
Federal Agencies Urged by GAO to Implement Essential Cloud Security Practices Fully – Source: www.securityweek.com


The US Government Accountability Office (GAO) has released a report stating that the Departments of Agriculture, Homeland Security (DHS), Labor, and the Treasury have not fully implemented six key cloud security practices for their systems. The 60-page GAO report finds that only one agency has fully implemented four of the practices for most of its systems, while the other three have fully implemented three practices for their systems. The remaining practices were either partially implemented or not implemented at all.

Cloud security practices that were fully implemented for almost all systems, GAO says, include defining security responsibilities, documenting ICAM (identity, credential, and access management) policies and procedures, and documenting procedures for incident response and recovery. Practices that were only partially implemented or not implemented at all include defining security metrics in a service level agreement (SLA), implementing continuous monitoring, and addressing FedRAMP requirements.

According to the GAO, the agencies need to fully implement all key cloud security practices to ensure that the confidentiality, integrity, and availability of information contained in their cloud systems are not at risk. In its report, GAO makes 35 recommendations to implement these practices, noting that while DHS has concurred with these recommendations, Agriculture, Labor, and the Treasury have neither agreed nor disagreed with them.

The Department of Agriculture needs to fully document access authorizations for its PaaS (platform-as-a-service) systems, implement continuous monitoring for selected PaaS and SaaS (software-as-a-service) systems, define performance metrics in its service level agreements with cloud service providers (CSPs), provide the authorization letter to the FedRAMP PMO (program management office) for its selected SaaS system, and require service providers to comply with FedRAMP security authorization requirements.

DHS, on the other hand, needs to fully implement continuous monitoring for selected PaaS, SaaS, and IaaS (infrastructure-as-a-service) systems, define performance metrics in service level agreements, implement the FedRAMP requirements for selected IaaS, PaaS, and SaaS systems, and require service providers to comply with FedRAMP security authorization requirements.

The Department of Labor needs to implement continuous monitoring for selected PaaS and IaaS systems, define performance metrics in service level agreements, fully implement the FedRAMP requirements for selected IaaS, PaaS, and SaaS systems, provide authorization letters to the FedRAMP PMO when an authorization is issued, and require service providers to comply with FedRAMP security authorization requirements.

Lastly, the Department of the Treasury needs to define security responsibilities for selected SaaS systems, implement continuous monitoring for selected PaaS and SaaS systems, define enforcement mechanisms in service level agreements, implement the FedRAMP requirements, require service providers to comply with FedRAMP security authorization requirements, and document response and recovery procedures for selected SaaS systems.

The agencies' failure to fully implement these practices has raised concerns that the confidentiality, integrity, and availability of their information systems are at risk. The GAO report further indicates that federal agencies must prioritize implementation of all key cloud security practices to keep their information systems secure.

It is worth noting that DHS has already concurred with the recommendations, while Agriculture, Labor, and the Treasury have neither agreed nor disagreed with them. The implementation of these practices is considered critical, and hence, the agencies must take concrete steps to implement them to protect their information systems from potential risks.

This report highlights a worrying trend where government agencies fail to prioritize cloud security. It follows similar reports from GAO that show cybersecurity risks in other parts of the government. For instance, an earlier report revealed that the majority of GAO’s cybersecurity recommendations were not implemented by federal agencies. Therefore, it is vital that government agencies take the necessary steps to protect their information systems from any potential threats.

