A Department of Energy watchdog found in a recent audit that multiple cloud-based IT systems in use at the agency were operating without the required authorization.
In an audit report published April 4, the Department of Energy’s Office of Inspector General said it found two locations at the department where cloud-based systems had not received appropriate approvals and three locations where system authorization was not complete.
Federal agencies are required by law to ensure that cloud computing services comply with the Federal Risk and Authorization Management Program (FedRAMP), which includes obtaining certain deliverables associated with continuous monitoring from service providers.
In its report, the Energy Office of Inspector General said: “Since our prior report [in 2014], the Department has substantially increased the number of cloud computing systems in use to support various functions such as email, file sharing, and information technology service management.”
“We reviewed 5 locations that reported using 227 cloud systems and selected 17 cloud systems to review in detail. Based on our test work, we determined that issues related to cybersecurity over these selected systems continue to persist,” it added.
In addition to missing authorizations, the oversight body also found that “significant amounts” of information were stored in unapproved cloud storage accounts and that the department’s inventory of cloud systems in use across the enterprise was not accurate.
The IG also found that Department of Energy programs and sites generally used more systems than were reported to the Office of the Chief Information Officer.
As a result of its findings, the watchdog made six recommendations, including that the department’s undersecretary for science and innovation require programs and contractors to submit agency authorizations to the FedRAMP Project Management Office for cloud-based systems.
The Department of Energy agreed with five of the six recommendations but disagreed with the sixth, which the watchdog subsequently dropped after the agency provided further information.