Publicly Released: February 16, 2023
The objective of this audit was to determine whether DoD Components complied with Federal and DoD security requirements when using commercial cloud services.
Since 2011, the DoD has acquired commercial cloud services to meet mission needs. Commercial cloud services allow users to store, access, and share data and software using the Internet rather than locally storing information on servers or computer hard drives. DoD Component authorizing officials (AOs) are responsible for granting the system‑level authorization to operate (ATO) when using authorized commercial cloud service offerings (CSOs).
The Army, Navy, Air Force, and Marine Corps used three commercial CSOs that were Federal Risk and Authorization Management Program (FedRAMP) and DoD authorized and at the appropriate DoD impact level for the five systems reviewed. However, the AOs did not review all required documentation to consider the commercial CSOs’ risks to their systems when granting and reassessing ATOs on a periodic basis thereafter. Specifically, the AOs did not consider system risks that were identified in the supporting documentation of the authorized commercial CSOs’ FedRAMP and DoD authorization processes and continuous monitoring activities.
This occurred because all five AOs believed that the FedRAMP and DoD authorization processes were sufficient to mitigate risk to their respective systems. Unless AOs review all required documentation to consider the risks to their respective systems, DoD Components may be unaware of vulnerabilities and cybersecurity risks associated with operating their systems or storing their data in the authorized commercial CSOs.
We recommend that the Chief Information Officers (CIO) for the Army, Air Force, and Department of the Navy require the AOs to reevaluate the ATOs for the five cloud systems we reviewed. We also recommend that the DoD CIO emphasize the importance of following the DoD Cloud Computing Security Requirements Guide (SRG) when using commercial CSOs. In addition, we recommend that the Defense Information Systems Agency (DISA) Director coordinate with the Joint Authorization Board for FedRAMP to require that commercial cloud service providers remediate all vulnerabilities or provide documentation that describes why the risk to mission impact is low. See the Recommendation section in the body of the report for the full text of all recommendations.
Management Comments and Our Response
The Army and Department of the Navy CIOs agreed to reevaluate the ATOs for the systems reviewed to ensure compliance with the DoD Cloud Computing SRG. The Air Force Deputy CIO agreed that the Air Force would review and update guidance but did not address whether the AOs would reevaluate the ATOs. Therefore, we request that the Air Force CIO provide comments within 30 days in response to the final report to address reevaluating the ATOs.
The DoD CIO agreed to emphasize the importance of complying with the DoD Cloud Computing SRG and the DISA CIO agreed to continued collaboration with the FedRAMP Joint Authorization Board to ensure cloud service providers remediate vulnerabilities or document risk acceptance.
This report is a result of Project No. (Report No. DODIG‑2023‑052)