Movies and television shows often depict the United States government as a technically-advanced entity, capable of handling any problem with a carefully-considered and debated push of a button. However, the truth is far from inspiring: a recently released government report shows that many departments and agencies lack basic security controls for cloud computing, which could put a significant amount of information at risk. This revelation highlights the importance of proper cloud implementation and government cloud security in an ever-involving world.
The Office of Management and Budget (OMB) conducted a cloud security assessment, focusing on 11 “cybersecurity areas” within 24 federal agencies, such as risk management, response and reporting, and more. According to their investigation, which was outlined in the 2014 Federal Information Security Management Act (FISMA) report, 14 out of the 24 agencies lacked at least one major component of those programs. Moreover, at least three departments were found to be incapable of tracking and managing risks affecting virtual or cloud environments.
To make matters worse, the OMB also found that the agencies lacked programs for managing cloud consultants and broker services, with at least three departments lacking a complete inventory of the contractor systems and services in the cloud. Additionally, six departments had cloud-based systems that were not compliant with various federal regulations. Some even resided in the public cloud, a major risk to government cloud security.
The news wasn’t all bad: the OMB noted that six cloud service providers had achieved Agency Authorizations under FedRAMP, the government’s risk management program for cloud services, while another four earned Provisional Authorizations under the same system. In all, a total of 81 cloud systems were found to be FedRAMP-compliant. However, the organization said that a number of issues currently threaten government cloud security, from failure to terminate or deactivate old accounts to detecting and removing unauthorized connections. As a result, the FISMA report stated that significant improvements need to be made in terms of federal government cybersecurity, especially as the Obama Administration continues a “cloud-first” policy. With this announcement, many government agencies will likely be investing in cloud assessment services and working to ensure that they are working appropriately with their cloud storage brokers. After all, our government cloud security is too important to leave vulnerable.