An official website of the United States government
Here's how you know
A .mil website belongs to an official U.S. Department of Defense organization in the United States.
A lock (lock ) or https:// means you’ve safely connected to the .mil website. Share sensitive information only on official, secure websites.

Report | Feb. 15, 2023

Audit of the DoD’s Compliance with Security Requirements When Using Commercial Cloud Services (DODIG-2023-052)

Audit

Publicly Released: February 16, 2023

 

Objective

The objective of this audit was to determine whether DoD Components complied with Federal and DoD security requirements when using commercial cloud services.

 

Background

Since 2011, the DoD has acquired commercial cloud services to meet mission needs. Commercial cloud services allow users to store, access, and share data and software using the Internet rather than locally storing information on servers or computer hard drives. DoD Component authorizing officials (AOs) are responsible for granting the system‑level authorization to operate (ATO) when using authorized commercial cloud service offerings (CSOs).

 

Findings

The Army, Navy, Air Force, and Marine Corps used three commercial CSOs that were Federal Risk and Authorization Management Program (FedRAMP) and DoD authorized and at the appropriate DoD impact level for the five systems reviewed. However, the AOs did not review all required documentation to consider the commercial CSOs’ risks to their systems when granting and reassessing ATOs on a periodic basis thereafter. Specifically, the AOs did not consider system risks that were identified in the supporting documentation of the authorized commercial CSOs’ FedRAMP and DoD authorization processes and continuous monitoring activities.

This occurred because all five AOs believed that the FedRAMP and DoD authorization processes were sufficient to mitigate risk to their respective systems. Unless AOs review all required documentation to consider the risks to their respective systems, DoD Components may be unaware of vulnerabilities and cybersecurity risks associated with operating their systems or storing their data in the authorized commercial CSOs.

 

Recommendations

We recommend that the Chief Information Officers (CIO) for the Army, Air Force, and Department of the Navy require the AOs to reevaluate the ATOs for the five cloud systems we reviewed. We also recommend that the DoD CIO emphasize the importance of following the DoD Cloud Computing Security Requirements Guide (SRG) when using commercial CSOs. In addition, we recommend that the Defense Information Systems Agency (DISA) Director coordinate with the Joint Authorization Board for FedRAMP to require that commercial cloud service providers remediate all vulnerabilities or provide documentation that describes why the risk to mission impact is low. See the Recommendation section in the body of the report for the full text of all recommendations.

 

Management Comments and Our Response

The Army and Department of the Navy CIOs agreed to reevaluate the ATOs for the systems reviewed to ensure compliance with the DoD Cloud Computing SRG. The Air Force Deputy CIO agreed that the Air Force would review and update guidance but did not address whether the AOs would reevaluate the ATOs. Therefore, we request that the Air Force CIO provide comments within 30 days in response to the final report to address reevaluating the ATOs.

The DoD CIO agreed to emphasize the importance of complying with the DoD Cloud Computing SRG and the DISA CIO agreed to continued collaboration with the FedRAMP Joint Authorization Board to ensure cloud service providers remediate vulnerabilities or document risk acceptance.

This report is a result of Project No. (Report No. DODIG‑2023‑052)