Watchdog dings Energy Dept over cloud security
The agency's inspector general identified multiple security risks in the way Energy Department components authorize and use cloud computing applications.
The Department of Energy isn't appropriately authorizing and monitoring many of its cloud computing services, according to an inspector general report released April 4.
The report, which looked at systems at department headquarters as well as at the National Labs and the National Nuclear Security Administration, found that some cloud services were onboarded without official authority-to-operate determinations, that unmanaged accounts were operating outside the agency's license, and that the continuous monitoring required to maintain cloud authorizations was lacking.
"Without improvements, the department may not be adequately protected from the risks posed by the use of systems outside its physical network boundaries, such as unauthorized access and data exfiltration," the report states.
The Office of Inspector General conducted its review from January 2021 through December 2022 across five locations and included a detailed review of 17 cloud systems.
According to the report, one site had put in place a "rapid risk assessment" under which contractors could authorize cloud applications provided they were used by fewer than 100 individuals and did not store any controlled unclassified information. Additionally, some of those systems were not included in the department's official cloud inventory.
Two systems approved by contractors were later designated as too risky for future use in an annual cloud assessment report. The IG report recommended that all cloud-based systems obtain approval to operate from federal officials.
The report also identified 627 unmanaged accounts on a file-sharing service that were linked to headquarters email accounts, of which 376 were active at the time the report was finalized. The IG reported that these unmanaged accounts contained 464 gigabytes of data and were linked to users in senior management, cybersecurity and intelligence roles.
OIG was told by the vendor in question, unnamed in the report, that there were "large numbers" of unmanaged accounts registered to official email addresses in other parts of the department. Auditors "could not determine whether sensitive information was stored in the unmanaged accounts," according to the report.
Overall, auditors found "that programs and sites generally used many more cloud computing systems than they reported to the department's OCIO." Typically, these kinds of systems were used for file sharing, video conferencing and project management. The report noted that the lack of an accurate inventory of cloud systems could hamper the agency's ability to implement zero trust architecture as required under a 2021 cybersecurity executive order.
In all, the watchdog made six recommendations to improve compliance with existing cloud authorization standards and security controls. The department concurred with five of the six and disputed the final recommendation because the substance of the guidance was covered by the recently passed FedRAMP Authorization Act. Some of the recommendations have already been implemented, with a few targeted for completion at the end of 2023.