Pentagon didn't check risks before authorizing cloud services, watchdog finds
An audit conducted by the Defense Department’s inspector general found agency components “may be unaware of known vulnerabilities and cybersecurity risks associated with operating their systems or storing their data.”
Department of Defense officials who authorized the use of commercial cloud services across components of the agency did not review all required documentation needed to determine potential security concerns, leaving DOD’s armed forces unaware of vulnerabilities and cybersecurity risks across their systems, according to an audit publicly released by the agency’s Office of Inspector General on Feb. 16.
The partially redacted report was conducted “to determine whether DOD components complied with federal and DOD security requirements when using commercial cloud services.” The IG “nonstatistically” selected five cloud systems—which used three different commercial cloud service offerings, or CSOs—for review from the Air Force, Army, Marine Corps and Navy, all of which, the audit said, were “Federal Risk and Authorization Management Program (FedRAMP) and DOD authorized and at the appropriate DOD impact level for the five systems reviewed.”
Since 2011, the DOD “has acquired commercial cloud services to meet mission needs,” with the agency’s component authorizing officials—or AOs—”responsible for granting the system‑level authorization to operate (ATO) when using authorized commercial cloud service offerings.” And the agency has placed a growing emphasis on acquiring and leveraging commercial cloud services in recent years, with the IG’s audit noting that the agency “spent approximately $893 million on commercial cloud services in FY 2020, $940 million in FY 2021 and requested over $1.12 billion for FY 2022.”
The IG found, however, that the five AOs ”did not review all required documentation to consider the commercial CSOs’ risks to their systems when granting and reassessing [authorizations to operate] on a periodic basis thereafter.”
“Specifically, the AOs did not consider system risks that were identified in the supporting documentation of the authorized commercial CSOs’ FedRAMP and DOD authorization processes and continuous monitoring activities,” the audit added. “This occurred because all five AOs believed that the FedRAMP and DOD authorization processes were sufficient to mitigate risk to their respective systems.”
Without properly ensuring that AOs are reviewing all required documentation to identify potential risks to DOD systems, the audit warned that the agency “may be at an increased risk of successful cybersecurity attacks.”
“AOs play a vital role in supporting the DOD’s efforts to manage risk to the DOD’s Information Network when granting ATOs,” the audit said. “However, if AOs do not review all required documentation when considering the authorized commercial CSOs’ risks to their respective systems before granting and periodically reassessing the ATO thereafter, DOD components may be unaware of known vulnerabilities and cybersecurity risks associated with operating their systems or storing their data in authorized commercial CSOs.”
The IG’s report recommended that the chief information officers for the Air Force, Army, Marine Corps and Navy “require the AOs to reevaluate the ATOs for the five cloud systems;” that the DOD’s chief information officer “emphasize the importance of following the DOD Cloud Computing Security Requirements Guide;” and that the director of the Defense Information Systems Agency, or DISA, coordinate with FedRAMP’s Joint Authorization Board “to require that commercial cloud service providers remediate all vulnerabilities or provide documentation that describes why the risk to mission impact is low.”
The DOD’s CIO and DISA’s CIO broadly agreed with the IG’s recommendations. While the CIOs for the Army and Navy both agreed to reevaluate their ATOs, the Air Force’s deputy CIO “agreed that the Air Force would review and update guidance, but did not address whether the AOs would reevaluate the ATOs.”