CIO) for the Army, Air Force, and Department of the Navy require the AOs to reevaluate the ATOs for the five cloud systems we reviewed.

Document Details

Document Type
Technical Report
Publication Date
Feb 15, 2023
Accession Number
AD1193811

Entities

People

  • Carol N. Gorman

Organizations

  • Office of the Inspector General, U.S. Department of Defense

Tags

Communities of Interest

  • Cyber

DTIC Thesaurus Topics

  • Acquisition
  • Air Force
  • Application Software
  • Cloud Computing
  • Computer Network Security
  • Computer Security Techniques
  • Computers
  • Cyberattacks
  • Cybersecurity
  • Cyberspace Operations
  • Data Leakages
  • Department Of Defense
  • Electronic Mail
  • Governments
  • Information Security
  • Information Systems
  • Infrastructure
  • Marine Corps
  • Risk
  • Risk Management
  • Security
  • Vulnerability

Fields of Study

  • Computer science

Readers

  • Military Training and Readiness Simulation
  • Public Financial Management and Budgeting
  • Software Engineering

Technology Areas

  • Cyber