The Department of Energy (DoE) has not been keeping up with adequately monitoring and authorizing its cloud services, according to a new report released by the agency’s Office of Inspector General (OIG).
Based on an audit conducted from January 2021 to December 2022, the report finds “weaknesses” in how the agency maintained inventories of cloud-based systems.
“We identified concerns with some of these cloud-based systems that could have introduced a higher level of risk to the site that the Authorizing Official was unaware of and had not explicitly accepted,” said the OIG.
“Although the Department had implemented security measures over many of its cloud-based technologies and services, additional efforts are necessary,” the OIG said. “Specifically, we found weaknesses with the Department’s processes to authorize, monitor, assess, control, and inventory cloud-based services used by its programs and sites.”
The report found that two DoE locations had used cloud-based systems without proper approval, and that three other locations had not “conducted complete system authorizations for cloud systems, to include identifying, implementing, and assessing.”
“Without improvements, the Department may not be adequately protected from the risks posed by the use of systems outside its physical network boundaries, such as unauthorized access and data exfiltration,” said the OIG.
The report lays out six recommendations for DoE to remedy the security concerns:
- Ensure all cloud-based systems are appropriately authorized by Federal officials, including selection and assessment of all relevant security controls;
- Ensure all cloud-based systems are appropriately reported for inclusion in the Department’s cloud inventory;
- Submit agency authorizations to the FedRAMP Project Management Office for cloud-based systems that are FedRAMP-authorized;
- Modify continuous monitoring plans, policies, and procedures to include monitoring results from FedRAMP, where applicable;
- Implement monitoring or security controls to identify and prevent unmanaged cloud systems; and
- Explain when it is appropriate to use cloud systems that have not been FedRAMP-authorized.
DoE concurred with all recommendations except the last, saying “that if a system is not in the FedRAMP Marketplace, there are directions for an organization to meet specific security protocols during the assessment and authorization process of that cloud service system prior to being allowed onto the enterprise network,” according to the OIG report.