Keeping Watch as Agencies Migrate to the Cloud

In June 2019, the Office of Management and Budget updated the Federal Government’s cloud policy (“Cloud Smart”) to help agencies speed up the migration to secure cloud solutions where appropriate. Inspectors General are not the first line of defense in protecting federal data stored in the cloud but play a critical role in helping to safeguard this data by overseeing whether agencies are adhering to security requirements.

Migration to the cloud has been federal policy (“Cloud First”) for almost ten years. The 2018 President’s Management Agenda continues the call for the increased use of cloud-based products. Federal cloud computing is also big business. You may have seen in the news recently that Amazon is protesting a Pentagon decision to award Microsoft a massive cloud computing contract worth up to $10 billion. There are 165 cloud-based products currently authorized for use by federal agencies.

In the context of federal IT management, cloud computing broadly means any technology solution provided by an outside vendor. This includes communication, collaboration, file sharing and other products like Amazon Web Services, Google Cloud, Microsoft Azure and Office 365, Slack, Cisco WebEx, and many others. Cloud computing offers scalable computing power and storage capacity. At the same time, it introduces new data risks for managers and new challenges for the Inspector General oversight community to ensure the confidentiality, availability, and integrity of sensitive government, business, and personal data.

Five years ago, the Council of Inspectors General for Integrity and Efficiency (CIGIE) issued a report evaluating how well agencies across the federal government were adopting cloud computing technology. The CIGIE evaluation reviewed 77 commercial cloud contracts across 19 agencies and found that all had insufficient contractual protections, some agencies were not following enhanced security standards for cloud computing, and some agencies were not even aware of all the cloud computing accessible from their networks.

Imagine, for example, having to report to Congress and the NASA Administrator that NASA employees were storing sensitive agency data, including personally identifiable information and International Traffic in Arms Regulations data, on unauthorized Dropbox accounts. Only now imagine that Dropbox disclosed that it had been hacked and that the stolen email addresses and passwords of 68 million users were being offered for sale. This happened, by the way, in 2016.

In 2017, the General Services Administration OIG publicly reported an earlier data breach of sensitive and personally identifiable information within GSA’s Google cloud computing environment. The sensitive information was accessible to GSA employees and contractors without a valid need to know such information. GSA had approximately 3.8 million Google Docs, 12,000 Google Groups, and 6,000 Google Sites in its Google cloud computing environment.

Since release of the 2014 CIGIE report, migration to the cloud by agencies has increased significantly, and one should reasonably expect that Federal IT managers have applied lessons learned to strengthen their cloud security posture.

The independent Inspectors General have conducted a number of cloud computing oversight audits since the 2014 report. IGs apply two major criteria in cloud computing oversight audits: FISMA controls and FedRAMP requirements. The Federal Information Security Modernization Act (FISMA) requires agencies to ensure that federal systems meet established security requirements, or controls. For example, an IT system should automatically lock out an account after a number of unsuccessful logon attempts. Such a control would help prevent a brute-force attack. The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program managed by GSA to provide a standardized approach to security assessment, authorization, and continuous monitoring of cloud-based solutions. FedRAMP contains additional requirements and controls above the FISMA baseline to address cloud computing. For example, agencies should identify data jurisdiction (that is, the country in which the data will be stored) in cloud computing contracts to prevent federal data from ending up in storage in some overseas country with a notorious hacker population and little respect for the rule of law. Enhanced controls are also needed for cloud computing, for example to specify time requirements for cloud service providers to report security incidents to Federal agency customers.

So, what issues are IGs still finding across government?

Since the 2014 CIGIE report, at least 18 IGs have conducted specific audits or evaluations of their agency’s cloud computing efforts. These agencies include the IGs at the Securities and Exchange Commission (2019), Social Security Administration (2019), Small Business Administration (2019), Bureau of Consumer Financial Protection (2019), Commerce (2018), Federal Deposit Insurance Corporation (2018), Nuclear Regulatory Commission (2017), Internal Revenue Service (2017), National Archives (2017), NASA (2017), Government Printing Office (2016), Defense (2015), National Science Foundation (2015), Interior (2015), Environmental Protection Agency (2015), Transportation (2015), Energy (2015), and Treasury (2014). Even though these audits may have been scoped slightly differently to meet the needs of the individual agencies, there are nevertheless some recurring themes that stand out.

One recurring issue from 12 of these reports: agencies are not always maintaining a complete inventory of cloud computing services. As IT experts say, you can’t protect what you don’t know you have. Without an accurate inventory, an agency cannot perform required continuous monitoring to ensure the confidentiality, availability, and integrity of federal data. In its 2017 audit, for example, the NASA OIG reported that management was focused on establishing enterprise cloud computing solutions and, in its words, not overly concerned about smaller scale uses of unapproved cloud services. In its 2016 audit, the DOD IG found that the Department simply lacked a department-wide standard cloud definition. In the view of DOD management, the designation of an IT service as cloud depended on individual perspective.

Another recurring issue identified in 10 of the reports: agency contracts with cloud computing providers are sometimes lacking FedRAMP-recommended contract clauses. In the National Archives OIG’s 2017 report, for example, the auditors attributed this to management simply not making standardization of cloud computing contract language a priority.

Missing FedRAMP security documentation was identified in 10 reports and missing FedRAMP controls were identified in 7 reports.

A less common but more troubling theme: there are still some agencies that lack a comprehensive cloud strategy. In its 2017 report, the Treasury Inspector General for Tax Administration concluded broadly in the report title: the Internal Revenue Service Does Not Have a Cloud Strategy. In its 2018 report, the FDIC OIG reported that the corporation’s cloud strategy was neither fully developed nor accepted by organizational stakeholders. In its 2019 report, the SEC OIG concluded that the commission needed to be more strategic in its approach. The OIG reported that the commission created a cloud governance committee with high aspirations, but that the committee went on hiatus almost immediately after a key official left the SEC. The OIG auditors found that the commission’s Cloud First policy was, in fact, ad hoc. In ten years, cloud computing has gone from buzzword to part of the Federal IT machinery. The White House and OMB have a bold vision, but it will take more effort by agencies to execute this vision. And while they do, IGs will remain on watch.